Managing secrets in a SourceCraft repository

Secrets let you store confidential data, such as passwords, access keys, and tokens, in encrypted form in the repository.

A secret is a key-value pair: the key is the secret name, and the value is the confidential data.

Creating a secret

  1. Open the SourceCraft home page.
  2. On the Home tab, navigate to Repositories.
  3. Select a repository where you want to create a secret.
  4. Under Repository settings on the repository page, go to Secrets.
  5. On the page with secrets:
    • If you do not have any secrets yet, click New secret.
    • If you already have secrets, click Add secret in the top-right corner.
  6. In the window that opens:
    • In the Name field, enter a name for your secret.
    • In the Secret field, enter a value for your secret.
  7. Click Add secret.

Using the value of a secret in CI/CD

You can use secret values in the repository's CI/CD processes. To do this, in the .src.ci.yaml configuration file, specify the secret in ${{ secrets.<secret_name> }} format.

Example

This tutorial provides the .src.ci.yaml configuration file for CI/CD, which runs when you create a pull request to the master branch and does the following:

  1. Installs the Yandex Cloud CLI and authenticates as a service account using an authorized key stored in the secret.
  2. Authenticates Docker in Yandex Container Registry using the Docker credential helper.
  3. Builds a Docker image from the Dockerfile and pushes it to Container Registry.
  4. Deploys a container in Yandex Serverless Containers from the built Docker image.

# To run this CI/CD, create the following resources in Yandex Cloud:
# • Yandex Container Registry registry
# • Yandex Serverless Containers container
# • Service account with the serverless-containers.editor, 
#   container-registry.images.pusher, and iam.serviceAccounts.user roles
# • Authorized key to access Container Registry and Serverless Containers

on:
  pull_request:
    - workflows: ci-cd-container-registry-serverless
      filter:
        source_branches: ["**", "!test**"]
        target_branches: "master"

workflows:
  ci-cd-container-registry-serverless:
    tasks:
      - build-push-deploy-serverless
        
tasks:
  - name: build-push-deploy-serverless
    env:
      YC_DOCKER_REGISTRY_URI: cr.yandex/<registry_ID>
      IMAGE_NAME: <image_name>
      YC_SERVERLESS_CONTAINER_NAME: <container_name>
      YC_SERVICE_ACCOUNT_ID: <service_account_ID>
      YC_AUTHORIZED_KEY_JSON: ${{ secrets.<secret_name> }}
      YC_FOLDER_ID: <folder_ID>
    cubes:
      - name: install-yc
        script:
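          # Download the installer to a file only; with -o nothing reaches a pipe, so the former "| bash" did nothing.
          - curl -o ./yc-install.sh -L https://storage.yandexcloud.net/yandexcloud-yc/install.sh
          - echo 'source /root/yandex-cloud/completion.zsh.inc' >>  ~/.zshrc
          - chmod +x ./yc-install.sh && ./yc-install.sh -i /tmp/yc -n && mv /tmp/yc/bin/yc /usr/bin/yc
          - echo "$YC_AUTHORIZED_KEY_JSON" > key.json
          - yc config profile create sa-profile
          - yc config set service-account-key key.json
          # The key is now stored in the yc profile; delete the file so it is not part of the Docker build context (".").
          - rm -f key.json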
          - yc config set format json
          - yc config set folder-id $YC_FOLDER_ID
      
      - name: docker-login
        script:
          - yc container registry configure-docker --profile sa-profile

      - name: docker-build-push
        script:
          - docker build --tag $YC_DOCKER_REGISTRY_URI/$IMAGE_NAME --platform linux/amd64 .
          - docker push $YC_DOCKER_REGISTRY_URI/$IMAGE_NAME:latest
    
      - name: docker-logout
        script:
          - docker logout $YC_DOCKER_REGISTRY_URI

      - name: create-serverless
        script:
          - yc serverless container revision deploy  --container-name $YC_SERVERLESS_CONTAINER_NAME --image $YC_DOCKER_REGISTRY_URI/$IMAGE_NAME:latest --service-account-id $YC_SERVICE_ACCOUNT_ID

To learn more, see this SourceCraft repository: yc-ci-cd-serverless.
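
A pre-merge check for `.src.ci.yaml` files, given here as an added example that is not part of the original page or the SourceCraft tooling. It lists the secrets referenced in the `${{ secrets.<secret_name> }}` form, flags credential-like env variables that hold a literal instead of a reference, and flags `echo` lines that would print a secret-backed variable to the job log. The uppercase env-name convention, the sensitive-name pattern and the sample config are assumptions constructed for the example.

```python
import re

# Reference form documented on this page: ${{ secrets.<secret_name> }}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][\w-]*)\s*\}\}")
# Assumption: env entries are "UPPER_CASE_NAME: value" lines.
ENV_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*):\s*(.+?)\s*$")
# Assumption: names containing these words are expected to hold credentials.
SENSITIVE = re.compile(r"KEY|TOKEN|PASSWORD|SECRET")
SHELL_VAR = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)")

def lint_ci_config(text):
    """Return (referenced secret names, findings) for a .src.ci.yaml text."""
    referenced, secret_vars, findings = set(), set(), []
    lines = text.splitlines()
    # Pass 1: classify env entries as secret-backed or hardcoded.
    for no, line in enumerate(lines, 1):
        m = ENV_LINE.match(line)
        if not m:
            continue
        name, value = m.groups()
        refs = SECRET_REF.findall(value)
        if refs:
            referenced.update(refs)
            secret_vars.add(name)
        elif SENSITIVE.search(name):
            findings.append((no, "hardcoded", name))
    # Pass 2: echo of a secret-backed variable with no redirect or pipe
    # writes the value to the job output.
    for no, line in enumerate(lines, 1):
        if not re.search(r"\becho\b", line) or re.search(r"[|>]", line):
            continue
        for var in SHELL_VAR.findall(line):
            if var in secret_vars:
                findings.append((no, "echo-to-log", var))
    return sorted(referenced), sorted(findings)

# Constructed sample config (not from the page); all values are made up.
SAMPLE = """\
tasks:
  - name: deploy
    env:
      YC_FOLDER_ID: b1gexamplefolder
      YC_AUTHORIZED_KEY_JSON: ${{ secrets.YC_SA_KEY }}
      REGISTRY_PASSWORD: hunter2-constructed
    cubes:
      - name: auth
        script:
          - echo "$YC_AUTHORIZED_KEY_JSON" > key.json
          - echo "debug $YC_AUTHORIZED_KEY_JSON"
"""
```

Each finding is a `(line number, kind, variable)` tuple, so the function can gate a pull request by failing when the findings list is non-empty.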

Viewing a secret in the SourceCraft interface

  1. Open the SourceCraft home page.
  2. On the Home tab, navigate to Repositories.
  3. Select a repository where you want to view a secret.
  4. Under Repository settings on the repository page, go to Secrets.
  5. Click next to the secret whose value you want to view and select Edit.
  6. Copy the value of the secret.

Updating a secret

  1. Open the SourceCraft home page.
  2. On the Home tab, navigate to Repositories.
  3. Select a repository where you want to change a secret.
  4. Under Repository settings on the repository page, go to Secrets.
  5. Click next to the secret whose value you want to change and select Edit.
  6. In the Secret field, enter a new value for the secret.
  7. Click Save.

Deleting a secret

  1. Open the SourceCraft home page.
  2. On the Home tab, navigate to Repositories.
  3. Select a repository you want to delete a secret from.
  4. Under Repository settings on the repository page, go to Secrets.
  5. Click next to the secret you want to delete and select Delete secret.
  6. In the window that opens, click I understand, delete secret.
