Chapter 4 Making a GitHub Secret

Learning Objectives: Recognize the purpose of GitHub secrets; Explain how to store your GitHub secrets in a secure way; Create a personal access token (PAT) and store it in your GitHub repository; Test your GitHub secret

4.1 Phase 0: Understanding GitHub Secrets

4.1.1 What Are GitHub Secrets?

GitHub Secrets are encrypted environment variables stored securely in your repository. They allow you to store sensitive information (like usernames, API keys, tokens, passwords) without exposing them in your code. Secrets are only accessible to GitHub Actions during workflow runs and appear as * in logs.

This assignment teaches you a fundamental skill for secure automation in research environments

4.1.2 Why Personal Access Tokens Matter

Personal Access Tokens (PATs) provide secure authentication for GitHub Actions. They’re an alternative to passwords for GitHub authentication. They allow automated workflows to perform actions that require permissions (like creating issues, pushing to repositories, etc.). In research contexts, PATs enable automated data sharing, publication workflows, and collaborative tools

Important: PATs should be treated like passwords - never share them publicly

Often, and in this assignment, you will begin by generating a personal access token in GitHub settings and storing that as a repository secret that can be utilized within workflows/GitHub Actions. But, as mentioned above, GitHub secrets do not always have to be personal access tokens.

4.1.3 Best Practices and Security Considerations

4.1.3.1 Token Management

  • Use descriptive names for tokens to track their purpose
  • Set appropriate expiration dates - shorter is more secure
  • Regularly audit and rotate tokens in production environments
  • Revoke unused tokens to minimize security exposure

4.1.3.2 Secret Storage Best Practices

  • Use specific, descriptive names for secrets
  • Apply principle of least privilege - only grant necessary permissions
  • Never log or print secrets in your workflows
  • Regularly review who has access to repository secrets

4.1.3.3 Research Context Applications

  • API keys for data sources (e.g., cancer databases, genomic repositories)
  • Authentication for computing clusters or cloud services
  • Credentials for automated publication or preprint systems
  • Tokens for collaborative tools and notification systems

4.2 Phase 1: Creating Your Personal Access Token

4.2.1 Step 1: Navigate to GitHub Token Settings

Go to your GitHub profile (click your profile picture in the top right)
Click “Settings” from the dropdown menu
Scroll down to “Developer settings” in the left sidebar (at the bottom)
Click “Personal access tokens”
Select “Tokens (classic)” from the submenu

Navigation path: Profile → Settings → Developer settings → Personal access tokens → Tokens (classic)

4.2.2 Step 2: Generate New Token

Click “Generate new token”
Select “Generate new token (classic)”
GitHub may ask for your password or a 2-factor authenticator (2FA) code - enter it to continue
You’ll be taken to the token creation page

4.2.3 Step 3: Configure Your Token

Add a descriptive note:
     • Use something like “Secret Storage Assignment”
     • This helps you remember what this token is for later

Set expiration:
     • For this assignment, you can set it to 30 days or custom
     • In real research, consider the security vs. convenience trade-off

Select scopes (permissions):
     • Check “repo” - this gives full repository access
     • For this assignment, “repo” scope is sufficient
     • If using a GitHub secret in a GitHub Action/workflow, you may need to select “workflow” as well.
     • In production, use the minimum required permissions

Add a descriptive note. Select 30 days for expiration from the dropdown. Select the scopes you need (repo). Click Generate at the bottom of this page. Keep this tab handy.

4.2.4 Step 4: Generate and Copy Token

Scroll to bottom and click the green
Generate token

button.
CRITICAL: Copy the token immediately - GitHub will only show it once (perhaps keep the window open as you copy it)
The token will look like: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Warning: If you navigate away without copying the token, you’ll need to create a new one! To create a new one, follow Steps 1-4 (within Phase 1) again.

4.3 Phase 2: Storing the Secret in Your Repository

4.3.1 Step 5: Navigate to Repository Settings

Go to your capstone sandbox repository (not your personal settings)
Click the “Settings” tab at the top of the repository page
In the left sidebar, find “Secrets and variables”
Click “Actions” under “Secrets and variables”

Repository navigation: Repository → Settings → Secrets and variables → Actions

4.3.2 Step 6: Create New Repository Secret

Click the green
New repository secret
button
Enter the secret details:
     Name: ASSIGNMENT_SECRET
     Secret: Paste your personal access token from Step 4
Click the green
Add secret

button

Your repository secret must be named ASSIGNMENT_SECRET exactly. It is case sensitive.

Save your copied personal access token as a repository secret naming it exactly ASSIGNMENT underscore SECRET where everything is capitalized and the two words are separated by an underscore with no spaces

4.3.3 Step 7: Verify Secret Creation

You should see ASSIGNMENT_SECRET listed in your repository secrets
The value will show as “Updated X seconds ago” but won’t display the actual token

If you need to update the secret, click the secret name and choose “Update”

4.4 Phase 3: Testing Your Secret

Because you’ve made changes to your repository settings, but not changes to the files within the repository, we can’t open a Pull Request to run an automatic test/evaluation of your work. Instead, we’ll have to manually trigger the GitHub Action Evaluator Test.

In order to report success or failure, the test will open an Issue in your GitHub repo (since there is no open Pull Request to comment on).

4.4.1 Step 8: Trigger the Evaluation Action

Navigate to the “Actions” tab in your repository
Look for “GitHub Secret Evaluation” in the workflows list on the left
Click on “GitHub Secret Evaluation”
Click the “Run workflow” dropdown (you may need to select branch “main”).
Click green
Run workflow

button again to confirm

Go to the Actions tab (on the top banner) to find the evaluation GitHub Action for the GitHub Secret Assignment in the left panel. From there, select the Run workflow button in the top right. Verify it is running on the main branch and click the green run workflow button.

4.4.2 Step 9: Monitor the Evaluation & Interpret the Results

The evaluation will take a few moments to check if your secret exists and is valid. Don’t worry if it takes a minute - the system needs to verify everything is configured correctly

Watch for the workflow to start running (you’ll see a yellow circle, then green checkmark or red X)
Navigate to the “Issues” tab in your repository
Look for a new issue created by the evaluation system
Click on the issue to see detailed results
Interpret the results and proceed accordingly:
     If the issue title indicates success, and the description of the issue contains a validation, skip to Phase 5.
     If the issue title indicates failure, and the description of the issue contains error messages, visit Phase 4: Troubleshooting and Refinement of these instructions.

4.5 Phase 4: Troubleshooting and Refinement

4.5.1 Step 10: Debug Failures

4.5.1.1 Secret Not Found:

Verify:
Check the secret name: Must be exactly ASSIGNMENT_SECRET
Verify secret location:
     Must be in repository secrets as described in Step 6, not personal settings
     Secret is stored in the correct sandbox repository (not fhdsl/capstone-sandbox but instead your own copy)
Re-create if needed: Delete and recreate the secret with correct name

4.5.1.2 “Invalid token” Error

Verify:
Token was copied correctly (no extra spaces)
Token hasn’t expired
Token has ‘repo’ scope permissions
Token was generated for the correct GitHub account

What to do to fix:
Generate a new PAT: Your token may have expired or been created incorrectly
Check scopes: Ensure “repo” permission is selected
Update the secret: Replace the old token with the new one

4.5.1.3 Workflow Doesn’t Run

In this case, if the workflow doesn’t run, it won’t create an issue reporting on success/failure or you may not be able to find it to manually trigger it in Step 8.

Ensure:
You’re triggering from the correct repository
You’re selecting the main branch
The workflow file (secret_assignment_eval.yml) exists in .github/workflows/
You have permissions to run workflows

4.5.2 Step 11: Re-running Evaluation

If you need to fix issues and re-test:
Make necessary corrections (recreate secret, new token, etc.)
Return to Actions tab
Run the “GitHub Secret Evaluation” workflow again
Check for a new issue with updated results

To troubleshoot this assignment, you may need to regenerate a personal access token in your profile settings and recreate a token within the repository settings. After that you will visit the issues tab on that repository to check if the evaluation action ran successfully.

4.6 Phase 5: Completion

If you are taking this course on Coursera:

Collect Your Validation Code

Once your evaluation action succeeds, copy the validation code from the Issue description. You’ll need the code in order to submit your quiz.

Submit Your Quiz on Coursera

Go to your Coursera Graded Assignment (“Making a GitHub Secret”)
Paste the validation code exactly as provided in the issue
Submit the quiz to get credit for your work

icons from icons8
All illustrations CC-BY.
All other materials CC-BY unless noted otherwise.