Handling and managing sensitive data is extremely important in the CI/CD process. This type of data shouldn't be kept in the repository, to avoid unnecessary risk. You can, however, store it in Buddy in the form of variables, an elegant and practical solution for every developer.
So far, there have been two types of variables:
- Environment variables – let you define secrets with varying levels of access and use them in actions with an appropriate key
- SSH keys – keys with a unique name and value, added to the ~/.ssh/ directory in every build action. You can also use SSH keys in SFTP, SSH, and Rsync actions.
This week, we are adding a new variable type: file. This feature lets you store files (e.g. config files, keystores, or JSON keys) as variables, which can then be used in build actions.
Adding the variable
In the pipeline's Variables tab, add a new variable and select File in the Type dropdown menu. The last step is uploading the file and providing a key so you can identify it. You can also configure:
- Scope – you can specify who can use the file and where. For example, you can restrict the file to a single pipeline, or allow it in the entire workspace
- Encryption – with this selected, the file contents will be blurred, for example when someone runs a cat command over it in a build action. Thanks to this, the file contents will never show up in the logs
- State – changing the state to Settable will update the file value in the variable whenever the file content is altered by a build action
The contents of all variables in Buddy are always kept in an encrypted form, regardless of whether the encryption option is enabled or not. This option simply keeps the variable contents blurred in the execution logs.
This type of variable is kept as a file on the container's drive in every build action. The file's location is saved as an environment variable with the key provided during configuration. To check the location of the file on the disk, simply run
For example, if you defined a config file as a variable and you want to use it in the working directory of the build, you just need to run
mv $MY_FILE config.json
Make sure to delete the files copied to the pipeline's filesystem after the build. Otherwise, they will remain in the filesystem and can be downloaded by anyone who can access it.
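One way to make that cleanup automatic, as an added example that is not Buddy's own code: it assumes a file variable with the key MY_FILE (so $MY_FILE holds the file's path in the container), stages a copy as config.json for one build step, and removes the copy again even when the step fails or the script is interrupted.

```shell
#!/bin/sh
# Added example (not Buddy's code): stage a file variable into the build
# working directory for one build step, then remove it so the secret does
# not linger on the pipeline filesystem.
# Assumes the variable key is MY_FILE, so $MY_FILE is the path on the
# container's drive (constructed example; adjust the key and destination).

# Copy the file referenced by the variable to dest, refusing to overwrite an
# existing file. Copying (rather than mv) keeps the original usable by later
# actions; chmod 600 limits the copy to the build user.
stage_secret_file() {
  src="$1"
  dest="$2"
  [ -f "$src" ] || { echo "file variable missing: $src" >&2; return 1; }
  [ ! -e "$dest" ] || { echo "refusing to overwrite: $dest" >&2; return 1; }
  cp "$src" "$dest" && chmod 600 "$dest"
}

# Remove the staged copy; succeeds only if the file is really gone.
cleanup_secret_file() {
  rm -f "$1"
  [ ! -e "$1" ]
}

# Run a build command with the secret staged, cleaning up afterwards whether
# the command succeeds, fails, or the shell is interrupted.
# Usage: run_with_secret <dest> <command...>
run_with_secret() {
  STAGED_DEST="$1"; shift
  stage_secret_file "${MY_FILE:?MY_FILE is not set}" "$STAGED_DEST" || return 1
  trap 'cleanup_secret_file "$STAGED_DEST"' EXIT INT TERM
  "$@"
  status=$?
  cleanup_secret_file "$STAGED_DEST"
  trap - EXIT INT TERM
  return "$status"
}

# Placeholder build step that consumes the staged config.json; replace the
# sh -c command with the real build command.
main() {
  run_with_secret config.json sh -c 'test -s config.json && echo "build used config.json"'
}

# Only run the build step when the variable is actually present.
if [ -n "${MY_FILE:-}" ]; then main; fi
```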
We are currently working on expanding the functionality of this type of variable to other kinds of actions and developing new ways of managing your secrets. Remember to subscribe to our blog and follow us on Twitter to be always up-to-date with the new Buddy features.