Secrets and variables in Depot CI are scoped to your Depot organization or to a single repository. Repository-scoped secrets override org-wide secrets with the same name.
Organization owners can manage secrets and variables from the Depot CI Settings in the dashboard or from the CLI.
You can't view secret values after you create them. Variable values are plain text and visible in the dashboard and CLI output.
Names must be non-empty, and repository-scoped names can't contain a forward slash (/).
If you're migrating from GitHub Actions, you can import your existing GitHub secrets and variables into Depot CI with a single command:
depot ci migrate secrets-and-vars
This creates a one-shot GitHub Actions workflow that reads secrets and variables from your GitHub repository and imports them into Depot CI. See depot ci migrate secrets-and-vars in the CLI reference for details.
You can also manage secrets and variables with the Depot CLI. See the examples, or the full CLI reference for all flags and options.
You can update only the description of a secret or variable from the dashboard.
To update a secret or variable value, set it again with the same name. The new value overwrites the old one.
To update a description:
The Depot CLI supports managing both org-wide and repo-scoped secrets and variables. Repo-scoped secrets and variables override org-wide ones with the same name.
For the full list of flags and options, see the CLI reference.
Secrets are available in workflows as ${{ secrets.SECRET_NAME }}. Secret values are encrypted and can't be read back after creation.
# Add an org-wide secret (prompts for value)
depot ci secrets add MY_API_KEY
# Add an org-wide secret with value inline
depot ci secrets add MY_API_KEY --value "secret-value"
# Add a repo-scoped secret
depot ci secrets add DATABASE_URL --repo owner/repo --value "postgres://..."
# Add a secret with a description
depot ci secrets add MY_API_KEY --value "secret-value" --description "API key for payment provider"
# List org-wide secrets
depot ci secrets list
# List org-wide and repo-scoped secrets together
depot ci secrets list --repo owner/repo
# Remove one or more secrets (prompts for confirmation)
depot ci secrets remove MY_API_KEY
depot ci secrets remove MY_API_KEY DATABASE_URL
# Remove a repo-scoped secret
depot ci secrets remove DATABASE_URL --repo owner/repo
# Remove without confirmation
depot ci secrets remove MY_API_KEY --force
Variables are available in workflows as ${{ vars.VARIABLE_NAME }}. Their values can be read back via the CLI.
# Add an org-wide variable (prompts for value)
depot ci vars add SERVICE_NAME
# Add an org-wide variable with value inline
depot ci vars add SERVICE_NAME --value "api"
# Add a repo-scoped variable
depot ci vars add DEPLOY_ENV --repo owner/repo --value "production"
# List org-wide variables
depot ci vars list
# List org-wide and repo-scoped variables together
depot ci vars list --repo owner/repo
# Remove one or more variables (prompts for confirmation)
depot ci vars remove SERVICE_NAME
depot ci vars remove SERVICE_NAME DEPLOY_ENV
# Remove a repo-scoped variable
depot ci vars remove DEPLOY_ENV --repo owner/repo
# Remove without confirmation
depot ci vars remove SERVICE_NAME --force
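The override rule above (repo-scoped beats org-wide for the same name) can be audited from two lists of names. The following is an added example, not part of the Depot docs or CLI: it reports which scope supplies each name and which repo-scoped names shadow an org-wide one. The one-name-per-line input files, the helper names valid_name, effective_scopes and shadowed_names, and the sample name DEPLOY_TOKEN are assumptions.

```shell
#!/bin/sh
# Added example, not Depot code. Input files hold one name per line (assumed
# format; the output format of `depot ci secrets list` is not on the page).

# valid_name NAME SCOPE: apply the naming rules the page states.
valid_name() {
    [ -n "$1" ] || return 1                      # names must be non-empty
    if [ "$2" = "repo" ]; then
        case "$1" in */*) return 1 ;; esac       # slash rule is stated for repo scope only
    fi
    return 0
}

# effective_scopes ORG_FILE REPO_FILE: print "NAME<TAB>SOURCE" for every name
# a workflow in that repository would see, applying repo-over-org precedence.
effective_scopes() {
    awk '
        $0 == ""        { next }
        scope == "org"  { org[$0] = 1 }
        scope == "repo" { repo[$0] = 1 }
        END {
            for (n in repo) print n "\t" ((n in org) ? "repo-overrides-org" : "repo")
            for (n in org) if (!(n in repo)) print n "\torg"
        }' scope=org "$1" scope=repo "$2" | LC_ALL=C sort
}

# shadowed_names ORG_FILE REPO_FILE: only the names where a repo-scoped value
# silently replaces the org-wide one; review these after rotating org secrets.
shadowed_names() {
    effective_scopes "$1" "$2" | awk -F '\t' '$2 == "repo-overrides-org" { print $1 }'
}

# Constructed sample data (DEPLOY_TOKEN is a made-up name).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' MY_API_KEY DATABASE_URL > "$d/org"
    printf '%s\n' DATABASE_URL DEPLOY_TOKEN > "$d/repo"
    effective_scopes "$d/org" "$d/repo"
    rm -rf "$d"
}
demo
```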