woodpecker-ci / woodpecker

Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.
https://woodpecker-ci.org
Apache License 2.0

How to use secrets in plugins? #466

Closed HerHde closed 2 years ago

HerHde commented 2 years ago

Hey there,

I'm trying to set up the Drone Gitea plugin, using credentials from secrets, but I can't figure out how to reference a secret as a value correctly. I tried out setting api_key to $gitea_token, $GITEA_TOKEN, ${GITEA_TOKEN} and with an attribute from_secret, trying to adapt to the different syntax compared to Drone:

  release:
    image: plugins/gitea-release
    secrets: [ gitea_token ]
    api_key:
      from_secret: gitea_token

Could you help me out on this, please? How do I use secrets for api_key?

6543 commented 2 years ago

Did you have a look at https://woodpecker-ci.org/docs/usage/secrets ?

HerHde commented 2 years ago

Yes, I tried the docs about secrets, tried to adapt some things from environment docs and checked the Drone docs to get some clues. It works perfectly in a commands: block. I also checked the secret type (it's set for tags).

I forgot to mention that I'm using the latest woodpecker docker images. The code block is just part of a stage from my .woodpecker.yml, which is only executed for tags.

"Debugging" it with title: ${GITEA_TOKEN} - ${CI} resolved to - drone, so the secret remained empty there, too, but I'm mainly guessing how to address it, anyhow.

siddweiker commented 2 years ago

@HerHde api_key should be in the settings block per drone docs (edit: settings block is not supported in woodpecker currently). Also double check and make sure the secret has been created in the Secrets tab for your repo in woodpecker.

HerHde commented 2 years ago

Yeah, it didn't work in a settings block, but only on the same layer as image etc., like the Woodpecker docs state. (Imho that's not the best design change, though. Edit: I just saw #464, where you're considering this). I gave it another try with a hardcoded token. Using a settings block it fails with `time="[now]" level=fatal msg="You must provide an API key"`, otherwise it works fine.

And I checked the secrets tab, it exists and I can use it in a commands block.

HerHde commented 2 years ago

By the way, sorry for not using an issue template, but I felt Q&A was most appropriate. Discord however isn't for me personally.

anbraten commented 2 years ago

I will have a look at how the secrets are passed to the config, but I have the feeling that they are just passed as normal environment variables and therefore cannot be used outside the step.

siddweiker commented 2 years ago

> Yeah, it didn't work in a settings block, but only on the same layer as image etc., like the Woodpecker docs state.

Thanks for pointing that out, I had totally missed it.

HerHde commented 2 years ago

May I push and ask for anything new?

reivilibre commented 2 years ago

Hi, maybe this can help.

Secrets are just environment variables and so are plugin parameters, so with a little bit of trickery you can map them between each other.

Here's an example of the docker plugin that I've been using.

pipeline:
  dockerImage:
    image: plugins/docker
    dockerfile: "${IMAGE_NAME}/Dockerfile"
    repo: "docker.example.org/me/${IMAGE_NAME}"
    registry: "docker.example.org"
    tags:
      - latest
    secrets:
      - source: docker_registry_username
        target: plugin_username
      - source: docker_registry_password
        target: plugin_password

The key is to use secrets with the source and target mappings.

For your example, specify the secret in the web UI as GITEA_TOKEN (yes, uppercase!), then use:

  release:
    image: plugins/gitea-release
    secrets:
      - source: gitea_token
        target: plugin_api_key

(yes, you write them in lowercase in the secrets block.)

I noticed this because the example plugin shows that plugin parameters are just PLUGIN_XXX env vars and the secrets documentation shows you how to use alternate names. I don't think this is a very nice way of doing it, but it works today. It might be sensible for a more 'proper' way of doing this to be added to Woodpecker's YAML syntax but I didn't see one so far.

Edit: if you wouldn't mind, it might be kind to update the issue title so it mentions using secrets in plugins (for the benefit of people searching later).
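The mapping described in the comment above, as an added example that is not part of the thread or of Woodpecker's code: a simplified model of the environment a plugin step receives, plus a lint that flags credentials written inline and secrets that are not mapped to a PLUGIN_* name. The NON_PARAM set, the credential-name heuristic and the sample values are assumptions.

```python
# Added example: a simplified model of the mapping described above, not Woodpecker's code.
# Assumption: every step key outside NON_PARAM reaches the plugin as PLUGIN_<KEY>.
NON_PARAM = {"image", "secrets", "commands", "when"}
CREDENTIAL_HINTS = ("key", "token", "password", "secret")  # heuristic, assumption


def _pairs(step):
    """Yield (source, target) for both the short and the source/target secret forms."""
    for entry in step.get("secrets", []):
        if isinstance(entry, str):
            yield entry, entry
        else:
            yield entry["source"], entry["target"]


def plugin_env(step, store):
    """Environment the plugin container sees under this model."""
    env = {"PLUGIN_" + k.upper(): str(v) for k, v in step.items() if k not in NON_PARAM}
    for source, target in _pairs(step):
        env[target.upper()] = store[source.upper()]
    return env


def lint(step):
    """Flag inline credentials and secrets a plugin will never read."""
    findings = []
    for key in step:
        if key not in NON_PARAM and any(h in key.lower() for h in CREDENTIAL_HINTS):
            findings.append(f"{key}: set inline; map a secret to plugin_{key} instead")
    if "commands" not in step:  # plugin step: settings arrive only as PLUGIN_*
        for _, target in _pairs(step):
            if not target.lower().startswith("plugin_"):
                findings.append(f"{target}: exported as {target.upper()}, not a PLUGIN_* setting")
    return findings


# Constructed sample data: the secret value is a placeholder.
STORE = {"GITEA_TOKEN": "placeholder-token"}
UNMAPPED = {"image": "plugins/gitea-release", "secrets": ["gitea_token"]}
INLINE = {"image": "plugins/gitea-release", "api_key": "placeholder-token"}
MAPPED = {"image": "plugins/gitea-release",
          "secrets": [{"source": "gitea_token", "target": "plugin_api_key"}]}

if __name__ == "__main__":
    # Print variable names only, never the secret values.
    for name, step in (("unmapped", UNMAPPED), ("inline", INLINE), ("mapped", MAPPED)):
        print(name, sorted(plugin_env(step, STORE)), lint(step))
```

The unmapped step is the situation from the original question: the secret exists in the container as GITEA_TOKEN, but the plugin only reads PLUGIN_API_KEY.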

6543 commented 2 years ago

@reivilibre what title do you propose? & pulls to documentation are always welcome ;)

HerHde commented 2 years ago

Thank you @reivilibre, this works indeed!

markkrj commented 2 years ago

@6543 and @jolheiser I think #604 closes this? Or you wait for 0.15 to be released?

6543 commented 2 years ago

yes was closed by #604 - way better than to do it atm :)

PS: thanks for the ping!