diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0a5c00a..012279f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -32,6 +32,11 @@ on:
         required: false
         type: string
         default: ""
+      secrets-environment:
+        description: Environment to use to access secrets
+        required: false
+        type: string
+        default: ""
 
     outputs:
       version:
@@ -72,6 +77,8 @@ jobs:
     name: ${{ matrix.file }}
     needs: [prepare]
     runs-on: ubuntu-latest
+    environment:
+      name: ${{ inputs.secrets-environment }}
     strategy:
       fail-fast: false
       max-parallel: 3
@@ -80,6 +87,10 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v5.0.0
+      - name: Configure secrets.yaml file
+        if: ${{ inputs.secrets-environment != '' }}
+        id: decode-base64
+        run: echo "${{ secrets.ESPHOME_SECRETS_YAML }}" | base64 -d > $(dirname ${{ matrix.file }})/secrets.yaml
       - name: Replace project version
         run: |
           sed -i "s/version: dev/version: ${{ needs.prepare.outputs.version }}/g" ${{ matrix.file }}
diff --git a/README.md b/README.md
index eb0af87..6bc5dfd 100644
--- a/README.md
+++ b/README.md
@@ -15,3 +15,25 @@ This repository contains workflows to be used by other repositories.
 ## Usage
 
 See https://github.com/esphome/esphome-project-template for usage of these workflows.
+
+## Secrets file
+
+The `secrets.yaml` file can be injected into the build as a GitHub Action secret.
+
+To do so, create a file like something below:
+
+```yaml
+wifi_ssid: MyWiFi
+wifi_password: mywifipassword
+
+# For more on this, see docs: https://esphome.io/components/api.html#configuration-variables
+encryption_key: "QQXcWdXZzCuNT3tTtU33nTiqvxkbR1nWIf4lh6W8MA0="
+```
+
+Then base64 encode it and upload it the environment provided with the name `ESPHOME_SECRETS_YAML` and the value base64 encoded.
+
+On macOS, to base64 encode quickly:
+
+```
+pbpaste | base64 | pbcopy
+```