How to Store an OpenAI API Key in Secrets and Call It from GitHub Actions
Storing API keys directly in your code or public repos is a massive security risk—GitHub Secrets solves this by keeping sensitive values encrypted and only accessible to your workflows. Here's a complete, practical guide to setting this up for OpenAI (and other APIs like Tavily):
Step 1: Add Your API Keys to GitHub Secrets
First, get your keys into GitHub's secure storage:
- Navigate to your repository on GitHub
- Click Settings > Secrets and variables > Actions
- Hit New repository secret
- For the OpenAI key, name it OPENAI_API_KEY and paste your actual key value in the secret field
- Repeat this process for any other keys you need (like TAVILY_API_KEY in the example)
Step 2: Create a GitHub Actions Workflow
Create a .github/workflows/run-agent.yml file in your repo with the following content. This workflow triggers on pushes to your main and feature-code-dev branches, sets up a Python environment, installs dependencies, and runs your script using the stored secrets:
    name: Run Agent Workflow

    on:
      push:
        branches: [main, feature-code-dev]

    jobs:
      run-agent:
        runs-on: ubuntu-latest
        steps:
          # 1️⃣ Check out your repository code
          - name: Checkout code
            uses: actions/checkout@v3

          # 2️⃣ Set up the specified Python version
          - name: Set up Python
            uses: actions/setup-python@v4
            with:
              python-version: '3.12'

          # 3️⃣ Install required Python packages from requirements.txt
          - name: Install dependencies
            run: pip install -r requirements.txt

          # 4️⃣ Optional: Verify secrets are loaded (great for debugging)
          - name: Debug secrets
            run: |
              echo "OPENAI_API_KEY set: ${OPENAI_API_KEY:+Yes}"
              echo "TAVILY_API_KEY set: ${TAVILY_API_KEY:+Yes}"
            env:
              OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
              TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }}

          # 5️⃣ Execute your Python script with secrets available as environment variables
          - name: Run Agent
            run: python Module1.py
            env:
              OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
              TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }}
Step 3: Access Secrets in Your Python Script
In your Module1.py file, you can pull the API keys from the environment using Python's os module:
    import os

    # Retrieve the secrets from environment variables
    openai_api_key = os.getenv("OPENAI_API_KEY")
    tavily_api_key = os.getenv("TAVILY_API_KEY")

    # Use the keys with their respective libraries (example for OpenAI)
    # import openai
    # openai.api_key = openai_api_key
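As an added example (not part of the original answer), here is a fail-fast loader for Module1.py: a secret that is not defined in the repository reaches the job as an empty string rather than an unset variable, so os.getenv alone will not flag it. The names load_secrets, presence_report and MissingSecretError, and the sample values, are assumptions made for this illustration.

```python
import os


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent or blank; carries names only."""


def load_secrets(names, env=None):
    """Return {name: value} for every required name, or raise listing all gaps.

    A secret that is not defined in the repository reaches the job as an
    empty string, so blank values are treated the same as unset ones.
    Surrounding whitespace (e.g. a pasted trailing newline) is stripped.
    """
    env = os.environ if env is None else env
    found, missing = {}, []
    for name in names:
        value = (env.get(name) or "").strip()
        if value:
            found[name] = value
        else:
            missing.append(name)
    if missing:
        # Names only: the message must be safe to print in a workflow log.
        raise MissingSecretError("missing or empty: " + ", ".join(missing))
    return found


def presence_report(names, env=None):
    """Python counterpart of the ${VAR:+Yes} debug step: Yes/No, never values."""
    env = os.environ if env is None else env
    return {n: "Yes" if (env.get(n) or "").strip() else "No" for n in names}


REQUIRED = ["OPENAI_API_KEY", "TAVILY_API_KEY"]

if __name__ == "__main__":
    # Constructed sample environment: one placeholder value, one blank secret.
    sample = {"OPENAI_API_KEY": "sk-EXAMPLE-not-a-real-key", "TAVILY_API_KEY": ""}
    print(presence_report(REQUIRED, sample))
    try:
        load_secrets(REQUIRED, sample)
    except MissingSecretError as exc:
        print("refusing to start:", exc)
```

Calling load_secrets(REQUIRED) at the top of the script stops the job with a clear error before any API client is constructed with a blank key.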
Key Tips:
- The ${{ secrets.OPENAI_API_KEY }} syntax safely injects your encrypted secret into the workflow's environment—never hardcode keys in your YAML or script.
- The debug step uses parameter expansion (${VAR:+Yes}) to confirm secrets are loaded without exposing their actual values in logs.
- Secrets are only accessible to workflows in the same repository—they won't be visible to forks or in public logs.
The question behind this content comes from Stack Exchange; asked by shreyansh sahay.




