{"meta":{"title":"Secrets reference","intro":"Find technical information about secrets in GitHub Actions.","product":"GitHub Actions","breadcrumbs":[{"href":"/en/actions","title":"GitHub Actions"},{"href":"/en/actions/reference","title":"Reference"},{"href":"/en/actions/reference/security","title":"Security"},{"href":"/en/actions/reference/security/secrets","title":"Secrets"}],"documentType":"article"},"body":"# Secrets reference\n\nFind technical information about secrets in GitHub Actions.\n\n## Naming your secrets\n\n> \\[!TIP]\n> To help ensure that GitHub redacts your secrets in logs correctly, avoid using structured data as the values of secrets.\n\nThe following rules apply to secret names:\n\n* Can only contain alphanumeric characters (`[a-z]`, `[A-Z]`, `[0-9]`) or underscores (`_`). Spaces are not allowed.\n* Must not start with the `GITHUB_` prefix.\n* Must not start with a number.\n* Are case insensitive when referenced. GitHub stores secret names as uppercase regardless of how they are entered.\n* Must be unique to the repository, organization, or enterprise where they are created.\n\nIf a secret with the same name exists at multiple levels, the secret at the lowest level takes precedence. For example, if an organization-level secret has the same name as a repository-level secret, then the repository-level secret takes precedence. Similarly, if an organization, repository, and environment all have a secret with the same name, the environment-level secret takes precedence.\n\n## Limits for secrets\n\nYou can store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets.\n\nA workflow created in a repository can access the following number of secrets:\n\n* All 100 repository secrets.\n* If the repository is assigned access to more than 100 organization secrets, the workflow can only use the first 100 organization secrets (sorted alphabetically by secret name).\n* All 100 environment secrets.\n\nSecrets are limited to 48 KB in size. To store larger secrets, see [Using secrets in GitHub Actions](/en/actions/how-tos/security-for-github-actions/security-guides/using-secrets-in-github-actions#storing-large-secrets).\n\n## When GitHub Actions reads secrets\n\nOrganization and repository secrets are read when a workflow run is queued, and environment secrets are read when a job referencing the environment starts.\n\n## Automatically redacted secrets\n\nGitHub automatically redacts the following sensitive information from workflow logs.\n\n> \\[!NOTE] If you would like other types of sensitive information to be automatically redacted, please reach out to us in our [community discussions](https://github.com/orgs/community/discussions?discussions_q=is%3Aopen+label%3AActions).\n\n* 32-byte and 64-byte Azure keys\n* Azure AD client app passwords\n* Azure Cache keys\n* Azure Container Registry keys\n* Azure Function host keys\n* Azure Search keys\n* Database connection strings\n* HTTP Bearer token headers\n* JWTs\n* NPM author tokens\n* NuGet API keys\n* v1 GitHub installation tokens\n* v2 GitHub installation tokens (`ghp`, `gho`, `ghu`, `ghs`, `ghr`)\n* v2 GitHub PATs\n\n## Security\n\nFor security best practices using secrets, see [Secure use reference](/en/actions/reference/secure-use-reference#use-secrets-for-sensitive-information)."}