How to Use GitHub Actions Secrets to Deploy Securely to a Linux Server

Security is one of the biggest concerns when automating deployments.
If you're deploying from GitHub Actions to a VPS, you must never expose:
- SSH keys
- API tokens
- Server credentials
This is where GitHub Actions Secrets come in.
Using GitHub Actions, you can securely store and use sensitive data in your workflows.
This guide will walk you through everything you need to know.
What are GitHub Actions Secrets?
Secrets are encrypted variables stored in your repository settings.
They allow you to:
- Store sensitive data securely
- Access it in workflows
- Prevent leaks
Why Secrets Matter
Without secrets:
- Credentials exposed in code
- High security risk
- Possible server compromise
Common Use Cases
- SSH private keys
- API tokens
- Database credentials
Step 1: Generate SSH Key
ssh-keygen -t rsa -b 4096
Step 2: Add Public Key to Server
ssh-copy-id user@server-ip
Step 3: Add Private Key to GitHub Secrets
Go to:
- Repository → Settings → Secrets
Add:
- SSH_PRIVATE_KEY
Step 4: Use Secrets in Workflow
- name: Setup SSH
run: |
mkdir -p ~/.ssh
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
Step 5: Deploy Securely
- name: Deploy
run: |
rsync -avz . user@server-ip:/var/www/app/
Best Practices for Secrets
- Never commit secrets
- Rotate keys regularly
- Use least privilege
Advanced Security
Use Environment-Based Secrets
Different secrets for staging/production.
Use Encrypted Variables
Protect sensitive data further.
Common Mistakes
- Hardcoding credentials
- Exposing logs
- Not rotating keys
Troubleshooting
Permission Denied
Check key permissions.
Workflow Fails
Check logs in Actions.
Real-World Insight
Most security breaches happen because:
👉 credentials are exposed in code
FAQs
Are GitHub secrets safe?
Yes, encrypted and secure.
Can secrets be accessed publicly?
No.
Final Thoughts
Using GitHub Actions secrets is essential for secure deployments. It’s simple, powerful, and protects your infrastructure from major risks.
