
GitHub Variables and Nx Reusable Workflows

At Qovery, we build our frontend using Nx and rely on the official nrwl/ci GitHub Actions. Our frontend requires third-party tokens at compile time, but we would like to avoid hardcoding them or using a .env file to define them. The latter exposes them directly in our source code on GitHub, and even though it's not sensitive data, we don't want it to be easily scraped.

Like many others probably, we ran into issues when we dug into environment variables with this reusable workflow:

  • https://github.com/nrwl/ci?tab=readme-ov-file#limited-secrets-support
  • https://github.com/nrwl/ci/issues/92
  • https://github.com/nrwl/ci/issues/44

So, I wanted to share the lessons I learned from this experience.
Camille Tjhoa
Senior Software Engineer

First and foremost, we need to better understand GitHub Actions and its capabilities.

GitHub Secrets vs Variables

GitHub differentiates secrets from variables.

The main differences that are going to be important here for our use case are:

  • Secrets are for sensitive data and cannot be shared with reusable workflows
  • Variables are for non-sensitive data and are shared with reusable workflows through the vars keyword

As mentioned earlier, our data consists of frontend third-party tokens that are not sensitive because they can be found in our public JS source code. Additionally, nx-cloud-main and nx-cloud-agents are reusable workflows.

Therefore, our solution should revolve around Variables.

Note that you can create repository variables in GitHub like this.

[Screenshot: Secrets and Variables screen from GitHub]

Nrwl/ci reusable workflow configuration

Although GitHub Variables may appear perfect in our case, the reusable workflows from nrwl/ci do not directly utilize the vars keyword internally. Therefore, variables are not used by those workflows as they are.

Upon closer examination of the workflow configuration, we find a parameter called "environment-variables". Unfortunately, this parameter requires environment variables in dotenv format:

NX_MY_TOKEN=1234
NX_MY_OTHER_TOKEN=4567

whereas our vars are an object:

{
  "NX_MY_TOKEN": "1234",
  "NX_MY_OTHER_TOKEN": "4567"
}

GitHub script to the rescue

To achieve the desired format, we need some intermediate scripting. Luckily, actions/github-script is the ideal tool for this task. It lets us convert GitHub variables into the format Nx expects.

  env-vars:
    runs-on: ubuntu-latest
    outputs:
      variables: ${{ steps.var.outputs.variables }}
    steps:
      - name: Setting global variables
        uses: actions/github-script@v7
        id: var
        with:
          script: |
            // Repository variables, rendered as a JSON object literal
            const varsFromJSON = ${{ toJSON(vars) }}
            const variables = []
            for (const v in varsFromJSON) {
              variables.push(v + '=' + varsFromJSON[v])
            }
            // One NAME=value pair per line (dotenv format)
            core.setOutput('variables', variables.join('\n'))

  nx-main:
    needs: [env-vars]
    name: Nx Cloud - Main Job
    uses: nrwl/ci/.github/workflows/[email protected]
    with:
      environment-variables: |
        ${{ needs.env-vars.outputs.variables }}
      # ...

  agents:
    needs: [env-vars]
    name: Nx Cloud - Agents
    uses: nrwl/ci/.github/workflows/[email protected]
    with:
      number-of-agents: 3
      environment-variables: |
        ${{ needs.env-vars.outputs.variables }}
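
A hardened take on the conversion step above, as an added example that is not part of the original post or of nrwl/ci. It forwards only variables with a chosen prefix and skips values containing line breaks, since toJSON(vars) contains every variable visible to the workflow and a multi-line value would add extra dotenv lines. The NX_ prefix default, the VARS_JSON name and the sample values are assumptions.

```javascript
// Added example: stricter vars -> dotenv conversion for actions/github-script.
// Assumed wiring in the workflow step (VARS_JSON is a hypothetical name):
//   env:
//     VARS_JSON: ${{ toJSON(vars) }}
//   script: core.setOutput('variables',
//             varsToDotenv(JSON.parse(process.env.VARS_JSON)).dotenv)
// Reading the JSON from the environment keeps variable content as data
// instead of pasting it into the script source.

// GitHub variable names: letters, digits and underscores, not starting with a digit.
const NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function varsToDotenv(vars, prefix = 'NX_') {
  const lines = [];
  const skipped = [];
  for (const [name, raw] of Object.entries(vars)) {
    // Forward only what the build needs, not every repo/org variable.
    if (!name.startsWith(prefix)) continue;
    const value = String(raw);
    // A CR/LF inside a value would start a new dotenv line and could
    // define or override another variable in the called workflow.
    if (!NAME_RE.test(name) || /[\r\n]/.test(value)) {
      skipped.push(name);
      continue;
    }
    lines.push(`${name}=${value}`);
  }
  return { dotenv: lines.join('\n'), skipped };
}

// Constructed sample input, shaped like the output of toJSON(vars).
const sampleVars = {
  NX_MY_TOKEN: '1234',
  NX_MY_OTHER_TOKEN: '4567',
  DEPLOY_REGION: 'eu-west-3',               // unrelated variable, not forwarded
  NX_BROKEN: 'abc\nNX_MY_TOKEN=overridden', // multi-line value, skipped
};

const result = varsToDotenv(sampleVars);
console.log(result.dotenv);
console.log('skipped:', result.skipped);
```

Logging the skipped names in the job output makes a rejected variable visible instead of letting the build fail later on a missing token.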

Conclusion

We have learned more about the capabilities of GitHub Actions and are taking our CI to the next level!

We can leverage our environment variables without exposing them directly by using a bit of scripting and the options provided by Nx workflows.

And the best part is we can achieve this without hardcoding them or using a .env file.
