Do not alter secret key upper-/lowercase (#3375)

2025-10-30 23:27:39 +02:00 · 2024-02-20 14:20:25 +01:00
parent cee890d359
commit 0c9bbf91a3
5 changed files with 12 additions and 8 deletions
--- a/docs/docs/20-usage/40-secrets.md
+++ b/docs/docs/20-usage/40-secrets.md
@@ -21,11 +21,13 @@ once their usage is declared in the `secrets` section:
   - name: docker
     image: docker
     commands:
-+      - echo $DOCKER_USERNAME
+      - echo $docker_username
 +      - echo $DOCKER_PASSWORD
-+    secrets: [ docker_username, docker_password ]
+    secrets: [ docker_username, DOCKER_PASSWORD ]
 ```

+The case of the environment variables is not changed, but secret matching is done case-insensitively. In the example above, `DOCKER_PASSWORD` would also match if the secret is called `docker_password`.
+
 ### Use secrets in settings

 Alternatively, you can get a `setting` from secrets using the `from_secret` syntax.
@@ -53,11 +55,11 @@ Please note parameter expressions are subject to pre-processing. When using secr
   - name: docker
     image: docker
     commands:
-      - echo ${DOCKER_USERNAME}
+-      - echo ${docker_username}
 -      - echo ${DOCKER_PASSWORD}
-+      - echo $${DOCKER_USERNAME}
+      - echo $${docker_username}
 +      - echo $${DOCKER_PASSWORD}
-     secrets: [ docker_username, docker_password ]
+     secrets: [ docker_username, DOCKER_PASSWORD ]
 ```

 ### Alternate Names
--- a/docs/docs/91-migrations.md
+++ b/docs/docs/91-migrations.md
@@ -8,6 +8,7 @@ Some versions need some changes to the server configuration or the pipeline conf
 - Removed `WOODPECKER_ROOT_PATH` and `WOODPECKER_ROOT_URL` config variables. Use `WOODPECKER_HOST` with a path instead
 - Pipelines without a config file will now be skipped instead of failing
 - Deprecated `includes` and `excludes` support from **event** filter
+- Deprecated uppercasing all secret env vars, instead, the value of the `secrets` property is used. [Read more](./20-usage/40-secrets.md#use-secrets-in-commands)

 ## 2.0.0

--- a/pipeline/frontend/yaml/compiler/convert.go
+++ b/pipeline/frontend/yaml/compiler/convert.go
@@ -118,6 +118,8 @@ func (c *Compiler) createProcess(container *yaml_types.Container, stepType backe
 			return nil, err
 		}

+		environment[requested.Target] = secretValue
+		// TODO deprecated, remove in 3.x
 		environment[strings.ToUpper(requested.Target)] = secretValue
 	}

--- a/server/api/repo_secret.go
+++ b/server/api/repo_secret.go
@@ -16,7 +16,6 @@ package api

 import (
 	"net/http"
-	"strings"

 	"github.com/gin-gonic/gin"

@@ -68,7 +67,7 @@ func PostSecret(c *gin.Context) {
 	}
 	secret := &model.Secret{
 		RepoID: repo.ID,
-		Name:   strings.ToLower(in.Name),
+		Name:   in.Name,
 		Value:  in.Value,
 		Events: in.Events,
 		Images: in.Images,
--- a/server/pipeline/stepbuilder/stepBuilder.go
+++ b/server/pipeline/stepbuilder/stepBuilder.go
@@ -240,7 +240,7 @@ func (b *StepBuilder) environmentVariables(metadata metadata.Metadata, axis matr
 func (b *StepBuilder) toInternalRepresentation(parsed *yaml_types.Workflow, environ map[string]string, metadata metadata.Metadata, stepID int64) (*backend_types.Config, error) {
 	var secrets []compiler.Secret
 	for _, sec := range b.Secs {
-		events := []string{}
+		var events []string
 		for _, event := range sec.Events {
 			events = append(events, string(event))
 		}