GitHub Actions deployment with secrets and environments

<p>I need GitHub Actions to deploy to staging and production with secrets (API keys, deploy tokens) scoped per environment, with production requiring manual approval before deploy.</p>

<p>Environment-scoped secrets with approval gates:</p> <div class="highlight"><pre><span></span><code><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deploy</span> <span class="nt">on</span><span class="p">:</span> <span class="w"> </span><span class="nt">push</span><span class="p">:</span> <span class="w"> </span><span class="nt">branches</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="nv">main</span><span class="p p-Indicator">]</span> <span class="nt">jobs</span><span class="p">:</span> <span class="w"> </span><span class="nt">deploy-staging</span><span class="p">:</span> <span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ubuntu-latest</span> <span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">staging</span> <span class="w"> </span><span class="nt">steps</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">actions/checkout@v4</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deploy to staging</span> <span class="w"> </span><span class="nt">env</span><span class="p">:</span> <span class="w"> </span><span class="nt">FLY_API_TOKEN</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">${{ secrets.FLY_API_TOKEN }}</span> <span class="w"> </span><span class="nt">DATABASE_URL</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">${{ secrets.STAGING_DATABASE_URL }}</span> <span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">flyctl deploy --app myapp-staging</span> <span class="w"> </span><span class="nt">deploy-production</span><span class="p">:</span> <span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">deploy-staging</span> <span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ubuntu-latest</span> <span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">production</span><span class="w"> </span><span class="c1"># Requires manual approval in GitHub</span> <span class="w"> </span><span class="nt">steps</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deploy to production</span> <span class="w"> </span><span class="nt">env</span><span class="p">:</span> <span class="w"> </span><span class="nt">FLY_API_TOKEN</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">${{ secrets.FLY_API_TOKEN }}</span> <span class="w"> </span><span class="nt">DATABASE_URL</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">${{ secrets.PROD_DATABASE_URL }}</span> <span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">flyctl deploy --app myapp-prod</span> </code></pre></div> <p>Key points: - Repository secrets available to all environments; Environment secrets are scoped - environment: production enables required reviewers and protection rules - ${{ vars.NAME }} for non-secret config; ${{ secrets.NAME }} for sensitive values - Secrets are masked in logs -- avoid echoing them - needs: deploy-staging ensures sequential staging -&gt; production flow</p>