CI/CD & GitOps Practical. By Samson Tanimawo, PhD. Published Feb 6, 2026. 4 min read.

CI Secret Injection

Secrets in CI. The patterns.

The secret injection problem

CI needs secrets: deploy keys, API tokens, database credentials.

Mishandled, secrets leak into logs, env dumps and build artifacts.

Pattern: inject from a vault at runtime; never store secrets in plaintext in the repo or the CI config.

Vault-backed secrets

GitHub Actions: exchange the workflow's OIDC-issued token for short-lived credentials in AWS, GCP or Azure. No long-lived keys in CI.

Secrets manager: AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault. Pull at runtime.

1Password Connect, Doppler and Infisical are the SaaS-friendly options.

Scope and rotation

Each pipeline gets the minimum secrets it needs. Don't share a single CI token across all pipelines.

Rotate secrets at least quarterly. Vault-backed secrets rotate automatically; static secrets need a manual schedule.

Audit access: who or what pulled which secret, when.

Avoid leaking in logs

Mask known secret values in CI logs. GitHub Actions does this automatically for `secrets.*`; verify that it works for your pipeline.

Avoid `set -x` in shell scripts that handle secrets.

Pre-commit secret scanners (Gitleaks, TruffleHog) catch secrets before they reach CI.
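The runtime pull described under "Vault-backed secrets" and the log rules in this section, together in one added shell example that is not part of the original post. `fetch_secret` is a constructed wrapper: its `aws` branch calls the real AWS CLI, its default `fake` branch returns a constructed value so the script runs offline; `http_client_stub` stands in for whatever tool consumes the secret. `leaky_step` shows what `set -x` puts in the job log, `safe_step` the same step done without exposing the value, and `mask_value` a literal-match scrubber for any log stream.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pull a secret at runtime and use
# it without leaking it through shell tracing, then mask any copies that do
# reach a log stream.

SECRET_BACKEND="${SECRET_BACKEND:-fake}"   # "aws" in a real pipeline; "fake" runs offline

fetch_secret() {
  # $1 = secret id. Writes the value to stdout and nothing else.
  case "$SECRET_BACKEND" in
    aws)  aws secretsmanager get-secret-value --secret-id "$1" \
            --query SecretString --output text ;;
    fake) printf '%s' "fake-token-for-$1" ;;   # constructed value for the demo
    *)    echo "unknown SECRET_BACKEND: $SECRET_BACKEND" >&2; return 1 ;;
  esac
}

http_client_stub() {
  # Constructed stand-in for the tool that consumes the secret (curl, a deploy CLI, ...).
  echo "request sent with $# argument(s)"
}

leaky_step() {
  # Anti-pattern: xtrace is on while the value is expanded. Both the
  # assignment and the command line end up in the job log.
  (
    set -x
    tok="$(fetch_secret deploy/api-token)"
    http_client_stub --header "Authorization: Bearer $tok"
  ) 2>&1
}

safe_step() {
  # Tracing is switched off only while the value is live, the value goes to a
  # temp file (mktemp creates it 0600) instead of a command line, and the
  # traced lines that follow show just the file path.
  (
    set -x                              # many CI scripts trace globally
    tmp="$(mktemp)"
    { set +x; } 2>/dev/null             # also hides the trace of "set +x" itself
    fetch_secret deploy/api-token > "$tmp"
    set -x
    http_client_stub --header-file "$tmp"
    { set +x; } 2>/dev/null
    rm -f "$tmp"
  ) 2>&1
}

mask_value() {
  # $1 = exact secret value. Replaces every literal occurrence on stdin with
  # "***". index() does literal matching, so values containing regex
  # metacharacters are safe; note that awk -v still interprets backslashes.
  [ -n "$1" ] || { cat; return; }
  awk -v s="$1" '{
    out = ""; line = $0
    while ((i = index(line, s)) > 0) {
      out = out substr(line, 1, i - 1) "***"
      line = substr(line, i + length(s))
    }
    print out line
  }'
}

demo() {
  echo '--- leaky step: the token appears in the trace ---'
  leaky_step
  echo '--- safe step: only the temp file path is traced ---'
  safe_step
  echo '--- leaky step piped through mask_value ---'
  leaky_step | mask_value "$(fetch_secret deploy/api-token)"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `bash script.sh demo` to see the three traces side by side. `mask_value` is the portable version of what GitHub Actions does for registered secrets; the platform only masks the exact registered value, so anything derived from it (a base64 form, a substring, a URL that embeds it) has to be registered explicitly with `echo "::add-mask::$value"` before it can appear in a log.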

How to migrate

Inventory current secrets: a spreadsheet of where each one is used.

Move one pipeline at a time to OIDC + secrets manager. Big-bang migration breaks things.

Set a deadline to retire all static secrets. Track progress weekly.
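The inventory and weekly tracking steps, as an added shell example that is not part of the original post. `make_sample_repo` writes two constructed GitHub Actions workflows into a temp directory (the deploy one already uses OIDC through `permissions: id-token: write` and `aws-actions/configure-aws-credentials`; its role ARN and account id are placeholders). `inventory_secrets` emits a CSV of every `${{ secrets.NAME }}` reference per workflow file, which is the spreadsheet input, and `static_secrets_remaining` counts the distinct names left to retire, excluding the per-job `GITHUB_TOKEN`, which is the number to track weekly.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build the secret inventory from
# the workflow files themselves and count the static secrets still to retire.

make_sample_repo() {
  # Constructed repo with two GitHub Actions workflows. deploy.yml already
  # uses OIDC (permissions.id-token + configure-aws-credentials, with a
  # placeholder role ARN); test.yml still carries static cloud keys.
  dir="$(mktemp -d)"
  mkdir -p "$dir/.github/workflows"
  cat > "$dir/.github/workflows/deploy.yml" <<'EOF'
name: deploy
on: push
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::000000000000:role/ci-deploy   # placeholder
          aws-region: us-east-1
      - run: ./deploy.sh
        env:
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
EOF
  cat > "$dir/.github/workflows/test.yml" <<'EOF'
name: test
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
  printf '%s' "$dir"
}

inventory_secrets() {
  # $1 = repo root. Emits CSV rows "secret,file,references" for every
  # ${{ secrets.NAME }} under .github/workflows; paste into the inventory sheet.
  echo 'secret,file,references'
  grep -roE '[$][{][{] *secrets[.][A-Za-z_][A-Za-z0-9_]*' "$1/.github/workflows" \
    | sed -E 's#^.*/([^/:]+):[$][{][{] *secrets[.]([A-Za-z0-9_]+)$#\2,\1#' \
    | sort | uniq -c \
    | awk '{ print $2 "," $1 }'
}

static_secrets_remaining() {
  # Distinct static secret names still referenced. GITHUB_TOKEN is excluded:
  # the runner mints it per job, it is not a stored secret to retire.
  inventory_secrets "$1" | tail -n +2 | cut -d, -f1 \
    | grep -vx 'GITHUB_TOKEN' | sort -u | wc -l | tr -d ' '
}

case "${1:-}" in
  "") ;;
  *)  inventory_secrets "$1"
      echo "static secrets remaining: $(static_secrets_remaining "$1")" ;;
esac
```

Point it at a real checkout with `bash inventory.sh /path/to/repo`; the CSV goes into the spreadsheet and the trailing count is the weekly progress number. Each row that disappears as a pipeline moves to OIDC plus a secrets manager is one static secret retired.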