Use secrets in scripts or profiles

[noahtalerman]

Goal

User story
As an IT admin,
I want to make sure that my GitHub or GitLab secrets (e.g. API tokens or software license keys) used in scripts and profiles are not displayed when those are viewed or downloaded
so that I can be sure that secrets are hidden until they get on the hosts.

Key result

Deliver customer promises and prioritized requests

Original requests

• 19377

Context

• Product designer: @marko-lisica

Changes

Product

• [ ] UI changes: Figma link
• [ ] Other changes:
  • Make sure that GitHub and GitLab variables used in profiles and scripts are not visible to the users in Fleet UI or API or when script and profile is downloaded from Fleet (UI or API).
  • Variable name should persist in UI when profile/script is viewed or downloaded.
  • Variable should be replaced with real value only when it's sent to a host.
  • Consider this feature (option to add secrets in Fleet UI) that we might want to implement in the future.
• [ ] CLI (fleetctl) usage changes: No changes.
• [ ] YAML changes: No changes.
• [ ] REST API changes: No changes.
• [ ] Fleet's agent (fleetd) changes: No changes.
• [ ] Activity changes: No changes.
• [ ] Permissions changes: No changes.
• [ ] Changes to paid features or tiers: Fleet Free and Premium
• [ ] Other reference documentation changes: Make sure that we explain how to escape variables (\$) in YAML docs under profiles and scripts sections.
• [ ] Once shipped, requester has been notified

Engineering

• [ ] Feature guide changes: TODO
• [ ] Database schema migrations: TODO
• [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

[noahtalerman]

FYI @marko-lisica, now that the next estimation is scheduled for next week (when George is back), I assigned this story and the other story (#23344) in "Ready to spec" back to George.

I think we assigned @lukeheath to these stories when we were still planning on having estimation today.