Per Repository

Repository secrets are used to store and manage sensitive information, such as passwords, tokens, and SSH keys. Storing this information in a secret is considered safer than storing it in your configuration file in plain text.

Manage repository secrets from the repository settings screen:

Repository Secrets

Source environment variables from named secrets:

kind: pipeline
name: default

steps:
- name: build
  image: alpine
  environment:
    USERNAME:
      from_secret: docker_username
    PASSWORD:
      from_secret: docker_password

Source plugin settings from named secrets:

kind: pipeline
name: default

steps:
- name: build
  image: plugins/docker
  settings:
    repo: octocat/hello-world
    username:
      from_secret: docker_username
    password:
      from_secret: docker_password
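
The check below is an added example, not part of Drone or its documentation: a heuristic linter that flags credential-like keys under environment: or settings: that hold a literal value instead of a from_secret reference. The key-name pattern, the function name and the sample pipeline are assumptions constructed for illustration.

```python
import re

# Assumption: key names that usually hold credentials (heuristic, tune per repo).
SENSITIVE = re.compile(r"pass|token|secret|key", re.I)
KEY_VALUE = re.compile(r"^(\s*)(-\s+)?([\w.-]+):\s*(.*)$")

def find_plaintext_secrets(text):
    """Return [(line_no, key)] for credential-like keys under environment:/settings:
    that carry a literal value instead of a from_secret reference."""
    findings, block_indent = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()    # drop comments
        m = KEY_VALUE.match(line)
        if not m:
            continue
        indent = len(m.group(1)) + len(m.group(2) or "")
        key, value = m.group(3), m.group(4).strip()
        if block_indent is not None and indent <= block_indent:
            block_indent = None                             # left the block
        if block_indent is None:
            if key in ("environment", "settings") and not value:
                block_indent = indent                       # entered a block
        elif key != "from_secret" and value and SENSITIVE.search(key):
            findings.append((no, key))
    return findings

# Constructed sample pipeline: two literals that should have been secrets.
SAMPLE = """\
kind: pipeline
name: default

steps:
- name: build
  image: alpine
  environment:
    USERNAME:
      from_secret: docker_username
    PASSWORD: hunter2
- name: publish
  image: plugins/docker
  settings:
    repo: octocat/hello-world
    password:
      from_secret: docker_password
    api_token: "abc123"
"""

if __name__ == "__main__":
    for no, key in find_plaintext_secrets(SAMPLE):
        print(f"line {no}: {key} is a literal value; use from_secret")
```

The match is on key names only, so a credential stored under a neutral key name is not detected.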

Pull Requests

Secrets are not exposed to pull requests by default. This prevents a bad actor from sending a pull request and attempting to expose your secrets. You can override this default behavior, at your own risk, by checking Allow Pull Requests when you create your secret.