CircleCI 2.0 private environment keys for public repos

#1

I have a GitHub repo that is currently private. My Firebase deployment token is stored as an Env Var in the CircleCI GUI. The CircleCI 2.0 documentation clearly states

Do not add keys or secrets to a public CircleCI project

Also, from what I can find in the FAQ, a CircleCI project is made public if the associated GitHub repo is made public.

Now that I intend to open-source the project on GitHub, will it make the Env Var in CircleCI visible to anyone, since the CircleCI project will become public?

If the Env Var is publicly visible, what is an advised way to keep my deployment token hidden from others? Do I have to resort to a solution like git-crypt or a cloud based KMS?

Here’s a link to my StackOverflow question:
https://stackoverflow.com/questions/45542515/circleci-2-0-private-environment-keys-for-public-repos


#2

That warning is meant for the config. You can use UI-based CircleCI environment variables safely.

If the repo/project is public, you’ll just want to make sure that:

  • envars in forked builds are turned off in settings
  • you don’t echo/print those variables to build output at all since that might be visible to the public

#3

Thank you very much for the clarification!

Is it possible to have the docs updated to reflect these details? Googling didn’t give me a complete picture.


#4

Our docs are open-source. Can you point me to which doc you think that information might belong to and I can open a GitHub Issue on it?


#5

I didn’t know they were OS, that’s great!

The initial warning

Do not add keys or secrets to a public CircleCI project.

is actually under the heading for Adding Enviro[n - typo here]ment Variables in the App. Since this warning only relates to the config.yml, it should probably be in the section about the config.yml.

Also, it would be nice to just have a section about public repo/projects clearly outlining best practices here. I wish to use CircleCI in place of TravisCI, but finding out how to keep deployment config private and what’s visible to non-contributors has been difficult.

Here is a list of things that I’ve not been able to find or wish to be more clear:

  • public repo = public project
  • env-vars are shared in forks unless turned off
  • Web GUI settings are accessible only by contributors? Therefore, env-vars set in the GUI are hidden from the public.
  • Build-logs are visible, so don’t print sensitive information in them.

Thanks again for the help with this. In future, if I find any errors in the docs I will create a PR on GitHub.

To further clarify, general questions should come here and not to the GitHub issues?

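The two precautions in post #2 (no secrets on forked builds, never print them to the build log) and the checklist in post #5, carried into a deploy script, as an added example that is not part of the original thread and not CircleCI's own tooling. It assumes the Firebase token is stored in the CircleCI UI as a project environment variable named FIREBASE_TOKEN and that a `run` step in config.yml calls `deploy_guarded`; the variable name, the script and the function names are assumptions. The fork check relies on CircleCI setting CIRCLE_PR_NUMBER only on builds of forked pull requests.

```shell
#!/bin/sh
# Added example: a guarded deploy script for a public CircleCI 2.0 project.
# Not CircleCI's or the original poster's code. Assumes the Firebase
# deployment token is stored in the CircleCI UI as a project environment
# variable named FIREBASE_TOKEN (the name is an assumption).
#
# CircleCI sets CIRCLE_PR_NUMBER only on builds of forked pull requests,
# so its presence is used here to detect a fork build.

# Succeeds (0) if this build comes from a forked pull request.
is_fork_build() {
    [ -n "${CIRCLE_PR_NUMBER:-}" ]
}

# Confirm the secret is present without printing it: only its length
# reaches the log, which is enough to tell "unset" from "set".
check_token_present() {
    if [ -z "${FIREBASE_TOKEN:-}" ]; then
        echo "FIREBASE_TOKEN is not set" >&2
        return 1
    fi
    echo "FIREBASE_TOKEN is set (${#FIREBASE_TOKEN} characters)" >&2
}

# Replace every literal occurrence of $1 on stdin with [REDACTED].
# The secret is passed through the environment and matched with awk's
# index(), so it is treated as plain text even if it contains characters
# that are special to sed or grep. An empty secret is passed through.
redact() {
    if [ -z "$1" ]; then
        cat
        return 0
    fi
    REDACT_SECRET=$1 awk '
        BEGIN { s = ENVIRON["REDACT_SECRET"] }
        {
            line = $0; out = ""
            while ((i = index(line, s)) > 0) {
                out = out substr(line, 1, i - 1) "[REDACTED]"
                line = substr(line, i + length(s))
            }
            print out line
        }'
}

# Run the deploy command given as arguments, for example:
#   deploy_guarded firebase deploy --token "$FIREBASE_TOKEN"
# Refuses on fork builds and when the token is missing. The command's
# stdout and stderr both pass through redact, so a tool that echoes its
# arguments (or a debugging "set -x" in the step) cannot leak the token
# into the public build log. The command's own exit status is preserved
# even though it runs inside a pipeline.
deploy_guarded() {
    if is_fork_build; then
        echo "refusing to deploy from a forked pull request" >&2
        return 2
    fi
    check_token_present || return 3
    rc_file=$(mktemp)
    { "$@" 2>&1 && rc=0 || rc=$?; echo "$rc" > "$rc_file"; } | redact "$FIREBASE_TOKEN"
    rc=$(cat "$rc_file")
    rm -f "$rc_file"
    return "$rc"
}
```

The script is defence in depth, not a substitute for the project setting: with the CircleCI option that passes secrets to builds from forked pull requests turned off, a fork build never receives FIREBASE_TOKEN at all, and `deploy_guarded` then fails early with a clear message instead of a confusing Firebase authentication error in a public log. The redaction matters because everything a `run` step writes to stdout or stderr lands in the build log, which is readable by anyone once the project is public; a single `set -x` or a verbose deploy tool is enough to expose the token otherwise.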

#6

Thanks for that.

I’ve opened two Issues on our Docs repo as a response to your post:

Correct. CircleCI Discuss is for questions, discussion, sharing, etc. The Issues queue for CircleCI Docs on GitHub should be for missing docs, reporting incorrect docs, docs request, spelling fixes, etc.

