Return a random URL-safe text string, containing nbytes randombytes. The text is Base64 encoded, so on average each byte resultsin approximately 1.3 characters. If nbytes is None or notsupplied, a reasonable default is used.
To be secure againstbrute-force attacks,tokens need to have sufficient randomness. Unfortunately, what isconsidered sufficient will necessarily increase as computers get morepowerful and able to make more guesses in a shorter period. As of 2015,it is believed that 32 bytes (256 bits) of randomness is sufficient forthe typical use-case expected for the secrets module.
For those who want to manage their own token length, you can explicitlyspecify how much randomness is used for tokens by giving an intargument to the various token_* functions. That argument is takenas the number of bytes of randomness to use.
Secrets are variables that you create in an organization, repository, or repository environment. The secrets that you create are available to use in GitHub Actions workflows. GitHub Actions can only read a secret if you explicitly include the secret in a workflow.
For secrets stored at the organization-level, you can use access policies to control which repositories can use organization secrets. Organization-level secrets let you share secrets between multiple repositories, which reduces the need for creating duplicate secrets. Updating an organization secret in one location also ensures that the change takes effect in all repository workflows that use that secret.
For secrets stored at the environment level, you can enable required reviewers to control access to the secrets. A workflow job cannot access environment secrets until approval is granted by required approvers.
Note: If your GitHub Actions workflows need to access resources from a cloud provider that supports OpenID Connect (OIDC), you can configure your workflows to authenticate directly to the cloud provider. This will let you stop storing these credentials as long-lived secrets and provide other security benefits. For more information, see "About security hardening with OpenID Connect"
For example, a secret created at the environment level must have a unique name in that environment, a secret created at the repository level must have a unique name in that repository, and a secret created at the organization level must have a unique name at that level.
If a secret with the same name exists at multiple levels, the secret at the lowest level takes precedence. For example, if an organization-level secret has the same name as a repository-level secret, then the repository-level secret takes precedence. Similarly, if an organization, repository, and environment all have a secret with the same name, the environment-level secret takes precedence.
To make a secret available to an action, you must set the secret as an input or environment variable in the workflow file. Review the action's README file to learn about which inputs and environment variables the action expects. For more information, see "Workflow syntax for GitHub Actions."
When generating credentials, we recommend that you grant the minimum permissions possible. For example, instead of using personal credentials, use deploy keys or a service account. Consider granting read-only permissions if that's all that is needed, and limit access as much as possible.
When generating a personal access token (classic), select the fewest scopes necessary. When generating a fine-grained personal access token, select the minimum permissions and repository access required.
Instead of using a personal access token, consider using a GitHub App, which uses fine-grained permissions and short lived tokens, similar to a fine-grained personal access token. Unlike a personal access token, a GitHub App is not tied to a user, so the workflow will continue to work even if the user who installed the app leaves your organization. For more information, see "Making authenticated API requests with a GitHub App in a GitHub Actions workflow."
Note: Users with collaborator access to a repository can use the REST API to manage secrets for that repository, and users with admin access to an organization can use the REST API to manage secrets for that organization. For more information, see "REST API endpoints for GitHub Actions Secrets."
To create secrets or variables on GitHub for a personal account repository, you must be the repository owner. To create secrets or variables on GitHub for an organization repository, you must have admin access. Lastly, to create secrets or variables for a personal account repository or an organization repository through the REST API, you must have collaborator access.
To create secrets or variables for an environment in a personal account repository, you must be the repository owner. To create secrets or variables for an environment in an organization repository, you must have admin access. For more information on environments, see "Managing environments for deployment."
Note: Organization-level secrets and variables are not accessible by private repositories for GitHub Free. For more information about upgrading your GitHub subscription, see "Upgrading your account's plan".
When creating a secret or variable in an organization, you can use a policy to limit access by repository. For example, you can grant access to all repositories, or limit access to only private repositories or a specified list of repositories.
To provide an action with a secret as an input or environment variable, you can use the secrets context to access secrets you've created in your repository. For more information, see "Contexts" and "Workflow syntax for GitHub Actions."
Secrets cannot be directly referenced in if: conditionals. Instead, consider setting secrets as job-level environment variables, then referencing the environment variables to conditionally run steps in the job. For more information, see "Contexts" and jobs..steps[*].if.
Avoid passing secrets between processes from the command line, whenever possible. Command-line processes may be visible to other users (using the ps command) or captured by security audit events. To help protect secrets, consider using environment variables, STDIN, or other mechanisms supported by the target process.
If you must pass secrets within a command line, then enclose them within the proper quoting rules. Secrets often contain special characters that may unintentionally affect your shell. To escape these special characters, use quoting with your environment variables. For example:
To use secrets that are larger than 48 KB, you can use a workaround to store secrets in your repository and save the decryption passphrase as a secret on GitHub. For example, you can use gpg to encrypt a file containing your secret locally before checking the encrypted file in to your repository on GitHub. For more information, see the "gpg manpage."
In your GitHub Actions workflow, use a step to call the shell script and decrypt the secret. To have a copy of your repository in the environment that your workflow runs in, you'll need to use the actions/checkout action. Reference your shell script using the run command relative to the root of your repository.
You can use Base64 encoding to store small binary blobs as secrets. You can then reference the secret in your workflow and decode it for use on the runner. For the size limits, see "Using secrets in GitHub Actions."
Note: Using another shell might require different commands for decoding the secret to a file. On Windows runners, we recommend using a bash shell with shell: bash to use the commands in the run step above.
While GitHub automatically redacts secrets printed to workflow logs, runners can only delete secrets they have access to. This means a secret will only be redacted if it was used within a job. As a security measure, you can delete workflow run logs to prevent sensitive values being leaked. For more information, see "Using workflow run logs."
In terms of Docker Swarm services, a secret is a blob of data, such as apassword, SSH private key, SSL certificate, or another piece of data that shouldnot be transmitted over a network or stored unencrypted in a Dockerfile or inyour application's source code. You can use Docker secrets to centrally managethis data and securely transmit it to only those containers that need access toit. Secrets are encrypted during transit and at rest in a Docker swarm. A givensecret is only accessible to those services which have been granted explicitaccess to it, and only while those service tasks are running.
Docker secrets are only available to swarm services, not tostandalone containers. To use this feature, consider adapting your containerto run as a service. Stateful containers can typically run with a scale of 1without changing the container code.
Another use case for using secrets is to provide a layer of abstraction betweenthe container and a set of credentials. Consider a scenario where you haveseparate development, test, and production environments for your application.Each of these environments can have different credentials, stored in thedevelopment, test, and production swarms with the same secret name. Yourcontainers only need to know the name of the secret to function in allthree environments.
You can also use secrets to manage non-sensitive data, such as configurationfiles. However, Docker supports the use ofconfigsfor storing non-sensitive data. Configs are mounted into the container'sfilesystem directly, without the use of a RAM disk.
Microsoft Windows has no built-in driver for managing RAM disks, so withinrunning Windows containers, secrets are persisted in clear text to thecontainer's root disk. However, the secrets are explicitly removed when acontainer stops. In addition, Windows does not support persisting a runningcontainer as an image using docker commit or similar commands.
Secret files with custom targets are not directly bind-mounted into Windowscontainers, since Windows does not support non-directory file bind-mounts.Instead, secrets for a container are all mounted inC:\ProgramData\Docker\internal\secrets (an implementation detail whichshould not be relied upon by applications) within the container. Symboliclinks are used to point from there to the desired target of the secret withinthe container. The default target is C:\ProgramData\Docker\secrets.
c80f0f1006