Support secrets in cli exec (#5374)

cli/exec/exec.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"maps"
 	"os"
 	"path"
 	"path/filepath"
@@ -146,9 +147,9 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax
 	}
 
 	environ := metadata.Environ()
+	maps.Copy(environ, metadata.Workflow.Matrix)
 	var secrets []compiler.Secret
-	for key, val := range metadata.Workflow.Matrix {
+	for key, val := range c.StringMap("secrets") {
-		environ[key] = val
 		secrets = append(secrets, compiler.Secret{
 			Name:  key,
 			Value: val,

cli/exec/flags.go

@@ -64,6 +64,11 @@ var flags = []cli.Flag{
 		Usage:   "backend engine to run pipelines on",
 		Value:   "auto-detect",
 	},
+	&cli.StringMapFlag{
+		Sources: cli.EnvVars("WOODPECKER_SECRETS"),
+		Name:    "secrets",
+		Usage:   "map of secrets, ex. 'secret=\"val\",secret2=\"value2\"'",
+	},
 
 	//
 	// backend options for pipeline compiler

pipeline/frontend/yaml/compiler/option.go

@@ -15,6 +15,7 @@
 package compiler
 
 import (
+	"maps"
 	"net/url"
 	"path"
 	"strings"
@@ -74,9 +75,7 @@ func WithMetadata(metadata metadata.Metadata) Option {
 	return func(compiler *Compiler) {
 		compiler.metadata = metadata
 
-		for k, v := range metadata.Environ() {
+		maps.Copy(compiler.env, metadata.Environ())
-			compiler.env[k] = v
-		}
 	}
 }
 
@@ -143,9 +142,7 @@ func WithLocal(local bool) Option {
 // added by default to every container in the pipeline.
 func WithEnviron(env map[string]string) Option {
 	return func(compiler *Compiler) {
-		for k, v := range env {
+		maps.Copy(compiler.env, env)
-			compiler.env[k] = v
-		}
 	}
 }