To avoid hardcoding secrets in your Postman environment file, you can inject GitHub secrets into the Postman environment JSON during the GitHub Actions workflow using jq or sed. First, store your API key in secrets.TEST_API_KEY , then read the environment file, replace the value of ApiKey with the secret, and pass that file to Newman. For example, add a step like: name: Inject API Key into Environment run: | jq '.values |= map(if .key == "ApiKey" then .value = env.TEST_API_KEY else . end)' Test-env.postman_environment.json > env_with_secret.json env: TEST_API_KEY: ${{ secrets.TEST }}, then run: name: Run Newman run: newman run collection.json -e env_with_secret.json