Mastering GitHub Actions Variables (2025): Common Mistakes and Best Practices
GitHub Actions variables store configuration values that can be reused across workflows, jobs, and steps. You can define them as environment variables (env), configuration variables (vars), or secrets. They make workflows maintainable, secure, and flexible by centralizing configuration.
Think of it this way: env provides workflow-scoped variables, vars offers repository and organization-wide configuration, and secrets secures sensitive values.
Table of Contents
Introduction: Why Variables Matter in CI/CD Workflows
When you first start writing GitHub Actions workflows, hardcoding values seems harmless. You set your Docker image tag to latest, put us-east-1 directly in your deploy step, and move on. Then you need to deploy to a staging environment, or switch regions, or update that image tag across twelve different workflows. Suddenly you’re hunting through YAML files, making the same change repeatedly, and wondering why you didn’t plan ahead.
Variables solve this problem by applying the DRY principle to your CI/CD pipelines. Instead of scattering configuration values throughout your workflows, you define them once and reference them everywhere. When something changes, you update a single source of truth rather than performing error-prone find-and-replace operations across multiple files.
GitHub Actions gives you three distinct ways to work with variables, each serving different needs. Environment variables using the env key let you scope configuration to specific workflows, jobs, or steps. Configuration variables accessed through the vars context provide repository-wide and organization-wide settings that work across multiple workflows. Secrets offer encrypted storage for sensitive data like API keys and passwords.
In this guide, you’ll learn how each variable type works, when to use which approach, and how to combine them effectively. We’ll cover practical patterns I’ve used in production systems, common pitfalls that waste debugging time, and techniques for building maintainable pipelines that your team can understand six months from now.
Environment Variables in GitHub Actions (env)
Environment variables represent the most straightforward way to define reusable values in your workflows. You declare them using the env key at three different scopes: workflow level, job level, or step level. Each scope follows the same syntax but determines where the variable becomes accessible.
When you define an environment variable at the workflow level, every job and step in that workflow can access it. Job-level variables are available to all steps within that specific job. Step-level variables exist only for that individual step. This scoping hierarchy lets you establish broad defaults while allowing specific overrides where needed.
GitHub Actions: Using environment variables
name: Multi-scope Environment Variables
on: push
# Workflow-level: available everywhere
env:
DEFAULT_REGION: us-east-1
NODE_VERSION: '18'
jobs:
build:
runs-on: ubuntu-latest
# Job-level: overrides workflow defaults for this job
env:
DEFAULT_REGION: us-west-2
BUILD_ENV: production
steps:
- name: Show environment
# Step-level: only exists in this step
env:
CUSTOM_MESSAGE: Building in production
run: |
echo "Region: $DEFAULT_REGION" # Shows us-west-2 (job override)
echo "Node: $NODE_VERSION" # Shows 18 (inherited)
echo "Env: $BUILD_ENV" # Shows production (job-level)
echo "$CUSTOM_MESSAGE" # Shows custom message
Accessing environment variables differs between shell commands and YAML expressions. In shell scripts within run blocks, you use standard shell syntax like $DEFAULT_REGION or ${DEFAULT_REGION}. In YAML contexts outside run blocks, you must use GitHub’s expression syntax: ${{ env.DEFAULT_REGION }}. This distinction causes confusion because the same variable requires different syntax depending on where you reference it.
steps:
- name: YAML context access
if: ${{ env.BUILD_ENV == 'production' }} # YAML expression required
run: echo "Shell access works here: $BUILD_ENV" # Shell syntax
- name: Using in with parameters
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }} # YAML expression required
The most common pitfall is attempting to use shell syntax in YAML contexts or forgetting the expression syntax entirely. When you write if: env.BUILD_ENV == 'production' without the ${{ }} wrapper, GitHub treats it as a literal string comparison rather than evaluating the variable. Always wrap environment variable references in expression syntax when they appear in YAML keys like if, with, or matrix definitions.
Configuration Variables (vars)
Configuration variables entered the GitHub Actions ecosystem as a cleaner way to manage repository and organization-wide settings. Unlike environment variables that you define within workflow files, configuration variables live in your repository or organization settings. You access them through the vars context using syntax like ${{ vars.MY_VAR }}.
The key advantage of configuration variables is centralized management outside your workflow code. When you need to change a shared value like a deployment region or Docker registry URL, you modify it once in the GitHub UI rather than editing multiple workflow files. This separation of configuration from code follows infrastructure-as-code best practices and makes it easier for non-developers to update settings without touching YAML.
You can define configuration variables at three levels: repository, organization, and environment. Repository variables apply to all workflows in that specific repository. Organization variables work across all repositories in your GitHub organization. Environment variables (not to be confused with env in workflows) tie to specific environments like staging or production, letting you maintain different configurations per deployment target.
GitHub configuration variables reference
name: Using Configuration Variables
on: push
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Access repository vars
run: |
echo "Deploying to region: ${{ vars.AWS_REGION }}"
echo "Using image: ${{ vars.DOCKER_IMAGE_NAME }}"
echo "Version: ${{ vars.APP_VERSION }}"
- name: Conditional based on vars
if: vars.ENABLE_DEPLOYMENT == 'true'
run: echo "Deployment enabled via configuration variable"
- name: Use in action inputs
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ vars.AWS_REGION }}
Configuration variables require the ${{ }} expression syntax everywhere you use them. Unlike environment variables that allow shell syntax in run blocks, vars only works within GitHub’s expression language. Attempting to access $vars.AWS_REGION in a shell command will fail because the variable doesn’t get exported to the shell environment automatically.
When you need to use configuration variables in shell scripts, assign them to environment variables first. This pattern gives you the best of both worlds: centralized configuration management with familiar shell syntax.
steps:
- name: Convert vars to env for shell use
env:
AWS_REGION: ${{ vars.AWS_REGION }}
IMAGE_TAG: ${{ vars.DOCKER_IMAGE_TAG }}
run: |
# Now accessible as regular environment variables
aws s3 ls --region $AWS_REGION
docker pull myregistry/app:$IMAGE_TAG
One limitation you’ll encounter is that configuration variables don’t support dynamic property access. You cannot write ${{ vars[matrix.region] }} to look up variables based on matrix values or other computed strings. This restriction exists because GitHub evaluates expressions before runtime, and the vars context doesn’t support bracket notation for dynamic keys.
Secrets
Secrets provide encrypted storage for sensitive values that should never appear in logs or be accessible to unauthorized users. GitHub encrypts secrets using libsodium sealed boxes, and they remain encrypted until your workflow explicitly accesses them. This security model differs fundamentally from environment variables and configuration variables, which are visible in workflow files and repository settings.
The most important practice with secrets is never using them directly in shell commands or places where they might get logged. When you write run: echo ${{ secrets.API_KEY }}, GitHub’s log redaction might catch it, but you’re relying on post-processing rather than preventing exposure. Instead, assign secrets to environment variables within the step, which prevents accidental leakage through error messages or debug output.
Managing encrypted secrets in GitHub
name: Safe Secret Usage
on: push
jobs:
deploy:
runs-on: ubuntu-latest
steps:
# UNSAFE: secret appears directly in command
- name: Bad practice
run: curl -H "Authorization: Bearer ${{ secrets.API_TOKEN }}" api.example.com
# SAFE: secret assigned to env, used indirectly
- name: Good practice
env:
API_TOKEN: ${{ secrets.API_TOKEN }}
DB_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}
run: |
# Secrets now in environment, not visible in YAML
curl -H "Authorization: Bearer $API_TOKEN" api.example.com
psql "postgresql://user:$DB_PASSWORD@host/db"
GitHub automatically redacts exact secret values from logs, replacing them with asterisks. However, this redaction operates on literal string matching. If your secret is abc123 and a log message happens to contain abc followed by 123 from different sources, the redaction might miss it. More importantly, if you manipulate the secret in ways that create derived values, those derived values won’t be redacted unless GitHub can trace them back to the original secret.
Secrets follow a precedence hierarchy similar to configuration variables. Repository secrets apply to all workflows in the repository. Organization secrets work across repositories. Environment secrets tie to specific environments and can override repository or organization secrets with the same name. When multiple secrets exist with the same name at different levels, the most specific one wins: environment beats repository beats organization.
name: Secret Precedence
on: push
jobs:
staging-deploy:
runs-on: ubuntu-latest
environment: staging # Uses staging environment secrets
steps:
- name: Deploy with environment-specific secret
env:
API_KEY: ${{ secrets.API_KEY }} # Gets staging version
run: ./deploy.sh
production-deploy:
runs-on: ubuntu-latest
environment: production # Uses production environment secrets
steps:
- name: Deploy with environment-specific secret
env:
API_KEY: ${{ secrets.API_KEY }} # Gets production version
run: ./deploy.sh
One subtle behavior catches people off guard: you cannot use secrets in if conditions that determine whether a job or step runs. GitHub evaluates conditional expressions before jobs execute, and at that point it won’t expose secret values for security reasons. If you need conditional logic based on a secret’s presence or value, you must check it within a step’s run block rather than in the job or step’s if clause.
Comparing env vs vars vs secrets
Understanding when to use environment variables, configuration variables, or secrets requires looking at their characteristics side by side. Each approach serves distinct use cases, and choosing the wrong one creates maintenance headaches or security vulnerabilities.
| Feature | env | vars | secrets |
|---|---|---|---|
| Definition Location | Workflow YAML file | Repository/Org settings | Repository/Org settings |
| Scope | Workflow/Job/Step | Repository/Org/Environment | Repository/Org/Environment |
| Visibility | Plain text in YAML | Plain text in settings | Encrypted, redacted in logs |
| Access Syntax | ${{ env.X }} or $X in shell | ${{ vars.X }} only | ${{ secrets.X }} only |
| Best For | Workflow-specific config | Shared, non-sensitive config | API keys, tokens, passwords |
| Override Behavior | Inner scope overrides outer | Environment > Repo > Org | Environment > Repo > Org |
| Version Control | Yes, committed to repo | No, external to repo | No, external to repo |
| Dynamic Access | Limited | No | No |
Environment variables excel when configuration lives with the code. If different workflows need different values, or if the configuration is workflow-specific logic rather than deployment settings, environment variables keep everything together. They make sense for build flags, test configurations, or workflow orchestration variables that have no meaning outside the specific pipeline.
Configuration variables suit shared settings that apply across multiple workflows but aren’t sensitive. Think deployment regions, feature flags, Docker image names, or version numbers. The centralized management means you can update these values without pushing code changes, which is particularly valuable when non-developers need to modify configurations or when you want to change behavior across many repositories simultaneously.
Secrets are non-negotiable for anything sensitive: API tokens, passwords, private keys, or any credential that could cause harm if exposed. The encryption and redaction provide defense in depth, though they don’t excuse poor security practices like echoing secrets to logs or using them in ways that create derivative values.
Name collisions between these three types follow a precedence that sometimes surprises people. When you have an env variable, a vars variable, and a secret all named API_KEY, they don’t override each other because they exist in different contexts. The env.API_KEY, vars.API_KEY, and secrets.API_KEY references access different values. However, if you assign all three to shell environment variables with the same name, the last assignment wins within that shell context.
steps:
- name: Name collision example
env:
# All three assignments create $CONFIG in shell
CONFIG: ${{ vars.CONFIG }} # This value
CONFIG: ${{ secrets.CONFIG }} # Gets overwritten by this
CONFIG: local-override # Which gets overwritten by this
run: echo "$CONFIG" # Prints: local-override
The practical lesson is to maintain distinct naming conventions. I prefix environment variables with workflow-specific terms like BUILD_ or TEST_, configuration variables with domain terms like AWS_ or DOCKER_, and avoid naming collisions entirely by keeping secrets specific to their purpose like PROD_API_KEY rather than generic API_KEY.
Advanced Use & Limitations
Once you understand the basics of GitHub Actions variables, you’ll inevitably try to do something clever that the system doesn’t support. The expression language has guardrails that prevent certain patterns, and understanding these limitations saves hours of debugging when your seemingly logical syntax fails.
The most frequent advanced use case is conditional variable access based on runtime values. You might have different configuration variables for different regions and want to select the right one dynamically. Your intuition says to write ${{ vars[format('CONFIG_{0}', matrix.region)] }}, but this fails because the vars context doesn’t support bracket notation or dynamic keys.
# This DOES NOT WORK - vars doesn't support dynamic indexing
jobs:
deploy:
strategy:
matrix:
region: [us-east-1, eu-west-1, ap-south-1]
steps:
- name: Attempt dynamic vars access
run: echo "${{ vars[format('REGION_{0}', matrix.region)] }}" # FAILS
The workaround involves creating a mapping step that outputs the correct value, then consuming that output in subsequent steps. This approach feels verbose but provides reliable conditional logic that the expression language can evaluate.
jobs:
setup:
runs-on: ubuntu-latest
outputs:
config: ${{ steps.select.outputs.config }}
steps:
- name: Select configuration
id: select
run: |
# Use shell logic to map values
case "${{ matrix.region }}" in
us-east-1) CONFIG="${{ vars.CONFIG_US_EAST }}" ;;
eu-west-1) CONFIG="${{ vars.CONFIG_EU_WEST }}" ;;
ap-south-1) CONFIG="${{ vars.CONFIG_AP_SOUTH }}" ;;
*) echo "Unknown region"; exit 1 ;;
esac
echo "config=$CONFIG" >> $GITHUB_OUTPUT
deploy:
needs: setup
runs-on: ubuntu-latest
steps:
- name: Use selected config
run: echo "Config: ${{ needs.setup.outputs.config }}"
Another limitation appears when trying to compute variables from other variables within the YAML itself. You cannot write ${{ env.PREFIX + '_' + env.SUFFIX }} because the expression language doesn’t support string concatenation with the plus operator. Instead, you use the format function or perform concatenation in shell scripts.
steps:
- name: String concatenation in expressions
env:
# Use format function for concatenation
FULL_NAME: ${{ format('{0}-{1}', vars.PROJECT, vars.VERSION) }}
# Or do it in shell
run: |
COMBINED="${{ vars.PREFIX }}_${{ vars.SUFFIX }}"
echo "Combined: $COMBINED"
Conditional steps using variables work well when you understand that GitHub evaluates these conditions before the job runs, using only the information available at that time. This means you can use vars and env in conditions, but the values must be statically defined, not computed during the workflow execution.
steps:
- name: Conditionally run based on vars
if: vars.DEPLOY_ENABLED == 'true'
run: ./deploy.sh
- name: Multiple conditions
if: vars.ENVIRONMENT == 'production' && github.ref == 'refs/heads/main'
run: ./production-deploy.sh
# This works because env.BUILD_TYPE is statically defined
- name: Conditional on env
if: env.BUILD_TYPE == 'release'
env:
BUILD_TYPE: release
run: ./build.sh
The key to working within these limitations is accepting that GitHub Actions favors explicit configuration over dynamic computation. When you need complex logic, push it into shell scripts or dedicated steps rather than trying to express everything in YAML expressions. Your workflows become more readable and maintainable as a result.
Debugging & Safe Logging
When variables don’t behave as expected, systematic debugging becomes essential. GitHub Actions provides several techniques for inspecting variable values without compromising security or cluttering your logs with noise.
The most powerful debugging tool is the toJSON function, which serializes entire contexts into readable JSON. When you’re unsure what variables exist or what values they contain, dumping the relevant context reveals everything at once. This approach works for vars, env, secrets, and other built-in contexts like github or matrix.
steps:
- name: Debug all vars
run: echo '${{ toJSON(vars) }}'
- name: Debug environment variables
run: echo '${{ toJSON(env) }}'
- name: Debug github context
run: echo '${{ toJSON(github) }}'
# NEVER do this - exposes all secrets in logs
- name: UNSAFE secret debugging
run: echo '${{ toJSON(secrets) }}' # DON'T DO THIS
For secrets, you must balance debugging needs with security. The safest approach is checking whether a secret exists without revealing its value. You can test for presence using conditional logic or by checking string length, which confirms the secret is set without exposing the actual value.
steps:
- name: Verify secret exists
env:
API_KEY: ${{ secrets.API_KEY }}
run: |
if [ -z "$API_KEY" ]; then
echo "ERROR: API_KEY secret not set"
exit 1
else
echo "API_KEY is configured (length: ${#API_KEY})"
fi
Fallback patterns prevent workflows from failing when optional variables aren’t set. The || operator in expressions provides default values, letting you write defensive code that handles missing configuration gracefully.
steps:
- name: Use vars with fallback
env:
# If vars.REGION not set, use default
REGION: ${{ vars.AWS_REGION || 'us-east-1' }}
# Fallback chain for multiple options
ENV: ${{ vars.ENVIRONMENT || env.DEFAULT_ENV || 'development' }}
run: |
echo "Deploying to region: $REGION"
echo "Environment: $ENV"
When debugging complex workflows, enable step debug logging by setting the ACTIONS_STEP_DEBUG secret to true in your repository. This reveals additional information about how GitHub evaluates expressions and executes steps, though it significantly increases log volume.
Another useful technique is temporarily adding debug steps that show your understanding of what should happen versus what actually happens. These assertion-style checks help isolate whether the problem lies in variable definition, scope, or usage.
steps:
- name: Assert expected configuration
run: |
echo "Expected region: us-west-2"
echo "Actual region: ${{ vars.AWS_REGION }}"
echo "Match: $([ '${{ vars.AWS_REGION }}' = 'us-west-2' ] && echo 'yes' || echo 'no')"
Remember that debugging output persists in your workflow logs, visible to anyone with repository access. Never leave debug steps that expose sensitive patterns or business logic in production workflows. Use them during development, then remove them or gate them behind conditional flags once the workflow stabilizes.
Best Practices
Building maintainable workflows requires consistent patterns that your team can understand and extend. These practices emerged from managing dozens of repositories and hundreds of workflow files, representing the hard lessons learned when apparently clever solutions created maintenance nightmares six months later.
Naming conventions matter more than you think. Establish a consistent pattern across your organization and stick to it. I recommend uppercase with underscores for environment variables and configuration variables, matching shell conventions: AWS_REGION, DOCKER_IMAGE_TAG, DEPLOY_ENABLED. This consistency means anyone reading your workflow can immediately identify variables versus literals.
Scope your variables as narrowly as possible. Workflow-level environment variables create global state that makes it harder to understand where values come from. If only one job needs a variable, define it at the job level. If only one step needs it, define it at the step level. This scoping prevents accidental dependencies and makes refactoring safer.
# Bad: everything at workflow level
env:
NODE_VERSION: '18'
PYTHON_VERSION: '3.11'
DOCKER_IMAGE: app:latest
AWS_REGION: us-east-1
jobs:
node-build: # Doesn't need Python or Docker vars
steps: [...]
python-test: # Doesn't need Node or Docker vars
steps: [...]
# Good: scoped appropriately
jobs:
node-build:
env:
NODE_VERSION: '18'
steps: [...]
python-test:
env:
PYTHON_VERSION: '3.11'
steps: [...]
deploy:
env:
DOCKER_IMAGE: app:latest
AWS_REGION: us-east-1
steps: [...]
Use configuration variables for values that change between environments or need central management. Keep environment variables for workflow-specific logic. This separation means your workflow YAML focuses on orchestration while your repository settings handle configuration. When someone needs to change a deployment target, they modify settings rather than editing code.
Create helper jobs that compute complex variables early in your workflow, then pass results as outputs. This pattern centralizes logic, makes workflows more readable, and provides a clear place to add error handling or validation.
jobs:
config:
runs-on: ubuntu-latest
outputs:
deploy-region: ${{ steps.compute.outputs.region }}
image-tag: ${{ steps.compute.outputs.tag }}
steps:
- name: Compute configuration
id: compute
run: |
# Complex logic to determine values
if [ "${{ github.ref }}" = "refs/heads/main" ]; then
REGION="${{ vars.PROD_REGION }}"
TAG="prod-${{ github.sha }}"
else
REGION="${{ vars.STAGING_REGION }}"
TAG="stage-${{ github.sha }}"
fi
echo "region=$REGION" >> $GITHUB_OUTPUT
echo "tag=$TAG" >> $GITHUB_OUTPUT
deploy:
needs: config
runs-on: ubuntu-latest
steps:
- name: Deploy to computed region
run: |
echo "Region: ${{ needs.config.outputs.deploy-region }}"
echo "Tag: ${{ needs.config.outputs.image-tag }}"
Always provide fallback values for optional configuration. Workflows that fail with cryptic errors when a variable isn’t set waste time and frustrate users. Defensive defaults mean workflows work out of the box while still allowing customization.
Document your variables. Add comments in workflow files explaining what each variable controls and what values are valid. For configuration variables and secrets, maintain a README or documentation page listing all expected variables, their purposes, and example values. Future you (and your teammates) will thank you.
jobs:
deploy:
runs-on: ubuntu-latest
env:
# AWS region for deployment (default: us-east-1)
# Override via vars.AWS_REGION for multi-region setups
REGION: ${{ vars.AWS_REGION || 'us-east-1' }}
# Docker image tag (default: latest)
# Production workflows should set via vars.IMAGE_TAG
TAG: ${{ vars.IMAGE_TAG || 'latest' }}
Audit your workflows periodically for hardcoded values that should be variables. Search for repeated literals like region names, version numbers, or URLs. Each repeated value represents a maintenance burden and potential inconsistency. Extract them to variables with meaningful names.
Real-World Use Cases
Seeing variables in context makes the abstract concrete. These examples come from actual production workflows, simplified to highlight the variable patterns while removing project-specific details.
The first common pattern is managing shared regional configuration across multiple workflows. When you deploy to multiple AWS regions or need different settings per region, configuration variables centralize this information.
name: Multi-Region Deployment
on:
workflow_dispatch:
inputs:
target-region:
description: 'Deployment region'
required: true
type: choice
options:
- us-east-1
- eu-west-1
- ap-south-1
jobs:
deploy:
runs-on: ubuntu-latest
env:
# Use workflow input, fallback to primary region
DEPLOY_REGION: ${{ inputs.target-region || vars.PRIMARY_REGION }}
# Region-specific configuration from vars
ECR_REGISTRY: ${{ vars.ECR_REGISTRY }}
VPC_ID: ${{ vars.VPC_ID }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.DEPLOY_REGION }}
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
- name: Deploy to region
run: |
echo "Deploying to $DEPLOY_REGION"
echo "Registry: $ECR_REGISTRY"
echo "VPC: $VPC_ID"
./deploy.sh
The second pattern involves managing Docker image tags across build and deployment workflows. You want different tagging strategies for feature branches versus production releases, with configuration variables controlling the base image names and versions.
name: Build and Tag Images
on: push
jobs:
build:
runs-on: ubuntu-latest
env:
# Base image name from vars, tag computed from context
IMAGE_NAME: ${{ vars.DOCKER_IMAGE_NAME }}
IMAGE_TAG: ${{ github.ref_name }}-${{ github.sha }}
steps:
- uses: actions/checkout@v4
- name: Build image
run: |
FULL_IMAGE="${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}"
docker build -t "$FULL_IMAGE" .
# Tag as latest for main branch
if [ "${{ github.ref }}" = "refs/heads/main" ]; then
docker tag "$FULL_IMAGE" "${{ env.IMAGE_NAME }}:latest"
fi
- name: Push to registry
env:
REGISTRY_USER: ${{ secrets.DOCKER_USERNAME }}
REGISTRY_PASS: ${{ secrets.DOCKER_PASSWORD }}
run: |
echo "$REGISTRY_PASS" | docker login -u "$REGISTRY_USER" --password-stdin
docker push "${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}"
The third pattern combines configuration variables and secrets to manage environment-specific deployments. You need different credentials and endpoints for staging versus production, with the workflow selecting the right values based on which environment it’s deploying to.
name: Environment-Aware Deployment
on:
push:
branches: [main, staging]
jobs:
deploy:
runs-on: ubuntu-latest
# Environment determines which vars and secrets are used
environment: ${{ github.ref == 'refs/heads/main' && 'production' || 'staging' }}
steps:
- uses: actions/checkout@v4
- name: Deploy application
env:
# Vars are environment-specific
API_ENDPOINT: ${{ vars.API_ENDPOINT }}
DATABASE_NAME: ${{ vars.DATABASE_NAME }}
# Secrets are also environment-specific
API_KEY: ${{ secrets.API_KEY }}
DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
run: |
echo "Deploying to ${{ vars.API_ENDPOINT }}"
echo "Database: $DATABASE_NAME"
./deploy.sh --endpoint "$API_ENDPOINT" \
--database "$DATABASE_NAME" \
--api-key "$API_KEY" \
--db-pass "$DB_PASSWORD"
These patterns show how variables reduce duplication and create clear separation between code (the workflow) and configuration (the variables). When requirements change, you update variables in settings rather than modifying workflow files across multiple repositories.
Risks & Future-Proofing
Configuration variables are a relatively recent addition to GitHub Actions, introduced in 2023. While they solve real problems, they’re still evolving, and patterns that work today might need adjustment as GitHub refines the feature.
The primary risk is relying on undocumented behavior or implementation details that could change. For example, the exact precedence rules for variables at different scopes are documented, but edge cases around name resolution in complex workflows might behave differently than expected. Write defensive code that makes precedence explicit rather than relying on implicit resolution order.
Another consideration is the lack of variable validation or typing. When you set a configuration variable to an invalid value, you won’t know until the workflow runs and fails. Build validation into your workflows, checking that required variables exist and contain sensible values before attempting operations that depend on them.
steps:
- name: Validate configuration
run: |
# Check required vars exist
if [ -z "${{ vars.AWS_REGION }}" ]; then
echo "ERROR: AWS_REGION not configured"
exit 1
fi
# Validate format/values
case "${{ vars.AWS_REGION }}" in
us-*|eu-*|ap-*) ;;
*) echo "ERROR: Invalid AWS region"; exit 1 ;;
esac
echo "Configuration validated"
The GitHub Actions roadmap sometimes deprecates features or changes defaults. Monitor the GitHub Changelog and Actions updates to stay informed about changes that might affect your workflows. When GitHub announces deprecations, treat them seriously and plan migration time rather than waiting until features break.
Future-proof your workflows by avoiding patterns that feel like hacks. If you’re working around a limitation in a way that feels fragile, document why you did it and plan to revisit the approach. The most maintainable workflows are those that use features as intended rather than exploiting edge cases.
Consider versioning your workflow patterns. If you have many repositories using similar workflows, create reusable workflows or composite actions that encapsulate variable usage patterns. When you need to update the pattern, you change it once in the reusable workflow rather than updating dozens of repositories.
Conclusion & Key Takeaways
GitHub Actions variables transform workflows from rigid, hardcoded pipelines into flexible, maintainable automation. Understanding the differences between environment variables, configuration variables, and secrets means choosing the right tool for each situation rather than forcing one approach to handle every case.
Environment variables work best for workflow-specific configuration that lives with your code. They provide fine-grained scoping and integrate naturally with shell scripts. Configuration variables excel at sharing non-sensitive values across workflows, enabling centralized management outside your codebase. Secrets handle sensitive data with encryption and redaction, protecting credentials while keeping them accessible to authorized workflows.
The key to success is knowing when to use each type. Ask yourself: Is this value sensitive? Use secrets. Is it shared across workflows or repositories? Use configuration variables. Is it workflow-specific logic? Use environment variables. These questions guide you toward maintainable patterns that your team can sustain long-term.
Start improving your workflows today by auditing them for hardcoded values. Every repeated literal represents a maintenance burden and potential source of errors. Extract configuration into variables with meaningful names, centralize shared settings, and secure sensitive data properly. Your future self will appreciate the effort when you need to make changes six months from now.
Appendix: Variables Quick Reference
Access Syntax Summary
# Environment variables
env:
MY_VAR: value
# Access: ${{ env.MY_VAR }} in YAML, $MY_VAR in shell
# Configuration variables (set in repo/org settings)
# Access: ${{ vars.MY_VAR }} everywhere
# Secrets (set in repo/org settings)
# Access: ${{ secrets.MY_SECRET }} everywhere
Scope vs Use Case Table
| Variable Type | Define Where | Best For | Visibility |
|---|---|---|---|
env | Workflow YAML | Workflow-specific config, temporary values | Committed to repo |
vars | Settings UI | Shared, non-sensitive config across workflows | Outside repo |
secrets | Settings UI | API keys, tokens, passwords, credentials | Encrypted |
Common Debug Commands
# Dump all configuration variables
- run: echo '${{ toJSON(vars) }}'
# Dump environment variables
- run: echo '${{ toJSON(env) }}'
# Check secret presence without exposing value
- env:
SECRET: ${{ secrets.MY_SECRET }}
run: |
if [ -z "$SECRET" ]; then
echo "Secret not set"
else
echo "Secret configured (${#SECRET} chars)"
fi
# View GitHub context
- run: echo '${{ toJSON(github) }}'
Step-by-Step Quick Start Guide
Follow these seven steps to implement variables effectively in any workflow:
1. Define your variables based on sensitivity and scope:
- Sensitive data → secrets
- Shared config → vars
- Workflow-specific → env
2. Access them with correct syntax:
- Use
${{ vars.NAME }}or${{ secrets.NAME }}in YAML - Assign to
envbefore using in shell scripts
3. Use variables in steps and conditions:
- name: Conditional step
if: vars.DEPLOY_ENABLED == 'true'
run: ./deploy.sh
4. Override when needed using scope hierarchy:
- Step-level overrides job-level
- Job-level overrides workflow-level
- Environment overrides repository overrides organization
5. Debug safely without exposing secrets:
- run: echo '${{ toJSON(vars) }}' # Safe
- run: echo '${{ toJSON(secrets) }}' # NEVER do this
6. Review scope to ensure variables are defined at the narrowest level needed.
7. Audit regularly for hardcoded values that should be variables.
FAQs (People Also Ask)
What are variables in GitHub Actions?
Variables in GitHub Actions are reusable configuration values that you can define once and reference throughout your workflows. They come in three types: environment variables (defined with env), configuration variables (accessed via vars), and secrets. Variables eliminate hardcoded values, making workflows more maintainable and flexible. You can define them at different scopes—workflow, job, or step level—and use them in conditions, shell scripts, and action inputs to control workflow behavior dynamically.
What’s the difference between env, vars, and secrets in GitHub Actions?
The main differences lie in where you define them and what they’re designed for. Environment variables (env) are defined directly in workflow YAML files and work best for workflow-specific configuration. Configuration variables (vars) are set in repository or organization settings and are ideal for shared, non-sensitive values like region names or image tags. Secrets are also set in settings but are encrypted and redacted from logs, making them the only choice for sensitive data like API keys or passwords. Each uses different access syntax: env allows shell variable syntax in run blocks, while vars and secrets require the ${{ }} expression syntax everywhere.
How do I use configuration variables (vars) in GitHub Actions?
First, define configuration variables in your repository or organization settings under Settings → Secrets and variables → Actions → Variables tab. Then access them in workflows using ${{ vars.VARIABLE_NAME }} syntax. Unlike environment variables, configuration variables require the expression syntax everywhere—you cannot use $vars.NAME directly in shell commands. If you need to use them in shell scripts, assign them to environment variables first: env: MY_VAR: ${{ vars.MY_VAR }}, then access them as regular shell variables. Configuration variables work great for values like deployment regions, feature flags, or Docker image names that need to be shared across multiple workflows without hardcoding them in YAML.
Can I use vars in GitHub Actions if conditions?
Yes, you can use configuration variables in conditional expressions to control whether jobs or steps execute. The syntax is if: vars.VARIABLE_NAME == 'value' or you can use the full expression format if: ${{ vars.VARIABLE_NAME == 'value' }}. GitHub evaluates these conditions before the job runs, so the variable must be statically defined in your settings. You cannot use secrets in if conditions because GitHub won’t expose secret values during the evaluation phase for security reasons. Configuration variables work well for feature flags or environment-based conditions: if: vars.DEPLOY_ENABLED == 'true' or if: vars.ENVIRONMENT == 'production'.
How can I debug GitHub Actions variables?
The most effective debugging technique is using the toJSON() function to dump entire contexts. For configuration variables, use echo '${{ toJSON(vars) }}' to see all available values. For environment variables, use echo '${{ toJSON(env) }}'. Never dump secrets with toJSON(secrets) as this exposes them in logs. For secrets, verify they exist without revealing values by checking in shell: if [ -z "$SECRET" ]; then echo "not set"; fi. Enable step debug logging by setting the ACTIONS_STEP_DEBUG repository secret to true for more detailed execution information. Use fallback syntax like ${{ vars.NAME || 'default' }} to handle missing variables gracefully and prevent workflow failures.
What are best practices for GitHub Actions variables?
Follow these core practices: Use uppercase with underscores for variable names like AWS_REGION for consistency. Scope variables as narrowly as possible—define them at the step or job level rather than workflow level when they’re not globally needed. Always assign secrets to environment variables before using them in shell commands to prevent accidental exposure. Provide fallback values for optional variables using ${{ vars.NAME || 'default' }} syntax to make workflows resilient. Document your variables with comments explaining their purpose and valid values. Audit workflows regularly to extract repeated literals into variables. Use configuration variables for shared settings, environment variables for workflow-specific config, and secrets exclusively for sensitive data. Create helper jobs that compute complex variables early and pass them as outputs to dependent jobs.
Related Resources
For deeper understanding of GitHub Actions concepts related to variables, explore these guides on thedevopstooling.com:
- GitHub Actions Contexts Explained – Learn about all available contexts including
github,env,vars,secrets,matrix, and more - GitHub Actions Workflow Anatomy – Understand workflow structure, job dependencies, and execution flow
- GitHub Actions Secrets Best Practices – Advanced patterns for managing sensitive data securely
- GitHub Actions Workflow Triggers Guide – Master when and how your workflows execute
- Terraform CI/CD with GitHub Actions – Apply variable patterns to infrastructure automation