mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2024-12-04 23:56:30 +00:00
79 lines
2.9 KiB
Markdown
79 lines
2.9 KiB
Markdown
# Secret Variables
|
|
|
|
> this feature is still considered experimental
|
|
|
|
Drone allows you to store secret variables in an encrypted `.drone.sec` file in the root of your repository. This is useful when your build requires sensitive information that should not be stored in plaintext in your `.drone.yml` file.
|
|
|
|
An example `.drone.sec` yaml file, prior to being encryped:
|
|
|
|
```yaml
|
|
checksum: f63561783e550ccd21663d13eaf6a4d252d84147
|
|
environment:
|
|
- HEROKU_TOKEN=pa$$word
|
|
```
|
|
|
|
To encrypt the above yaml file
|
|
|
|
* navigate to your repository settings
|
|
* click the section labeled secret variables
|
|
* enter the plaintext yaml string in the textarea
|
|
* click the encrypt button
|
|
|
|
An encrypted string is returned to the browser. This string should be copied and pasted into a `.drone.sec` file in the root of your repository, alongside your `.drone.yml` file.
|
|
|
|
## Environment
|
|
|
|
The `environment` section of the `.drone.sec` file is a list of secret variables that get injected into your `.drone.yml` file at runtime using the `$$` notation. Secret variables are not injected as environment variables. Instead, we use a simple find and replace algorithm.
|
|
|
|
An example `.drone.yml` expecting the `HEROKU_TOKEN` private variable:
|
|
|
|
```yaml
|
|
build:
|
|
image: golang
|
|
commands:
|
|
- go get
|
|
- go build
|
|
- go test
|
|
|
|
deploy:
|
|
heroku:
|
|
app: pied_piper
|
|
token: $$HEROKU_TOKEN
|
|
```
|
|
|
|
## Substitution
|
|
|
|
A subset of bash string substitution operations are emulated:
|
|
|
|
* `$$param` parameter substitution
|
|
* `$${param}` parameter substitution (same as above)
|
|
* `"$$param"` parameter substitution with escaping
|
|
* `$${param:pos}` parameter substition with substring
|
|
* `$${param:pos:len}` parameter substition with substring
|
|
* `$${param=default}` parameter substition with default
|
|
* `$${param##prefix}` parameter substition with prefix removal
|
|
* `$${param%%suffix}` parameter substition with suffix removal
|
|
* `$${param/old/new}` parameter substition with find and replace
|
|
|
|
## Pull Requests
|
|
|
|
Secret variables are **not** injected into to the build section of the `.drone.yml` if your repository is **public** and the build is a **pull request**. This is for security purposes to prevent a malicious pull request from leaking your secrets.
|
|
|
|
Please note that you may still want secrets available to plugins when building a pull request. This is possible if you include a checksum of the `.drone.yml` file in your `.drone.sec` file.
|
|
|
|
## Checksum
|
|
|
|
The `checksum` field in the `.drone.yml` is a sha of your `.drone.yml` file. It is optional, but highly recommended. The `checksum` is used to verify the integrity of your `.drone.yml` file. If the checksum does not match, secret variables are not injected into your Yaml.
|
|
|
|
Generate a checksum on OSX or Linux:
|
|
|
|
```
|
|
$ shasum -a 256 .drone.yml
|
|
f63561783e550ccd21663d13eaf6a4d252d84147 .drone.yml
|
|
```
|
|
|
|
Generate a checksum on Windows with powershell:
|
|
|
|
```
|
|
$ (Get-FileHash .\.drone.yml -Algorithm SHA256).Hash.ToLower()
|
|
```
|