Per Repository

Repository secrets are used to store and manage sensitive information, such as passwords, tokens, and ssh keys. Storing this information in a secret is considered safer than storing it in your configuration file in plain text.

Push access or administrator access is required to create, update or delete repository secrets.

Manage repository secrets from the repository settings screen:

Repository Secrets

Source environment variables from named secrets:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
kind: pipeline
name: default

steps:
- name: build
  image: alpine
  environment:
    USERNAME:
      from_secret: docker_username
    PASSWORD:
      from_secret: docker_password

Source plugin settings from named secrets:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
kind: pipeline
name: default

steps:
- name: build
  image: plugins/docker
  environment:
    repo: octocat/hello-world
    username:
      from_secret: docker_username
    password:
      from_secret: docker_password

Pull Requests

Secrets are not exposed to pull requests by default. This prevents a bad actor from sending a pull request and attempting to expose your secrets. You can override this default behavior, at your own risk, by checking Allow Pull Requests when you create your secret.