integrations · stevehipwell · Mar 19, 2026 · Feb 25, 2026
diff --git a/github/data_source_github_actions_environment_secrets_test.go b/github/data_source_github_actions_environment_secrets_test.go
@@ -24,10 +24,10 @@ func TestAccGithubActionsEnvironmentSecretsDataSource(t *testing.T) {
 			  }
 
 			resource "github_actions_environment_secret" "test" {
-				repository      = github_repository.test.name
-				environment     = github_repository_environment.test.environment
-				secret_name     = "secret_1"
-				plaintext_value = "foo"
+				repository  = github_repository.test.name
+				environment = github_repository_environment.test.environment
+				secret_name = "secret_1"
+				value       = "foo"
 			}
 		`, repoName)
 

diff --git a/github/data_source_github_actions_organization_secrets_test.go b/github/data_source_github_actions_organization_secrets_test.go
@@ -15,9 +15,9 @@ func TestAccGithubActionsOrganizationSecretsDataSource(t *testing.T) {
 
 		config := fmt.Sprintf(`
 			resource "github_actions_organization_secret" "test" {
-				secret_name 		= "org_secret_1_%s"
-				plaintext_value = "foo"
-				visibility      = "all" # going with all as it does not require a paid subscrption
+				secret_name = "org_secret_1_%s"
+				value       = "foo"
+				visibility  = "all" # going with all as it does not require a paid subscrption
 			}
 	`, randomID)
 

diff --git a/github/data_source_github_actions_secrets_test.go b/github/data_source_github_actions_secrets_test.go
@@ -20,9 +20,9 @@ func TestAccGithubActionsSecretsDataSource(t *testing.T) {
 			}
 
 			resource "github_actions_secret" "test" {
-				secret_name 		= "secret_1"
-				repository  		= github_repository.test.name
-				plaintext_value = "foo"
+				secret_name = "secret_1"
+				repository  = github_repository.test.name
+				value       = "foo"
 			}
 		`, repoName)
 

diff --git a/github/data_source_github_dependabot_organization_secrets_test.go b/github/data_source_github_dependabot_organization_secrets_test.go
@@ -15,9 +15,9 @@ func TestAccGithubDependabotOrganizationSecretsDataSource(t *testing.T) {
 
 		config := fmt.Sprintf(`
 			resource "github_dependabot_organization_secret" "test" {
-				secret_name 		= "org_dep_secret_1_%s"
-				plaintext_value = "foo"
-				visibility      = "private"
+				secret_name = "org_dep_secret_1_%s"
+				value       = "foo"
+				visibility  = "private"
 			}
 		`, randomID)
 

diff --git a/github/data_source_github_dependabot_secrets_test.go b/github/data_source_github_dependabot_secrets_test.go
@@ -20,9 +20,9 @@ func TestAccGithubDependabotSecretsDataSource(t *testing.T) {
 			}
 
 			resource "github_dependabot_secret" "test" {
-				secret_name 		= "dep_secret_1"
-				repository  		= github_repository.test.name
-				plaintext_value = "foo"
+				secret_name = "dep_secret_1"
+				repository  = github_repository.test.name
+				value       = "foo"
 			}
 		`, repoName)
 

diff --git a/github/resource_github_actions_environment_secret.go b/github/resource_github_actions_environment_secret.go
@@ -54,22 +54,41 @@ func resourceGithubActionsEnvironmentSecret() *schema.Resource {
 				Type:          schema.TypeString,
 				Optional:      true,
 				Computed:      true,
-				ConflictsWith: []string{"plaintext_value"},
+				RequiredWith:  []string{"value_encrypted"},
+				ConflictsWith: []string{"value", "plaintext_value"},
 				Description:   "ID of the public key used to encrypt the secret.",
 			},
+			"value": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Sensitive:    true,
+				ExactlyOneOf: []string{"value", "value_encrypted", "encrypted_value", "plaintext_value"},
+				Description:  "Plaintext value to be encrypted.",
+			},
+			"value_encrypted": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				Sensitive:        true,
+				ExactlyOneOf:     []string{"value", "value_encrypted", "encrypted_value", "plaintext_value"},
+				ValidateDiagFunc: validation.ToDiagFunc(validation.StringIsBase64),
+				Description:      "Value encrypted with the GitHub public key, defined by key_id, in Base64 format.",
+			},
 			"encrypted_value": {
 				Type:             schema.TypeString,
 				Optional:         true,
-				ExactlyOneOf:     []string{"encrypted_value", "plaintext_value"},
+				Sensitive:        true,
+				ExactlyOneOf:     []string{"value", "value_encrypted", "encrypted_value", "plaintext_value"},
 				ValidateDiagFunc: validation.ToDiagFunc(validation.StringIsBase64),
 				Description:      "Encrypted value of the secret using the GitHub public key in Base64 format.",
+				Deprecated:       "Use value_encrypted and key_id.",
 			},
 			"plaintext_value": {
 				Type:         schema.TypeString,
 				Optional:     true,
 				Sensitive:    true,
-				ExactlyOneOf: []string{"encrypted_value", "plaintext_value"},
+				ExactlyOneOf: []string{"value", "value_encrypted", "encrypted_value", "plaintext_value"},
 				Description:  "Plaintext value of the secret to be encrypted.",
+				Deprecated:   "Use value.",
 			},
 			"created_at": {
 				Type:        schema.TypeString,
@@ -112,7 +131,7 @@ func resourceGithubActionsEnvironmentSecretCreate(ctx context.Context, d *schema
 	envName := d.Get("environment").(string)
 	secretName := d.Get("secret_name").(string)
 	keyID := d.Get("key_id").(string)
-	encryptedValue := d.Get("encrypted_value").(string)
+	encryptedValue, _ := resourceKeysGetOk[string](d, "value_encrypted", "encrypted_value")
 
 	escapedEnvName := url.PathEscape(envName)
 
@@ -134,7 +153,7 @@ func resourceGithubActionsEnvironmentSecretCreate(ctx context.Context, d *schema
 	}
 
 	if len(encryptedValue) == 0 {
-		plaintextValue := d.Get("plaintext_value").(string)
+		plaintextValue, _ := resourceKeysGetOk[string](d, "value", "plaintext_value")
 
 		encryptedBytes, err := encryptPlaintext(plaintextValue, publicKey)
 		if err != nil {
@@ -239,7 +258,7 @@ func resourceGithubActionsEnvironmentSecretUpdate(ctx context.Context, d *schema
 	envName := d.Get("environment").(string)
 	secretName := d.Get("secret_name").(string)
 	keyID := d.Get("key_id").(string)
-	encryptedValue := d.Get("encrypted_value").(string)
+	encryptedValue, _ := resourceKeysGetOk[string](d, "value_encrypted", "encrypted_value")
 
 	escapedEnvName := url.PathEscape(envName)
 
@@ -255,7 +274,7 @@ func resourceGithubActionsEnvironmentSecretUpdate(ctx context.Context, d *schema
 	}
 
 	if len(encryptedValue) == 0 {
-		plaintextValue := d.Get("plaintext_value").(string)
+		plaintextValue, _ := resourceKeysGetOk[string](d, "value", "plaintext_value")
 
 		encryptedBytes, err := encryptPlaintext(plaintextValue, publicKey)
 		if err != nil {

diff --git a/github/resource_github_actions_environment_secret_migration_test.go b/github/resource_github_actions_environment_secret_migration_test.go
@@ -20,19 +20,19 @@ package github
 // 		{
 // 			testName: "migrates v0 to v1",
 // 			rawState: map[string]any{
-// 				"id":          "my-repo:my-environment:MY_SECRET",
-// 				"repository":  "my-repo",
-// 				"environment": "my-environment",
-// 				"secret_name": "MY_SECRET",
-// 				"value":       "my-value",
+// 				"id":              "my-repo:my-environment:MY_SECRET",
+// 				"repository":      "my-repo",
+// 				"environment":     "my-environment",
+// 				"secret_name":     "MY_SECRET",
+// 				"plaintext_value": "my-value",
 // 			},
 // 			want: map[string]any{
-// 				"id":            "my-repo:my-environment:MY_SECRET",
-// 				"repository":    "my-repo",
-//				"repository_id": 123456,
-// 				"environment":   "my-environment",
-// 				"secret_name":   "MY_SECRET",
-// 				"value":         "my-value",
+// 				"id":              "my-repo:my-environment:MY_SECRET",
+// 				"repository":      "my-repo",
+//				"repository_id":   123456,
+// 				"environment":     "my-environment",
+// 				"secret_name":     "MY_SECRET",
+// 				"plaintext_value": "my-value",
 // 			},
 // 			shouldError: false,
 // 		},