From 12cd6081505a6d4448b89634decec3cf91c56a7f Mon Sep 17 00:00:00 2001
From: qwerty287 <80460567+qwerty287@users.noreply.github.com>
Date: Thu, 31 Jul 2025 07:13:07 +0300
Subject: [PATCH] Support secrets in `cli exec` (#5374)

---
 cli/exec/exec.go                          | 5 +++--
 cli/exec/flags.go                         | 5 +++++
 pipeline/frontend/yaml/compiler/option.go | 9 +++------
 3 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/cli/exec/exec.go b/cli/exec/exec.go
index 43bd57388..09db3cbea 100644
--- a/cli/exec/exec.go
+++ b/cli/exec/exec.go
@@ -18,6 +18,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"maps"
 	"os"
 	"path"
 	"path/filepath"
@@ -146,9 +147,9 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax
 	}
 
 	environ := metadata.Environ()
+	maps.Copy(environ, metadata.Workflow.Matrix)
 	var secrets []compiler.Secret
-	for key, val := range metadata.Workflow.Matrix {
-		environ[key] = val
+	for key, val := range c.StringMap("secrets") {
 		secrets = append(secrets, compiler.Secret{
 			Name:  key,
 			Value: val,
diff --git a/cli/exec/flags.go b/cli/exec/flags.go
index b3368a923..0f7afb555 100644
--- a/cli/exec/flags.go
+++ b/cli/exec/flags.go
@@ -64,6 +64,11 @@ var flags = []cli.Flag{
 		Usage:   "backend engine to run pipelines on",
 		Value:   "auto-detect",
 	},
+	&cli.StringMapFlag{
+		Sources: cli.EnvVars("WOODPECKER_SECRETS"),
+		Name:    "secrets",
+		Usage:   "map of secrets, ex. 'secret=\"val\",secret2=\"value2\"'",
+	},
 
 	//
 	// backend options for pipeline compiler
diff --git a/pipeline/frontend/yaml/compiler/option.go b/pipeline/frontend/yaml/compiler/option.go
index 20b419364..737dfddac 100644
--- a/pipeline/frontend/yaml/compiler/option.go
+++ b/pipeline/frontend/yaml/compiler/option.go
@@ -15,6 +15,7 @@
 package compiler
 
 import (
+	"maps"
 	"net/url"
 	"path"
 	"strings"
@@ -74,9 +75,7 @@ func WithMetadata(metadata metadata.Metadata) Option {
 	return func(compiler *Compiler) {
 		compiler.metadata = metadata
 
-		for k, v := range metadata.Environ() {
-			compiler.env[k] = v
-		}
+		maps.Copy(compiler.env, metadata.Environ())
 	}
 }
 
@@ -143,9 +142,7 @@ func WithLocal(local bool) Option {
 // added by default to every container in the pipeline.
 func WithEnviron(env map[string]string) Option {
 	return func(compiler *Compiler) {
-		for k, v := range env {
-			compiler.env[k] = v
-		}
+		maps.Copy(compiler.env, env)
 	}
 }