Handling and managing sensitive data is extremely important in the CI/CD process. This type of data shouldn't be kept in the repository to avoid unnecessary risk. You can, however, store it in Buddy in the form of variables, an elegant and practical solution for every developer.

So far, there were two types of variables:

  • Environment variables – let you define secrets with varying levels of access and use them in actions with an appropriate key
  • SSH keys – keys with a unique name and value, added to the ~/.ssh/ directory in every build action. You can also use SSH keys in SFTP, SSH, and Rsync actions.

This week, we are adding a new variable type: file. This feature lets you add files as variables (e.g. config files, keystores, or JSON keys), which can then be used in build actions.

Adding the variable

In the pipeline's Variables tab, add a new variable and select File in the Type dropdown menu. The last step is uploading the file and providing a key so you can identify it:

Adding a new variable

Additional options:

  • Scope – you can specify who can use the file and where. For example, you can restrict the file to a single pipeline or allow it in the entire workspace
  • Encryption – with this selected, the file contents will be blurred, for example when someone runs a cat command over it in a build action. Thanks to this, the file contents will never show up in the logs
  • State – changing the state to Settable will update the file value stored in the variable whenever the file content is altered by a build action

The contents of all variables in Buddy are always kept in an encrypted form, regardless of whether the Encryption option is enabled. This option simply keeps the variable contents blurred in the execution logs.

Use Case

This type of variable is kept as a file on the container's drive in every build action. The file's location is saved as an ENV VAR with the key provided during configuration. To check the location of the file on the disk, simply run echo $MY_FILE.

For example: if you defined a config file as a variable and you want to use it in the working directory of the build, you just need to run mv $MY_FILE config.json:

Using the variable in the Node action

Make sure to delete the files copied to the pipeline's filesystem after the build. Otherwise, they will remain in the filesystem and can be downloaded by anyone who can access it.
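
One way to apply the cleanup advice above in a build action, as an added example (not Buddy's own code): a POSIX shell helper that copies the file variable into the working directory with owner-only permissions, runs a command, and deletes the copy afterwards even if the command fails. MY_FILE is the key used in this post; the helper name use_file_variable, config.json as the destination, and the npm command are assumptions.

```shell
#!/bin/sh
# use_file_variable SRC DEST CMD [ARGS...]
# SRC is the path Buddy exports (e.g. "$MY_FILE"); the helper name, DEST
# and CMD are assumptions made for this example.
use_file_variable() {
    src=$1; dest=$2; shift 2

    if [ -z "$src" ] || [ ! -r "$src" ]; then
        echo "file variable is unset or unreadable" >&2
        return 2
    fi
    # Never overwrite (and later delete) a file already in the workspace,
    # such as one checked out from the repository.
    if [ -e "$dest" ]; then
        echo "$dest already exists, refusing to overwrite" >&2
        return 3
    fi

    (
        # Cleanup runs when this subshell exits: success, failure or signal.
        trap 'rm -f "$dest"' EXIT
        trap 'exit 130' INT TERM HUP
        # Copy rather than mv so the variable file itself is untouched;
        # the nested umask makes the copy owner-only without affecting CMD.
        ( umask 077 && cp "$src" "$dest" ) || exit 4
        "$@"
    )
}

# Example call in a build action:
#   use_file_variable "$MY_FILE" config.json npm run build
```

The helper returns the wrapped command's exit status, so a failing build still fails the action after the copy has been removed.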

We are currently working on expanding the functionality of this type of variable to other kinds of actions and developing new ways of managing your secrets. Remember to subscribe to our blog and follow us on Twitter to always stay up to date with new Buddy features.