update README

README.md

@@ -22,3 +22,25 @@ Where:
 - `<domain>`: Domain of your pacco instance
 - `<token>`: Token of your user
 - `<gpg_key>`: GPG key used to sign the package
+
+### Using Secrets
+You can pass in sensitive values via secrets.
+
+```yml
+when:
+  - event: push
+    branch: main
+
+steps:
+  - name: "PKGBUILD"
+    image: git.hydrar.de/jmarya/pacco-build:latest
+    commands:
+      - buildpkg <repo> <arch> <domain> "$TOKEN" "$KEY"
+    environment:
+      TOKEN:
+        from_secret: pacco_token
+      KEY:
+        from_secret: gpg_key
+```
+
+> **Note:** The passed GPG Key needs to be a private key in ASCII Armor and every newline escaped with `\n`