woodpecker-ci / woodpecker

Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.
https://woodpecker-ci.org
Apache License 2.0

[refactor] don't store secrets in task queue / fetch it on task assign #2851

Open 6543 opened 11 months ago

6543 commented 11 months ago

Currently the whole workflow config for the backend is stored in the queue.

This includes the secrets!

We should instead inject them at the server when an agent pulls that workflow out of the queue, so we don't have to worry about leaking via e.g. Redis.

This also allows e.g. letting a workflow alter secrets before the next workflow fetches them ... and so on

6543 commented 1 day ago

First we have to move the logic that we store the complete backend config of a workflow in the queue ... :/
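
The flow proposed in this issue, as an added example that is not part of the thread and not Woodpecker's code: the queue payload carries only secret names, and the server resolves the values when an agent pulls the task. `QueuedTask`, `AssignedTask`, `SecretStore`, `Enqueue` and `Assign` are hypothetical names, and the secret values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// QueuedTask (hypothetical, not Woodpecker's struct) is what the queue persists: secret names only.
type QueuedTask struct {
	ID          string   `json:"id"`
	SecretNames []string `json:"secret_names"`
}

// AssignedTask lives only in server memory; Env is excluded from JSON so it cannot be re-queued.
type AssignedTask struct {
	QueuedTask
	Env map[string]string `json:"-"`
}

// SecretStore stands in for the server's secret storage (assumption).
type SecretStore map[string]string

// Enqueue produces the payload written to the queue backend (e.g. Redis).
func Enqueue(t QueuedTask) ([]byte, error) { return json.Marshal(t) }

// Assign resolves names against the store when an agent pulls the task.
func Assign(raw []byte, store SecretStore) (*AssignedTask, error) {
	var t QueuedTask
	if err := json.Unmarshal(raw, &t); err != nil {
		return nil, fmt.Errorf("decode task: %w", err)
	}
	env := make(map[string]string, len(t.SecretNames))
	for _, name := range t.SecretNames {
		v, ok := store[name]
		if !ok {
			return nil, fmt.Errorf("task %s: unknown secret %q", t.ID, name)
		}
		env[strings.ToUpper(name)] = v // upper-case env naming is an assumption
	}
	return &AssignedTask{QueuedTask: t, Env: env}, nil
}

func main() {
	store := SecretStore{"deploy_token": "constructed-value-1"} // constructed sample
	raw, _ := Enqueue(QueuedTask{ID: "wf-1", SecretNames: []string{"deploy_token"}})
	store["deploy_token"] = "constructed-value-2" // altered before assignment
	task, err := Assign(raw, store)
	fmt.Println(string(raw), task, err)
}
```

Because resolution happens at assignment, a change to the store made after enqueueing is what the agent receives, and a dump of the queue backend shows names only.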