I'm trying to create a GitHub workflow to publish my app to Google Play, and here's the code I'm using:

- name: Upload to Google Play
uses: r0adkll/upload-google-play@v1
with:
  serviceAccountJson: ${{ SERVICE_ACCOUNT_JSON }}
  packageName: packagename
  releaseFile: app/release/app.aab
  track: internal
  whatsNewDirectory: distribution/whatsnew

I'm not sure how to pass the path to the JSON service account file in the serviceAccountJson field. Should I store the file locally and pass the path, or add the file to GitHub Secrets?

Great question! Let’s break down your two options clearly—with a strong recommendation for the safer approach:

1. Use GitHub Secrets (Highly Recommended) #

First off, the serviceAccountJson field accepts the full raw JSON content of your service account file, not just a file path. This is the secure way to handle credentials, since you never want sensitive auth data in your repo or workflow logs. Here's how to set it up:

• Open your Google Cloud service account JSON file, select all the content, and copy it.
• Head to your GitHub repo → Settings → Secrets and variables → Actions → Click New repository secret.
• Name the secret something like SERVICE_ACCOUNT_JSON, paste the entire JSON content into the value field, then save it.
• Update your workflow to reference the secret correctly (you were almost there—just add secrets. before the name):

  serviceAccountJson: ${{ secrets.SERVICE_ACCOUNT_JSON }}
  

This keeps your credentials locked down, only accessible to your workflow runs.

2. Store the file locally in your repo (Not Recommended) #

If you absolutely have to store the file in your repository (we strongly advise against this for security), you can pass the relative file path directly to serviceAccountJson:

serviceAccountJson: ./path/to/your/service-account-file.json

But a big warning: never commit this file to a public repo, and even in private repos, anyone with repo access can view it. This is a major security risk, so only use this if you have no other option.

Quick Tips #

• The r0adkll/upload-google-play action supports both raw JSON content and file paths for serviceAccountJson, but raw content via secrets is the industry best practice.
• Double-check that your service account has the right permissions in the Google Play Console (like the Google Play Developer role) — otherwise you’ll run into authentication errors even with the correct credentials.

内容的提问来源于stack exchange，提问作者Ankur_009