Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set scope for secrets #22184

Open
JakobDev opened this issue Dec 20, 2022 · 3 comments
Open

Set scope for secrets #22184

JakobDev opened this issue Dec 20, 2022 · 3 comments
Labels
type/feature Completely new functionality. Can only be merged if feature freeze is not active. type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@JakobDev
Copy link
Contributor

Feature Description

Gitea has now secrets that will be used by the upcoming Actions. It makes sense, to let the User limit the Scope where these Secrets are actually available (on a Pipeline triggered by a Push/PR etc.)

Screenshots

Something like Woodpecker does:
grafik
@JakobDev JakobDev added type/feature Completely new functionality. Can only be merged if feature freeze is not active. type/proposal The new feature has not been accepted yet but needs to be discussed first. labels Dec 20, 2022
@delvh
Copy link
Member

delvh commented Dec 20, 2022

Hmm, do we really need this?
If not even GitHub or GitLab support it, is there really such a huge value in adding it?
This heavily complicates the logic, and I don't think you typically need that fine-grained separation.
I personally am rather against it.

@markkrj
Copy link

markkrj commented Dec 20, 2022

This makes sense, as secrets can be exposed by malicious code in PRs. Gitea also has protected tags and branches, so it makes sense for those as well. GitHub does not allow use of secrets on PRs by default. Only on workflows triggered by specific event (pull_request_target). Does GitLab even has a built-in secret storage? I could not find. They have instructions on how to use Vault as a secret storage for its CI, and it allows for even more granularity than just refs.

@delvh delvh mentioned this issue Dec 22, 2022
Merged
@KN4CK3R
Copy link
Member

KN4CK3R commented Dec 22, 2022

Github does have different "scopes": Actions, Codespaces, Dependabot
If we want to use the secrets for internal logic like mirror credentials we will need different types too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/feature Completely new functionality. Can only be merged if feature freeze is not active. type/proposal The new feature has not been accepted yet but needs to be discussed first.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@KN4CK3R @markkrj @JakobDev @delvh