Acho que será o caminho: https://docs.github.com/pt/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets
https://chaosfreakblog.wordpress.com/2013/06/21/gpg-problem-with-the-agent-no-pinentry-solved/
Usar com Nix? https://github.com/actions/upload-artifact