Secrets

Use secrets for storing any sensitive value that you want to access in your Mint workflows. It's common to pass secrets as environment variables into tasks, although you can also pass them to commands directly. Either way, you'll reference the secret using expressions, such as ${{ secrets.your-secret }}.

See the documentation on vaults for configuring vaults to store secrets.

If you want an external variable to use in your runs, but the value is not sensitive, then you can use vars instead of secrets.

Settings Secrets

You can set secrets in the Mint UI, under Vaults.

You can also set secrets using the Mint CLI. See the getting started docs for notes on installing and authenticating the CLI.

To set secrets in the default vault, while passing the values on the command line:

mint vaults set-secrets secret-name-1=secretvalue1 secret-name2=secretvalue2

To set secrets in a different vault:

mint vaults set-secrets --vault your_vault secret-name=secretvalue

You can also pass secrets in a file, formatted with the dotenv format.

mint vaults set-secrets --file secrets.env

The dotenv format expects lines of KEY=value, with double quotes used for multiline secrets, such as this:

SECRETNAME=secretvalue
MULTILINE_SECRET="line 1
line 2"

Note that when using this technique your secret names must align with dotenv's key format.

Secret in Default Vault passed as ENV

You'll often want to pass secrets as environment variables into tasks. This task sets a secret named your-secret in an environment variable named YOUR SECRET. This environment variable will only be set for this task, and not any subsequent tasks which depend on this. In general, it's recommended to pass secret values into each task that needs them. For more details, see the documentation on environment variables.

tasks:
  - key: example-task
    run: ...
    env:
      YOUR_SECRET: ${{ secrets.your-secret }}

Secret in Custom Vault passed as ENV

Given a vault named your_other_vault:

tasks:
  - key: example-task
    run: ...
    env:
      YOUR_SECRET: ${{ vaults.your_other_vault.secrets.your-secret }}

Secret in Default Vault passed in Run Script

Although it's recommended to use environment variables, you can also pass secrets directly into run scripts:

tasks:
  - key: example-task
    run: ./some-script.sh ${{ secrets.your-secret }}

Secret Name Format

Secret names are case sensitive. The may contain alphanumeric characters, underscores (_), and dashes (-).