Secrets

How Tenki Runners handle secrets and why we use GitHub Actions secrets directly.

Tenki does not operate a secrets store. Every secret your workflows use lives in GitHub Actions secrets (repository, environment, or organization scope) and is injected into the job at runtime through the standard ${{ secrets.NAME }} expression, exactly as it would be on a GitHub-hosted runner.

This page explains why.

The model

  • You store secrets in GitHub Actions (or in your own secret manager, fetched at job time by a workflow step).
  • Tenki provisions a fresh VM for the job.
  • GitHub hands the secret values to the runner when the job starts, as it does for any other runner.
  • The VM, including any secret material left in memory, on disk, or in caches, is destroyed when the job ends.

Because the VM is single-use (see Security & Isolation), there is no persistent state in which secret material could leak from one job to the next. Note what this does and does not cover: the single-use VM removes cross-job persistence, but while the job is running every step can still read the secrets it is given, so what a step (or a third-party action in it) does with a secret remains your workflow's responsibility.
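The model above expressed as a workflow, as an added example that is not Tenki's own code or documentation. It shows both sources the list mentions: a GitHub Actions secret scoped to the single step that needs it, and a value pulled from your own secret manager at job time via the job's OIDC token so no long-lived cloud credential is stored in GitHub at all. The runner label, environment name, IAM role ARN, secret id and deploy script are placeholders, not Tenki identifiers.

```yaml
name: publish
on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write      # needed only for the OIDC step below

jobs:
  publish:
    # Hypothetical label: use whatever label your Tenki runner group registers with.
    runs-on: [self-hosted, tenki]
    # Hypothetical environment: environment-scoped secrets are only exposed to jobs
    # that name the environment, so keep production keys out of PR builds.
    environment: production
    steps:
      - uses: actions/checkout@v4

      # Source 1: a GitHub Actions secret. Bind it to this step's env rather than
      # the job's, so steps that do not need it never see it.
      - name: Publish package
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          # GitHub masks known secret values in logs, but not transformed copies
          # (base64, substrings), so never echo or encode a secret yourself.
          npm publish

      # Source 2: your own secret manager, read at job time with the job's OIDC
      # token. The IAM role ARN is a placeholder.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-publish
          aws-region: us-east-1
      - name: Fetch deploy key at job time
        run: |
          DEPLOY_KEY="$(aws secretsmanager get-secret-value \
            --secret-id ci/deploy-key --query SecretString --output text)"
          # Mask a value GitHub did not issue, so it cannot appear in step logs.
          echo "::add-mask::$DEPLOY_KEY"
          # Keep it inside the job's temp dir on the single-use VM; it is gone
          # when the VM is destroyed. scripts/deploy.sh is a placeholder.
          umask 077
          printf '%s\n' "$DEPLOY_KEY" > "$RUNNER_TEMP/deploy_key"
          ./scripts/deploy.sh "$RUNNER_TEMP/deploy_key"
```

Because nothing in this workflow is Tenki-specific beyond the runs-on label, the same file runs unchanged on GitHub-hosted runners, which is the point of the "no vendor lock-in" argument below.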

Why we don't run our own secrets store

Two reasons:

  1. Smaller blast radius. The fewer places your secrets live, the better. Re-using GitHub's secret store keeps the surface area limited to a system you already audit and trust, and means there is no second copy of each secret to rotate or revoke.
  2. No vendor lock-in. Your workflows remain identical to vanilla GitHub Actions. Migrating to or from Tenki does not require re-keying or rotating anything.

See Security & Isolation for the full model.
