
Secrets

Secrets are resolved at runtime and never written to run logs. There are two scopes:

Scope               File                            Purpose
Setup-wide          pipelines/secrets.yaml          Shared secrets available to every pipeline
Pipeline-specific   pipelines/<name>/secrets.yaml   Secrets for one pipeline; override setup-wide values

When a pipeline references a secret, the pipeline-specific file is checked first. If the key is not found there, the setup-wide file is consulted. If the key is absent from both, the run fails.

Setup-wide secrets

Place credentials shared by multiple pipelines in pipelines/secrets.yaml:

secrets:
  corp_ca:
    type: ca_bundle
    bundle_file: /etc/ssl/certs/corp-ca.pem
  deploy_token:
    type: https_token
    token: ghp_xxxxxxxxxxxxxxxxxxxx

Any pipeline can reference these by name. A pipeline-specific secrets.yaml with the same key takes precedence.

Warning

Add pipelines/secrets.yaml to .gitignore. Never commit credentials to version control.


Pipeline-specific secrets

Each pipeline has an optional secrets.yaml file located at:

pipelines/<pipeline-name>/secrets.yaml

File structure

All secrets must be defined under the root-level secrets key:

secrets:
  my_token:
    type: https_token
    token: ghp_xxxxxxxxxxxxxxxxxxxx

Referencing secrets in the DSL

Use the secret name (the key under secrets) as the value of secret, ca_bundle, or certificate attributes in SOURCE/TARGET blocks:

SOURCE git
  url     https://github.com/org/repo.git
  branch  main
  secret  my_token     # references the "my_token" key in secrets.yaml

Secret types

https_token

Personal access token for HTTPS authentication.

secrets:
  my_token:
    type: https_token
    token: ghp_xxxxxxxxxxxxxxxxxxxx

https_basic

Username and password for HTTPS basic authentication.

secrets:
  my_creds:
    type: https_basic
    username: myuser
    password: mypassword

ssh_key

SSH private key, either as a path to a file or as inline PEM content.

secrets:
  my_ssh:
    type: ssh_key
    key_file: /home/user/.ssh/id_ed25519   # path to key file

Or with the key content embedded directly:

secrets:
  my_ssh:
    type: ssh_key
    key: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      ...
      -----END OPENSSH PRIVATE KEY-----

ca_bundle

Custom CA certificate bundle for TLS verification.

secrets:
  corp_ca:
    type: ca_bundle
    bundle_file: /etc/ssl/certs/corp-ca.pem   # path to bundle file

Or with inline PEM content:

secrets:
  corp_ca:
    type: ca_bundle
    bundle: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----

Use this as the ca_bundle attribute on an endpoint:

SOURCE git
  url        https://internal.git.corp/repo.git
  branch     main
  ca_bundle  corp_ca

certificate

Client certificate and key for mutual TLS (mTLS).

secrets:
  client_cert:
    type: certificate
    cert_file: /etc/ssl/certs/client.pem
    key_file:  /etc/ssl/private/client.key

Use this as the certificate attribute on an endpoint.


Warning

Add secrets.yaml to .gitignore. Never commit credentials to version control.
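The lookup order (pipeline-specific first, then setup-wide, failure if absent) and the per-type field rules described on this page, as an added example that is not the project's own code. It works on the parsed contents of the two secrets.yaml files (what yaml.safe_load would return); the mapping from DSL attributes to permitted secret types and the "exactly one of key_file/key, bundle_file/bundle" rule are assumptions drawn from the sections above, and the sample documents are constructed with placeholder values.

```python
# Added example (not the project's own code): resolver for the two-scope lookup described above.
# Inputs are the parsed contents of the two secrets.yaml files; the type rules are assumed from the page.
ALLOWED_TYPES = {"secret": {"https_token", "https_basic", "ssh_key"},
                 "ca_bundle": {"ca_bundle"}, "certificate": {"certificate"}}
REQUIRED = {  # per type: groups of alternative fields; exactly one field per group must be set
    "https_token": (("token",),), "https_basic": (("username",), ("password",)),
    "ssh_key": (("key_file", "key"),), "ca_bundle": (("bundle_file", "bundle"),),
    "certificate": (("cert_file",), ("key_file",)),
}
class SecretError(Exception):
    """Messages name keys and types only, never secret values, so they are safe to log."""

def lookup(name, pipeline_doc, setup_doc):
    """Pipeline-specific file first, then setup-wide; absent from both fails the run."""
    for scope, doc in (("pipeline", pipeline_doc), ("setup", setup_doc)):
        entries = (doc or {}).get("secrets") or {}
        if name in entries:
            return scope, entries[name]
    raise SecretError(f"secret '{name}' not found in pipeline-specific or setup-wide secrets.yaml")

def validate(name, entry):
    """Check the entry's fields against its declared type and return that type."""
    stype = entry.get("type")
    if stype not in REQUIRED:
        raise SecretError(f"secret '{name}': unknown type {stype!r}")
    for group in REQUIRED[stype]:
        if sum(field in entry for field in group) != 1:
            raise SecretError(f"secret '{name}' ({stype}): exactly one of {group} required")
    return stype

def resolve(attribute, name, pipeline_doc, setup_doc):
    """Resolve a DSL attribute reference; the returned entry must never be written to logs."""
    scope, entry = lookup(name, pipeline_doc, setup_doc)
    stype = validate(name, entry)
    if stype not in ALLOWED_TYPES.get(attribute, set()):
        raise SecretError(f"attribute '{attribute}' cannot use secret '{name}' of type {stype}")
    return scope, entry

def reference_ok(attribute, name, pipeline_doc, setup_doc):
    """Lint helper for CI: True if the reference would resolve at runtime, else False."""
    try:
        return bool(resolve(attribute, name, pipeline_doc, setup_doc))
    except SecretError:
        return False

# Constructed sample documents with placeholder values (not real credentials).
SETUP = {"secrets": {"corp_ca": {"type": "ca_bundle", "bundle_file": "/etc/ssl/certs/corp-ca.pem"},
                     "deploy_token": {"type": "https_token", "token": "ghp_PLACEHOLDER"}}}
PIPELINE = {"secrets": {"deploy_token": {"type": "https_basic", "username": "ci", "password": "PLACEHOLDER"},
                        "bad_ssh": {"type": "ssh_key", "key_file": "/tmp/id", "key": "inline"}}}  # both fields set
```

Running `reference_ok` over every `secret`, `ca_bundle` and `certificate` attribute in a pipeline's SOURCE/TARGET blocks before a run catches a missing or mistyped secret without ever printing its value.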