Day 07 – GitHub Actions: Variables & Secrets Made Simple

If you’ve been following my journey, you know by now that GitHub Actions can automate almost anything. But automation without configuration is like a car without fuel.
This is where variables and secrets come in — they allow us to pass dynamic values and sensitive data into workflows safely.
Let’s break it down in the easiest way possible 👇
🔑 What Are Variables?
Think of variables as named placeholders you can use across workflows.
They help you avoid hardcoding values (like branch names or environment settings).
Example:
- name: Print GitHub variable
  run: echo "Repo default branch is ${{ vars.DEFAULT_BRANCH }}"
👉 Here, instead of writing "main" everywhere, I just store it as a variable. If my repo’s default branch ever changes, I only update it once.
Why variables are awesome:
Reduce duplication
Easy to update
Work across jobs and steps
🔒 What Are Secrets?
Secrets are like variables, but encrypted.
They’re perfect for sensitive data such as API keys, tokens, or passwords.
Example:
- name: Use a secret (masked)
  run: echo "API Key is ${{ secrets.DEMO_API_KEY }}"
👉 Even if you try to echo a secret, GitHub automatically hides (masks) it in logs.
Masking matches the secret's exact value, so treat it as a safety net rather than a reason to print secrets on purpose.
🛠️ Example Workflow – Variables + Secrets in Action
Here’s the exercise I built today 👇
📂 Location: docs/day07/day07-variables-secrets.yml
name: Day07 – Variables & Secrets Demo
on:
  workflow_dispatch:
jobs:
  demo:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Print GitHub variable
        run: echo "Repo default branch is ${{ vars.DEFAULT_BRANCH }}"
      - name: Use a secret (masked)
        run: echo "API Key is ${{ secrets.DEMO_API_KEY }}"
⚡ Things to Keep in Mind
Variables are visible – don’t put sensitive info there.
Secrets are secure – always use them for tokens or passwords.
Forked repos don’t inherit secrets – if someone forks your repo, they’ll have to set their own.
Masked output – the exact secret value shows up as *** in logs, even if echoed.
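A hardened variant of the demo workflow, added here as an example (it is not from the original repo): the secret reaches the script through `env` instead of being interpolated into the command, a missing secret fails the job early, and a derived value is registered for masking with `::add-mask::`. The `demo` username and the `api.example.com` endpoint are placeholders to replace.

```yaml
# Added example: hypothetical workflow, not part of the original exercise.
name: Day07 – Secrets via env (hardened variant)
on:
  workflow_dispatch:
permissions:
  contents: read   # least privilege for the job's GITHUB_TOKEN
jobs:
  demo:
    runs-on: ubuntu-latest
    steps:
      - name: Print GitHub variable
        # Configuration variables are not sensitive, so printing is fine.
        run: echo "Repo default branch is ${{ vars.DEFAULT_BRANCH }}"

      - name: Fail fast if the secret is missing
        env:
          # Scoped to this step only, not to the whole job.
          DEMO_API_KEY: ${{ secrets.DEMO_API_KEY }}
        run: |
          # A secret that is not configured (for example in a fork)
          # expands to an empty string, so check before using it.
          if [ -z "$DEMO_API_KEY" ]; then
            echo "::error::DEMO_API_KEY is not configured"
            exit 1
          fi
          echo "DEMO_API_KEY is configured"

      - name: Use the secret without printing it
        env:
          DEMO_API_KEY: ${{ secrets.DEMO_API_KEY }}
        run: |
          # A derived value is a different string from the stored secret,
          # so register it with the log masker before it can appear.
          BASIC_AUTH="$(printf 'demo:%s' "$DEMO_API_KEY" | base64 -w0)"
          echo "::add-mask::$BASIC_AUTH"
          # Placeholder endpoint; the secret only travels in the header.
          curl --fail --silent --show-error \
            -H "Authorization: Basic $BASIC_AUTH" \
            https://api.example.com/ping
```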
🏁 Final Thoughts
Variables give your workflows flexibility.
Secrets keep your sensitive data safe.
Together, they turn your GitHub Actions into something truly powerful and secure.




