| | --- |
| | title: Secrets reference |
| | shortTitle: Secrets |
| | intro: 'Find technical information about secrets in {% data variables.product.prodname_actions %}.' |
| | versions: |
| | fpt: '*' |
| | ghec: '*' |
| | ghes: '*' |
| | redirect_from: |
| | - /actions/reference/secrets-reference |
| | --- |
| | |
| | ## Naming your secrets |
| |
|
| | >[!TIP] |
| | > To help ensure that {% data variables.product.prodname_dotcom %} redacts your secrets in logs correctly, avoid using structured data as the values of secrets. |
| | |
| | The following rules apply to secret names: |
| | |
| | {% data reusables.actions.actions-secrets-and-variables-naming %} |
| | |
| | {% data reusables.codespaces.secret-precedence %} Similarly, if an organization, repository, and environment all have a secret with the same name, the environment-level secret takes precedence. |
| | |
| | ## Limits for secrets |
| | |
| | You can store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets. |
| | |
| | A workflow created in a repository can access the following number of secrets: |
| | |
| | * All 100 repository secrets. |
| | * If the repository is assigned access to more than 100 organization secrets, the workflow can only use the first 100 organization secrets (sorted alphabetically by secret name). |
| | * All 100 environment secrets. |
| | |
| | Secrets are limited to 48 KB in size. To store larger secrets, see [AUTOTITLE](/actions/how-tos/security-for-github-actions/security-guides/using-secrets-in-github-actions#storing-large-secrets). |
| | |
| | ## When {% data variables.product.prodname_actions %} reads secrets |
| |
|
| | Organization and repository secrets are read when a workflow run is queued, and environment secrets are read when a job referencing the environment starts. |
| |
|
| | ## Automatically redacted secrets |
| |
|
| | {% data variables.product.prodname_dotcom %} automatically redacts the following sensitive information from workflow logs. |
| | |
| | > [!NOTE] If you would like other types of sensitive information to be automatically redacted, please reach out to us in our [community discussions](https://github.com/orgs/community/discussions?discussions_q=is%3Aopen+label%3AActions). |
| | |
| | * 32-byte and 64-byte Azure keys |
| | * Azure AD client app passwords |
| | * Azure Cache keys |
| | * Azure Container Registry keys |
| | * Azure Function host keys |
| | * Azure Search keys |
| | * Database connection strings |
| | * HTTP Bearer token headers |
| | * JWTs |
| | * NPM author tokens |
| | * NuGet API keys |
| | * v1 GitHub installation tokens |
| | * v2 GitHub installation tokens (`ghp`, `gho`, `ghu`, `ghs`, `ghr`) |
| | * v2 GitHub PATs |
| | |
| | ## Security |
| | |
| | For security best practices using secrets, see [AUTOTITLE](/actions/reference/secure-use-reference#use-secrets-for-sensitive-information). |
| | |
