diff --git a/docs/docs/20-usage/40-secrets.md b/docs/docs/20-usage/40-secrets.md index 613a03fdb..255ac9bf2 100644 --- a/docs/docs/20-usage/40-secrets.md +++ b/docs/docs/20-usage/40-secrets.md @@ -4,6 +4,15 @@ Woodpecker provides the ability to store named parameters external to the YAML c Secrets are exposed to your pipeline steps and plugins as uppercase environment variables and can therefore be referenced in the commands section of your pipeline. +Woodpecker provides three different levels to add secrets to your pipeline. The following list shows the priority of the different levels. If a secret is defined in multiple levels, will be used following this priorities: Repository secrets > Organization secrets > Global secrets. + +1. **Repository secrets**: They are available to all pipelines of an repository. +2. **Organization secrets**: They are available to all pipelines of an organization. +3. **Global secrets**: Can be configured by an instance admin. + They are available to all pipelines of the **whole** Woodpecker instance and should therefore **only** be used for secrets that are allowed to be read by **all** users. + +## Usage + ```diff steps: docker: @@ -45,7 +54,7 @@ steps: ## Adding Secrets -Secrets are added to the Woodpecker secret store on the UI or with the CLI. +Secrets are added to the Woodpecker in the UI or with the CLI. ## Alternate Names @@ -88,7 +97,7 @@ If you enable the option "Only available for plugins", always set an image filte If you only set an image filter, you could still access the secret using the same image and by specifying a command that prints it. ::: -## Examples +## CLI Examples Create the secret using default settings. The secret will be available to all images in your pipeline, and will be available to all push, tag, and deployment events (not pull request events). diff --git a/server/plugins/secrets/builtin.go b/server/plugins/secrets/builtin.go index 98edd81f5..548e41155 100644 --- a/server/plugins/secrets/builtin.go +++ b/server/plugins/secrets/builtin.go @@ -57,7 +57,7 @@ func (b *builtin) SecretListPipeline(repo *model.Repo, _ *model.Pipeline, p *mod {Global: true}, } { for _, secret := range s { - if secret.Global() == cond.Global && secret.Organization() == cond.Organization { + if secret.Global() != cond.Global || secret.Organization() != cond.Organization { continue } if _, ok := uniq[secret.Name]; ok { diff --git a/server/plugins/secrets/builtin_test.go b/server/plugins/secrets/builtin_test.go new file mode 100644 index 000000000..eb1ec4f65 --- /dev/null +++ b/server/plugins/secrets/builtin_test.go @@ -0,0 +1,100 @@ +// Copyright 2023 Woodpecker Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package secrets_test + +import ( + "context" + "testing" + + "github.com/franela/goblin" + "github.com/stretchr/testify/mock" + "github.com/woodpecker-ci/woodpecker/server/model" + "github.com/woodpecker-ci/woodpecker/server/plugins/secrets" + mocks_store "github.com/woodpecker-ci/woodpecker/server/store/mocks" +) + +func TestSecretListPipeline(t *testing.T) { + g := goblin.Goblin(t) + ctx := context.Background() + mockStore := mocks_store.NewStore(t) + + // global secret + globalSecret := &model.Secret{ + ID: 1, + OrgID: 0, + RepoID: 0, + Name: "secret", + Value: "value-global", + } + + // org secret + orgSecret := &model.Secret{ + ID: 2, + OrgID: 1, + RepoID: 0, + Name: "secret", + Value: "value-org", + } + + // repo secret + repoSecret := &model.Secret{ + ID: 3, + OrgID: 1, + RepoID: 1, + Name: "secret", + Value: "value-repo", + } + + g.Describe("Priority of secrets", func() { + g.It("should get the repo secret", func() { + mockStore.On("SecretList", mock.Anything, mock.Anything, mock.Anything).Once().Return([]*model.Secret{ + globalSecret, + orgSecret, + repoSecret, + }, nil) + + s, err := secrets.New(ctx, mockStore).SecretListPipeline(&model.Repo{}, &model.Pipeline{}, &model.ListOptions{}) + g.Assert(err).IsNil() + + g.Assert(len(s)).Equal(1) + g.Assert(s[0].Value).Equal("value-repo") + }) + + g.It("should get the org secret", func() { + mockStore.On("SecretList", mock.Anything, mock.Anything, mock.Anything).Once().Return([]*model.Secret{ + globalSecret, + orgSecret, + }, nil) + + s, err := secrets.New(ctx, mockStore).SecretListPipeline(&model.Repo{}, &model.Pipeline{}, &model.ListOptions{}) + g.Assert(err).IsNil() + + g.Assert(len(s)).Equal(1) + g.Assert(s[0].Value).Equal("value-org") + }) + + g.It("should get the global secret", func() { + mockStore.On("SecretList", mock.Anything, mock.Anything, mock.Anything).Once().Return([]*model.Secret{ + globalSecret, + }, nil) + + s, err := secrets.New(ctx, mockStore).SecretListPipeline(&model.Repo{}, &model.Pipeline{}, &model.ListOptions{}) + g.Assert(err).IsNil() + + g.Assert(len(s)).Equal(1) + g.Assert(s[0].Value).Equal("value-global") + }) + }) +}