Per Organization

Organization secrets are used to store and manage sensitive information, such as passwords, tokens, and ssh keys. Storing this information in a secret is considered safer than storing it in your configuration file. Organization secrets can be used by any repository that belongs to the named organization.

Please note this feature is disabled on Drone Cloud. This feature is only available when self-hosting.
The system administrator role is required to create, update or delete organization secrets.

Create organization secrets using the command line tools:

$ drone orgsecret add [organization] [name] [data]
$ drone orgsecret add octocat docker_password pa55word

Source environment variables from named organization secrets:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
kind: pipeline
name: default

steps:
- name: build
  image: alpine
  environment:
    USERNAME:
      from_secret: docker_username
    PASSWORD:
      from_secret: docker_password

Source plugin settings from named organization secrets:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
kind: pipeline
name: default

steps:
- name: build
  image: plugins/docker
  settings:
    repo: octocat/hello-world
    username:
      from_secret: docker_username
    password:
      from_secret: docker_password

Pull Requests

Secrets are not exposed to pull requests by default. This prevents a bad actor from sending a pull request and attempting to expose your secrets. You can override this default behavior, at your own risk, using the --allow-pull-request flag.