How do you store and use secrets in GitHub Actions?
CI/CD & GitOps · Intermediate level
Answer
GitHub Actions secrets are stored at repository, environment, or organization scope and injected into workflows through the secrets context. I scope secrets narrowly, prefer OIDC short-lived cloud credentials, avoid printing secrets, and combine secrets with environment protection rules for production.
Technical explanation
Masking is a safety net, not a complete control; scripts can still leak secrets through files, command arguments, debug output, or third-party tools.
Prefer scoped, short-lived credentials and store only the minimum secrets needed for that job or environment.
Artifacts should be immutable and addressed by version or digest, with metadata linking them to commit SHA and pipeline run.
Jenkins archived artifacts are convenient for diagnostics, but production deployment should consume from a controlled artifact repository or registry.
Workflow files live under .github/workflows and are triggered by events such as push, pull_request, workflow_dispatch, schedule, or release.
Runners should be ephemeral or carefully isolated because workflow code can execute arbitrary commands.
Hands-on example
1. Implement secrets handling for a GitHub repository that contains a simple service and a workflow at .github/workflows/ci.yml.
2. Create a workflow with on: [pull_request], jobs: build, test, scan; set permissions: contents: read by default and grant write only to jobs that truly need it.
3. Move cloud deployment from static secrets to OIDC: grant id-token: write to the job, configure cloud trust on repository/ref/environment claims, and remove long-lived keys from repository secrets.
4. Use environments for staging/prod with required reviewers and environment secrets; prefer OIDC cloud login over storing AWS/Azure/GCP access keys.
5. Validate by opening a PR that fails one required check and confirm GitHub blocks merge until the check passes and required reviewers approve.
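The workflow below ties the five steps together and also illustrates the masking caveat from the technical explanation (secrets passed through the environment rather than interpolated into a command line). It is an added example, not a file from the page or from any project it describes; the role ARN, region, environment name, secret names and the build/test/scan/deploy scripts are placeholders. It goes slightly beyond step 2 by adding a push-to-main trigger so that the deploy job has something to run on.

```yaml
# Added example: .github/workflows/ci.yml (assumed path from the steps above).
# All names marked "placeholder" or "assumed" are not taken from the page.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Least-privilege default for every job; a job widens it only if it must.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh            # assumed project build script

  test:
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/checkout@v4
      # The secret reaches the script via the environment. Interpolating
      # ${{ secrets.* }} directly into `run:` would put it on the shell
      # command line, which can surface in process listings or debug output
      # even though the log output itself is masked.
      - name: Integration tests against staging API
        env:
          API_TOKEN: ${{ secrets.STAGING_API_TOKEN }}   # assumed secret name
        run: |
          # avoid: ./test.sh --token ${{ secrets.STAGING_API_TOKEN }}
          ./test.sh                                       # assumed; reads $API_TOKEN

  scan:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
      security-events: write    # only this job uploads scan results
    steps:
      - uses: actions/checkout@v4
      - run: ./scan.sh           # assumed scanner wrapper

  deploy:
    # Runs only for pushes to main; the environment adds required reviewers
    # and environment-scoped secrets on top of that.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: [test, scan]
    runs-on: ubuntu-latest
    environment: production      # assumed environment name
    permissions:
      contents: read
      id-token: write            # allows the job to request an OIDC token
    steps:
      - uses: actions/checkout@v4
      # OIDC exchange: no long-lived AWS access key is stored in GitHub.
      # The IAM role's trust policy must pin the token's audience and
      # subject, e.g. aud = sts.amazonaws.com and
      # sub = repo:OWNER/REPO:environment:production
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy   # placeholder
          aws-region: us-east-1                                           # placeholder
      - run: ./deploy.sh         # assumed deployment script
```

To validate as in step 5, mark build, test and scan as required status checks in branch protection for main and add required reviewers to the production environment; a pull request that fails any one of the checks should then be unmergeable, and a merged change should pause at the deploy job until a reviewer approves.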