buildkite / feedback


Have the build log, or agent, actively hide secrets #370

Open petemounce opened 6 years ago

petemounce commented 6 years ago

I noticed that BUILDKITE_AGENT_TOKEN is ****'d away. I guess that's possible since either the agent already knows it, and it happens there, or the web-side of things knows it and it happens there instead.

In relation to #360 I'd really like this to apply to the other scary secrets that CI machines so often get their bits on.

However, I'm not really sure how to go about it, without also perhaps consolidating my list of secrets into a single easy-to-grab location. I mean, if the agent can be configured with, say, a list of strings to turn into **** that's great, but now that list also needs to be secured :inception:.

I guess it might also be a false sense of security, if I started relying on that to happen but forgot one time, or someone else doesn't realise it's in play and thought it was automatic, and doesn't add a new secret to the list.
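As an added illustration of the "list of strings to turn into ****" idea (example code, not Buildkite's agent, and the `Redactor`, `NewRedactor`, `Redact` names and the 8-character minimum are assumptions), this Go snippet masks each configured value and also its base64 and URL-encoded forms, since encoded copies are the usual way exact-string masking misses a secret; anything not on the list still passes through untouched, which is exactly the false-sense-of-security risk raised above.

```go
package main

import (
	"encoding/base64"
	"net/url"
	"sort"
	"strings"
)

// Redactor masks configured secret values before they reach a build log.
type Redactor struct {
	needles []string // raw and encoded forms, longest first
}

// NewRedactor prepares the values to mask. Besides each raw secret it also
// masks its base64 and URL-encoded forms, since a secret echoed through an
// encoding is the easiest way for exact-string masking to miss it.
func NewRedactor(secrets []string) *Redactor {
	seen := map[string]bool{}
	r := &Redactor{}
	for _, s := range secrets {
		if len(s) < 8 { // assumption: very short values would mask far too much
			continue
		}
		forms := []string{s, base64.StdEncoding.EncodeToString([]byte(s)), url.QueryEscape(s)}
		for _, f := range forms {
			if !seen[f] { // URL-escaping often returns the raw value unchanged
				seen[f] = true
				r.needles = append(r.needles, f)
			}
		}
	}
	// Longest first so a value that contains another is masked whole.
	sort.Slice(r.needles, func(i, j int) bool { return len(r.needles[i]) > len(r.needles[j]) })
	return r
}

// Redact returns text with every known form of a secret replaced by ****.
// Values never registered with the redactor are left exactly as they are.
func (r *Redactor) Redact(text string) string {
	for _, n := range r.needles {
		text = strings.ReplaceAll(text, n, "****")
	}
	return text
}
```

Redact scans whole strings, so a log writer that feeds it partial chunks should buffer to line boundaries first; a secret split across two chunks would otherwise slip through.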

lox commented 6 years ago

I guess it might also be a false sense of security, if I started relying on that to happen but forgot one time, or someone else doesn't realise it's in play and thought it was automatic, and doesn't add a new secret to the list.

Yeah, that's generally our thinking. Our preference is to provide tools and recommended best practices that make it hard to ever disclose them to the build log in the first place.