Using GitHub Secrets involves three distinct steps: creating the secret in the repository settings, injecting it into the workflow via the YAML file, and accessing it within your test code.

Here is the step-by-step process:

Step 1: Add the Secret to GitHub

  1. Navigate to your repository on GitHub.

  2. Click on the Settings tab.

  3. In the left sidebar, go to Secrets and variables > Actions.

  4. Click New repository secret.

  5. Name: Give it a name (convention is usually uppercase, e.g., DB_PASSWORD or API_KEY).

  6. Secret: Paste your secure string.

  7. Click Add secret.

Step 2: Expose the Secret in your Workflow

Secrets are not automatically available to your build steps for security reasons. You must explicitly map them to an Environment Variable in your .github/workflows/your_workflow.yml file.

name: Run Rapise Tests

# This makes the workflow manually triggerable from the Actions tab.
# It's the direct equivalent of Azure DevOps' "trigger: none".
on:
  workflow_dispatch:

jobs:
  run-rapise:
    # This is the equivalent of "pool: vmImage: ubuntu-latest"
    runs-on: ubuntu-latest

    steps:
    # Step 1: Check out the repository code
    # This is done automatically in Azure DevOps, but it is a required explicit step in GitHub Actions.
    - name: Check out repository
      uses: actions/checkout@v4

    # Step 2: Install Node.js
    # This is the equivalent of the "NodeTool@0" task.
    - name: Install Node.js 22
      uses: actions/setup-node@v4
      with:
        node-version: '22.x'

    # Step 3: Install Rapise
    # The 'run' keyword is the equivalent of 'script'.
    - name: Install Rapise
      run: |
        echo "Installing Rapise..."
        npm install rapise.tgz

    # Step 4: Run the Rapise Launcher
    - name: Run Rapise Launcher
      # This is where you inject the secret
      env:
        # Left side: Name of the variable inside your code/terminal
        # Right side: The reference to the GitHub Secret
        MY_TEST_PASSWORD: ${{ secrets.DB_PASSWORD }}    
      run: |
        echo "Launching Rapise..."
        npx rapiselauncher -c RepositoryConnection.xml -t 925 --details --param "g_browserLibrary=Selenium - ChromeHeadless"

Step 3: Access the Secret in your Code

Once mapped to an environment variable in Step 2, your code accesses it exactly like any other system environment variable.

const password = process.env.MY_TEST_PASSWORD;

Important Security Notes

  1. Log Masking: GitHub Actions automatically attempts to mask secrets. If your code prints the password to the console (e.g., console.log(password)), GitHub will replace the actual password with *** in the logs. However, do not rely on this. You should never intentionally print secrets to the logs.

  2. Pull Requests from Forks: By default, secrets are not passed to Pull Requests that come from forked repositories (e.g., if an open-source contributor submits code). This prevents malicious code in a PR from stealing your secrets.

  3. GITHUB_TOKEN: GitHub provides a built-in secret called GITHUB_TOKEN for authenticating with the GitHub API. You do not need to create this manually; it is available automatically via ${{ secrets.GITHUB_TOKEN }}.