Kolyunya

Reputation: 6240

Using secrets in GitHub workflows for private repositories

I'm trying to use the GitHub workflows with the secrets. My setup is:

The problem is that the secret evaluates into an empty string when I use it like this:

echo ${{ secrets.CI_TOKEN }}

What's interesting is that it seems like the workflow code itself is perfectly legit because it starts evaluating the secret into *** when I override it in the repo scope.

Then I've noticed a possible cause of that problem. The org secrets UI is kind of contradictory. First it says that I cannot use secrets for private repos on a free plan, but then I can choose the third option and choose those private repos manually.

So I wonder whether the free plan actually supports secrets in private repos of private orgs when you select repos manually or not?

Upvotes: 3

Views: 2828

Answers (2)

Kolyunya

Reputation: 6240

I accidentally found some information on the repo secrets page:

And it turns out that selecting private repos manually for the org secret is just a broken and misleading UI. You can choose those private repos but it's not gonna work.

I think this UI should be reworked to exclude private repos from that list.

Upvotes: 6

VonC

Reputation: 1324367

So I wonder are secrets supposed to work when you choose them manually or not?

For private repos, selecting them explicitly is needed.

The documentation also mentions:

With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

Test them with:

steps:
  - shell: bash
    env:
      SUPER_SECRET: ${{ secrets.SuperSecret }}
    run: |
      example-command "$SUPER_SECRET"

Upvotes: 1
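
Both answers come down to a secret that silently arrives as an empty string. The guard below is an added example, not code from either answer or from GitHub: it fails the step early and names the missing secret without printing any value. It assumes the step maps secrets into environment variables through `env:` as in the snippet above; the function name `require_secrets` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answers). Intended for a workflow step
# whose `env:` block maps secrets to environment variables, for instance
#   env:
#     CI_TOKEN: ${{ secrets.CI_TOKEN }}
# An organization secret the repository cannot access, or any secret in a run
# triggered from a fork, reaches the step as an empty string.

# require_secrets NAME...   (hypothetical helper name)
# Returns 0 when every named variable is set and non-empty, 1 otherwise.
# Only variable names are printed, never values.
require_secrets() {
    missing=0
    for name in "$@"; do
        # Accept plain identifiers only, so the eval below cannot run arbitrary text.
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "::error::invalid variable name passed to require_secrets"
                missing=1
                continue
                ;;
        esac
        # Indirect lookup of the variable called $name (POSIX sh has no ${!name}).
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            # "::error::" is the GitHub Actions workflow command for an error annotation.
            echo "::error::secret $name is empty or not available to this repository"
            missing=1
        fi
    done
    unset value
    return "$missing"
}

# Typical use as the first line of the step's `run:` script:
#   require_secrets CI_TOKEN || exit 1
```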
