CI/CD 2026-03-10

Encode Secrets in GitHub Actions Workflows with Base64

Learn how to encode and decode secrets, API keys, and config files using Base64 in GitHub Actions workflows. Copy-paste YAML examples included.

⚙️ Uses: Base64 Encoder — Free

The Problem

You need to pass a multi-line config file, SSL certificate, or service account JSON as a GitHub Actions secret — but GitHub Secrets only accept single-line strings. Base64 encoding solves this cleanly.

Why This Matters

GitHub Actions secrets cannot store multi-line values directly. Base64-encoding a file into a single string lets you store certificates, JSON keys, and config blobs as environment variables. This pattern is used by Google Cloud, Firebase, and Kubernetes deployments every day.

Step-by-Step Instructions

1

Encode your secret file using the tool below

Paste your service account JSON, SSH key, or config file into the Base64 encoder. Copy the resulting single-line Base64 string.

2

Add the Base64 string as a GitHub Secret

Go to your repo → Settings → Secrets and variables → Actions → New repository secret. Name it (e.g., GCP_SERVICE_ACCOUNT_B64) and paste the Base64 string.

3

Decode it inside your workflow YAML

In your .github/workflows/deploy.yml, decode the secret back to a file using echo "$SECRET" | base64 -d > key.json. The file is available only during the job run.

4

Use the decoded file in deployment steps

Reference the decoded file path in subsequent steps — for Google Cloud: gcloud auth activate-service-account --key-file=key.json, or for Kubernetes: kubectl apply -f config.yaml.

Try It Now — Base64 Encoder

Open full page →
Base64 Encoder — Live Demo

All processing happens in your browser — no data is sent to any server.

Before & After Example

Problem: multi-line secret cannot be stored in GitHub Actions 
# GitHub Secrets only accept single-line values
# This will NOT work:
GCP_KEY = {
  "type": "service_account",
  "project_id": "my-project",
  "private_key": "-----BEGIN RSA PRIVATE KEY-----
..."
}
# Error: GitHub Secrets does not support multi-line values
Solution: Base64-encode the file and decode it in the workflow 
# 1. Encode your key file locally:
base64 -i service-account.json | tr -d '\n'
# → eyJ0eXBlIjoic2VydmljZV9hY2NvdW50IiwicHJvamVjdF9pZCI6Im15LXByb2plY3QifQ==

# 2. Store the result as GitHub Secret: GCP_SERVICE_ACCOUNT_B64

# 3. Decode in your workflow:
- name: Decode service account key
  run: echo "${{ secrets.GCP_SERVICE_ACCOUNT_B64 }}" | base64 -d > /tmp/gcp-key.json

- name: Authenticate with Google Cloud
  run: gcloud auth activate-service-account --key-file=/tmp/gcp-key.json

Frequently Asked Questions

Is Base64 encoding secure for secrets?

Base64 is encoding, not encryption — it's reversible. The security comes from storing it in GitHub Secrets (encrypted at rest). Never commit Base64-encoded secrets to your repository.

Why use <code>tr -d '\n'</code> when encoding?

The base64 command adds line breaks every 76 characters. GitHub Secrets require a single line, so stripping newlines with tr -d '\n' is required.

Does this work with GitHub Actions on self-hosted runners?

Yes. The base64 command is available on Linux, macOS, and Windows (via Git Bash). For Windows runners, use certutil -decode or a PowerShell equivalent.

Related Workflows

B64

Encode Secrets in Base64 for Config Files

DevOps
⚙️

Verify Build Artifacts with SHA Hash in CI/CD Pipelines

CI/CD
⚙️

Automate JWT Token Validation in CI/CD Testing Pipelines

CI/CD

Want the full Base64 Encoder experience?

Open the standalone tool for more space, keyboard shortcuts, and additional features.

Open Base64 Encoder →
← All Developer Guides

Related Workflow Guides

B64 Encode Secrets in Base64 for Config Files ⚙️ Verify Build Artifacts with SHA Hash in CI/CD Pipelines ⚙️ Automate JWT Token Validation in CI/CD Testing Pipelines