2.9 KiB
Secret Variables
this feature is still considered experimental
Drone allows you to store secret variables in an encrypted .drone.sec
file in the root of your repository. This is useful when your build requires sensitive information that should not be stored in plaintext in your .drone.yml
file.
An example .drone.sec
yaml file, prior to being encryped:
checksum: f63561783e550ccd21663d13eaf6a4d252d84147
environment:
- HEROKU_TOKEN=pa$$word
To encrypt the above yaml file
- navigate to your repository settings
- click the section labeled secret variables
- enter the plaintext yaml string in the textarea
- click the encrypt button
An encrypted string is returned to the browser. This string should be copied and pasted into a .drone.sec
file in the root of your repository, alongside your .drone.yml
file.
Environment
The environment
section of the .drone.sec
file is a list of secret variables that get injected into your .drone.yml
file at runtime using the $$
notation. Secret variables are not injected as environment variables. Instead, we use a simple find and replace algorithm.
An example .drone.yml
expecting the HEROKU_TOKEN
private variable:
build:
image: golang
commands:
- go get
- go build
- go test
deploy:
heroku:
app: pied_piper
token: $$HEROKU_TOKEN
Substitution
A subset of bash string substitution operations are emulated:
$$param
parameter substitution$${param}
parameter substitution (same as above)"$$param"
parameter substitution with escaping$${param:pos}
parameter substition with substring$${param:pos:len}
parameter substition with substring$${param=default}
parameter substition with default$${param##prefix}
parameter substition with prefix removal$${param%%suffix}
parameter substition with suffix removal$${param/old/new}
parameter substition with find and replace
Pull Requests
Secret variables are not injected into to the build section of the .drone.yml
if your repository is public and the build is a pull request. This is for security purposes to prevent a malicious pull request from leaking your secrets.
Please note that you may still want secrets available to plugins when building a pull request. This is possible if you include a checksum of the .drone.yml
file in your .drone.sec
file.
Checksum
The checksum
field in the .drone.yml
is a sha of your .drone.yml
file. It is optional, but highly recommended. The checksum
is used to verify the integrity of your .drone.yml
file. If the checksum does not match, secret variables are not injected into your Yaml.
Generate a checksum on OSX or Linux:
$ shasum -a 256 .drone.yml
f63561783e550ccd21663d13eaf6a4d252d84147 .drone.yml
Generate a checksum on Windows with powershell:
$ (Get-FileHash .\.drone.yml -Algorithm SHA256).Hash.ToLower()