woodpecker-ci / woodpecker

Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.
https://woodpecker-ci.org
Apache License 2.0

[refactor] don't store secrets in task queue / fetch it on task assign #2851

Open 6543 opened 1 year ago

6543 commented 1 year ago

Currently the whole workflow config for the backend is stored in the queue.

This includes the secrets!

We should instead inject them at the server if an agent pulls that workflow out of the queue, so we don't have to worry about leaking via e.g. Redis.

This also allows e.g. letting a workflow alter secrets before the next workflow fetches them ... and so on
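
A minimal sketch of the design proposed above, added here as an illustration and not taken from Woodpecker's code base: the queue persists only secret names, and the server resolves the values when an agent pulls the task. `Task`, `Server`, `QueueLeaks` and `Assign` are hypothetical names, and the secret values are constructed.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)

// Task is what the queue persists: secret names only (hypothetical type, not Woodpecker's).
type Task struct {
	ID          string   `json:"id"`
	SecretNames []string `json:"secret_names"`
}

// Server holds the queue and the secret store; only Queue would reach e.g. Redis.
type Server struct {
	Queue   []Task
	Secrets map[string]string
}

// QueueLeaks reports whether the serialized queue contains value.
func (s *Server) QueueLeaks(value string) bool {
	b, _ := json.Marshal(s.Queue)
	return strings.Contains(string(b), value)
}

// Assign pops the next task and resolves its secrets at pull time.
func (s *Server) Assign() (Task, map[string]string, error) {
	if len(s.Queue) == 0 {
		return Task{}, nil, fmt.Errorf("queue is empty")
	}
	t := s.Queue[0]
	s.Queue = s.Queue[1:]
	env := make(map[string]string, len(t.SecretNames))
	for _, name := range t.SecretNames {
		v, ok := s.Secrets[name]
		if !ok {
			return t, nil, fmt.Errorf("secret %q not found", name)
		}
		env[name] = v
	}
	return t, env, nil
}

func main() {
	s := &Server{Secrets: map[string]string{"deploy_token": "constructed-v1"}}
	s.Queue = append(s.Queue, Task{ID: "wf-1", SecretNames: []string{"deploy_token"}})
	fmt.Println("queue leaks value:", s.QueueLeaks("constructed-v1"))
	s.Secrets["deploy_token"] = "constructed-v2" // changed while the task is queued
	fmt.Println(s.Assign())                      // agent receives the current value
}
```
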

6543 commented 1 month ago

First we have to move the logic where we store the complete backend config of a workflow in the queue ... :/

6543 commented 2 weeks ago

NOTE: also with #3723 we might consider doing so for them too ...