How are environment variables and secrets managed in CI/CD pipelines?
Answer
CI/CD pipelines often need access to sensitive values such as API keys, database passwords and cloud credentials, which must never be stored in source code or committed to git. All major CI platforms provide a secrets store (GitHub Actions Secrets, GitLab CI/CD Variables, Jenkins Credentials). These secrets are encrypted at rest, masked in logs, and injected into the pipeline as environment variables at runtime. Best practices include: rotate secrets regularly; prefer short-lived credentials (AWS OIDC, Workload Identity Federation) over long-lived API keys; scope secrets to specific environments or jobs; and run secret-scanning tools (GitGuardian, truffleHog) to catch secrets that were accidentally committed. Never log environment variables or echo secret values in pipeline steps; CI platforms automatically mask known secret values in logs.
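As an added example (not from the original page), a GitHub Actions workflow that applies the practices above: environment-scoped secrets, OIDC-issued short-lived AWS credentials instead of a stored access key, secrets passed through `env` rather than interpolated into commands, and explicit masking of a value derived from a secret. The environment name `prod`, the secret names, the region and the script paths are assumptions.

```yaml
# Added example, not the page's own code. Names marked below are placeholders.
name: deploy
on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write        # allows the job to request an OIDC token

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: prod     # secrets below resolve only for this environment
    steps:
      - uses: actions/checkout@v4

      # Short-lived credentials: the runner exchanges its OIDC token for a
      # role session, so no long-lived AWS access key is stored in CI.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}   # placeholder secret
          aws-region: us-east-1                          # assumed region

      # Hand the secret to the process via the environment. Interpolating it
      # into the command line (e.g. "run: ./migrate.sh --password ${{ ... }}")
      # would expose it in process arguments and step logs.
      - name: Run migrations
        env:
          DB_PASSWORD: ${{ secrets.DB_PASSWORD }}         # placeholder secret
        run: ./scripts/migrate.sh                          # reads $DB_PASSWORD

      # Log masking covers only values the platform knows. A value derived
      # from a secret (here base64-encoded) is not masked unless the job says so.
      - name: Build auth header
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}             # placeholder secret
        run: |
          encoded="$(printf '%s' "$API_TOKEN" | base64 -w0)"
          echo "::add-mask::$encoded"
          echo "AUTH_HEADER=Basic $encoded" >> "$GITHUB_ENV"
```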