Secrets Management
Securely handle sensitive information in your workflows
CI/CD workflows often require access to sensitive information such as API keys, signing certificates, and deployment credentials. This guide explains how to securely manage these secrets in your workflow configurations.
Understanding Secrets in CI/CD
Secrets are sensitive values that should never be committed to your repository but are required for your CI/CD workflows. These include API keys, signing keys, access tokens, and other credentials.
Why Secrets Management Matters
- Prevents exposure of sensitive information in your repository
- Enables secure automation of deployment and distribution
- Allows different team members to run workflows without sharing credentials
- Supports different environments (development, staging, production)
GitHub Actions Secrets
GitHub Actions provides a built-in encrypted store for sensitive values, called secrets.
How GitHub Secrets Work
- Secrets are stored encrypted by GitHub and decrypted only for a workflow run that references them (for example `${{ secrets.NAME }}`); they are not ordinary environment variables unless you map them into `env:`
- They are available only to workflow runs in the repository, environment or organization they belong to; workflow runs triggered by pull requests from forked repositories do not receive them (only the automatic GITHUB_TOKEN is available there)
- Their values are masked in logs on a best-effort basis; masking does not catch a value that has been transformed before being printed (Base64-encoded, split, or URL-encoded), so never print a secret deliberately
- They can be scoped to a repository, a deployment environment, or an organization; environment secrets can additionally require reviewer approval before a job may use them
Setting Up Secrets in GitHub Actions
- Go to your GitHub repository
- Navigate to Settings → Secrets and variables → Actions
- Click "New repository secret"
- Enter the name and value for your secret
- Click "Add secret"
For more details, see the GitHub Actions encrypted secrets documentation.
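The workflow below is an added example of consuming the secrets created above; it is not taken from this page or from GitHub's documentation. The environment name `production`, the tag trigger and the `./gradlew assembleRelease` build command are assumptions chosen for illustration. The security-relevant pattern is that every secret is handed to a step through `env:` and read by the shell as a variable, rather than being written as `${{ secrets.X }}` inside `run:`, where the expression would be expanded into the generated script before the shell executes it.

```yaml
name: android-release
on:
  push:
    tags: ["v*"]          # assumed trigger

jobs:
  build:
    runs-on: ubuntu-latest
    # Environment secrets are released only to jobs that name the environment,
    # so the signing material is not available to ordinary CI jobs.
    environment: production   # assumed environment name
    steps:
      - uses: actions/checkout@v4

      # Pass the secret through env: and decode it from the variable.
      - name: Restore signing keystore
        env:
          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
        run: |
          umask 077
          printf '%s' "$ANDROID_KEYSTORE_BASE64" | base64 -d > "$RUNNER_TEMP/release.jks"

      - name: Build signed release
        env:
          ANDROID_KEYSTORE_PATH: ${{ runner.temp }}/release.jks
          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
          ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
          ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
        run: ./gradlew assembleRelease   # assumed build command; reads the variables above

      # Remove the decoded keystore even if the build failed.
      - name: Remove keystore from the runner
        if: always()
        run: rm -f "$RUNNER_TEMP/release.jks"
```

`umask 077` makes the decoded file readable only by the runner user, and the final step runs unconditionally so the keystore does not outlive the job on self-hosted runners.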
Secret Naming Conventions
We recommend a consistent naming convention for secrets: upper-case, underscore-separated names, prefixed with the platform or provider they belong to, with a `_BASE64` suffix for binary files (keystores, certificates, profiles) that have been Base64-encoded so they can be stored as text:

ANDROID_KEYSTORE_BASE64
: Android signing keystore (Base64 encoded)

ANDROID_KEYSTORE_PASSWORD
: Android keystore password

ANDROID_KEY_ALIAS
: Android signing key alias

ANDROID_KEY_PASSWORD
: Android signing key password

IOS_DISTRIBUTION_CERT_BASE64
: iOS distribution certificate (Base64 encoded)

IOS_PROVISIONING_PROFILE_BASE64
: iOS provisioning profile (Base64 encoded)

IOS_CERT_PASSWORD
: iOS certificate password
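Producing and consuming the `*_BASE64` values above is where most mistakes happen (a path pasted instead of the file contents, a wrapped multi-line encoding, or a decoded keystore left world-readable). The script below is an added example, not part of this page or of either CI provider's tooling: it checks a secret name against GitHub's naming rules (alphanumerics and underscores, no leading digit, no `GITHUB_` prefix), encodes a file to a single Base64 line, and decodes a named variable back to a file that only the current user can read. The sample keystore is constructed random data.

```shell
#!/bin/sh
# Added example; not the page's or any CI provider's code.

# Accept only names GitHub Actions allows. Because the names are later used
# with eval, this also guarantees they are plain shell identifiers.
valid_secret_name() {
  case "$1" in
    GITHUB_*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'
}

# Encode a binary file (keystore, .p12, .mobileprovision) as one line of
# Base64, ready to paste into a *_BASE64 secret.
encode_secret_file() {
  base64 < "$1" | tr -d '\n'
}

# decode_secret_to_file VARNAME OUTPATH
# Decode the Base64 held in $VARNAME into OUTPATH with mode 0600.
# Fails, without printing the value, if the variable is unset/empty,
# the name is unsafe, or the content is not valid Base64.
decode_secret_to_file() {
  var="$1"; out="$2"
  valid_secret_name "$var" || { echo "rejected secret name: $var" >&2; return 1; }
  eval "val=\${$var:-}"
  [ -n "$val" ] || { echo "$var is not set or empty" >&2; return 1; }
  # umask inside the subshell applies to the redirection that creates the file
  if ! (umask 077; printf '%s' "$val" | base64 -d > "$out"); then
    rm -f "$out"
    echo "$var does not contain valid Base64 (was a path pasted instead of the file?)" >&2
    return 1
  fi
  unset val
}

# Usage (constructed sample input, not a real keystore):
#   head -c 64 /dev/urandom > release.jks
#   ANDROID_KEYSTORE_BASE64=$(encode_secret_file release.jks)
#   decode_secret_to_file ANDROID_KEYSTORE_BASE64 "$RUNNER_TEMP/release.jks"
```

The decoder refuses to run `eval` on anything that is not a valid secret name, so a caller cannot turn the variable-name argument into a shell injection, and a failed decode removes the partially written file rather than leaving a truncated keystore for a later step to trip over.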
Bitrise Secrets
Bitrise provides two ways to store sensitive values: Secrets, and Environment Variables marked as sensitive.
How Bitrise Secrets Work
- Secrets are managed in the Secrets tab of the Workflow Editor, separately from ordinary Environment Variables
- An Environment Variable can also be protected by enabling its "Sensitive" option
- Secret values are encrypted at rest and masked in build logs
- Secrets can be scoped to specific apps or workflows
Setting Up Secrets in Bitrise
- Log in to your Bitrise account
- Navigate to your app
- Go to Workflow Editor → Secrets tab
- Click "Add new" and enter the key and value for your secret
- Leave "Expose for Pull Requests" off unless a pull-request build genuinely needs the value: pull-request builds run code from the contributor's branch, which can read any secret exposed to them
- Click "Add new secret"
Alternatively, you can add secrets as Environment Variables:
- Go to Workflow Editor → Env Vars tab
- Click "Add new"
- Enter the key and value
- Check "Make sensitive" to secure the value
- Click "Add new env var"
For more details, see the Bitrise secrets documentation.
Required Secrets by Context
Different workflow configurations require different sets of secrets; define only those for the contexts your workflow actually uses. Not every value below is confidential in itself (FIREBASE_APP_ID and AWS_BUCKET_NAME are identifiers), but storing them with the credentials they belong to keeps each context's configuration in one place.
Storage Provider Secrets
Provider | Required Secrets | Description |
---|---|---|
GitHub Artifacts | None | Uses the automatically provided GITHUB_TOKEN |
Firebase App Distribution | FIREBASE_APP_ID | Your Firebase App ID |
Firebase App Distribution | FIREBASE_TOKEN | Firebase CLI authentication token |
Google Drive | GOOGLE_DRIVE_CLIENT_ID | OAuth client ID |
Google Drive | GOOGLE_DRIVE_CLIENT_SECRET | OAuth client secret |
Google Drive | GOOGLE_DRIVE_REFRESH_TOKEN | OAuth refresh token |
Amazon S3 | AWS_ACCESS_KEY_ID | AWS access key with S3 permissions |
Amazon S3 | AWS_SECRET_ACCESS_KEY | Corresponding AWS secret key |
Amazon S3 | AWS_BUCKET_NAME | Target S3 bucket name |
Platform-Specific Secrets
Platform | Required Secrets | Description |
---|---|---|
Android | ANDROID_KEYSTORE_BASE64 | Base64-encoded keystore file |
Android | ANDROID_KEYSTORE_PASSWORD | Password for the keystore file |
Android | ANDROID_KEY_ALIAS | Alias of the key in the keystore |
Android | ANDROID_KEY_PASSWORD | Password for the specific key |
iOS | IOS_DISTRIBUTION_CERT_BASE64 | Base64-encoded distribution certificate |
iOS | IOS_PROVISIONING_PROFILE_BASE64 | Base64-encoded provisioning profile |
iOS | IOS_CERT_PASSWORD | Certificate password |
Notification Secrets
Notification Type | Required Secrets | Description |
---|---|---|
Slack | SLACK_WEBHOOK_URL | Webhook URL for posting to Slack channel |
Teams | TEAMS_WEBHOOK_URL | Webhook URL for posting to Teams channel |
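A missing or mis-pasted secret is usually discovered only when a late upload or signing step fails, after the build time has already been spent. The script below is an added example (not part of this page or of any CI provider) of a preflight check run as the first step of a workflow: it encodes the tables above as required-variable lists per context, fails if any required variable is unset or empty, and additionally rejects `*_BASE64` values that contain characters outside the Base64 alphabet, which is the usual symptom of a file path or a line-wrapped encoding having been pasted. It reports names only and never prints a value. The context labels (`firebase`, `s3`, ...) and the sample values in the usage note are constructed for the example.

```shell
#!/bin/sh
# Added example; not the page's or any CI provider's code.

# required_secrets CONTEXT: print the space-separated variable names that
# the tables above list for that context. Unknown contexts are an error.
required_secrets() {
  case "$1" in
    github-artifacts) echo "" ;;
    firebase) echo "FIREBASE_APP_ID FIREBASE_TOKEN" ;;
    gdrive)   echo "GOOGLE_DRIVE_CLIENT_ID GOOGLE_DRIVE_CLIENT_SECRET GOOGLE_DRIVE_REFRESH_TOKEN" ;;
    s3)       echo "AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_BUCKET_NAME" ;;
    android)  echo "ANDROID_KEYSTORE_BASE64 ANDROID_KEYSTORE_PASSWORD ANDROID_KEY_ALIAS ANDROID_KEY_PASSWORD" ;;
    ios)      echo "IOS_DISTRIBUTION_CERT_BASE64 IOS_PROVISIONING_PROFILE_BASE64 IOS_CERT_PASSWORD" ;;
    slack)    echo "SLACK_WEBHOOK_URL" ;;
    teams)    echo "TEAMS_WEBHOOK_URL" ;;
    *) echo "unknown context: $1" >&2; return 1 ;;
  esac
}

# check_secrets CONTEXT...: return 0 when every required variable is set and
# well-formed; otherwise list the offending names (never values) and return 1.
check_secrets() {
  missing=""; malformed=""
  for ctx in "$@"; do
    names=$(required_secrets "$ctx") || return 1
    for n in $names; do
      eval "v=\${$n:-}"          # names come from the fixed table above, so eval is safe
      if [ -z "$v" ]; then
        missing="$missing $n"
        continue
      fi
      case "$n" in
        *_BASE64)
          # A single line of Base64 contains only these characters.
          printf '%s' "$v" | grep -Eq '^[A-Za-z0-9+/=]+$' || malformed="$malformed $n"
          ;;
      esac
    done
  done
  unset v
  status=0
  if [ -n "$missing" ]; then
    echo "missing required secrets:$missing" >&2; status=1
  fi
  if [ -n "$malformed" ]; then
    echo "secrets that are not valid single-line Base64:$malformed" >&2; status=1
  fi
  return $status
}

# Usage as the first workflow step (constructed example contexts):
#   check_secrets android firebase slack || exit 1
```

Because the variable names are taken from the fixed table rather than from user input, the `eval` here cannot be steered into executing anything else; a check that accepted arbitrary names would need the same validation as a secret-name validator before using `eval`.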