From 47a00051e6b455d4bb94ed31aa9a4f7d6a8791cd Mon Sep 17 00:00:00 2001
From: qwerty287 <80460567+qwerty287@users.noreply.github.com>
Date: Sun, 14 Sep 2025 12:26:56 +0200
Subject: [PATCH] Allow to get secrets from file (#5509)

---
 cli/exec/exec.go  | 20 ++++++++++++++++++++
 cli/exec/flags.go |  5 +++++
 2 files changed, 25 insertions(+)

diff --git a/cli/exec/exec.go b/cli/exec/exec.go
index c5be7ec1f..cfe8f7ff0 100644
--- a/cli/exec/exec.go
+++ b/cli/exec/exec.go
@@ -25,6 +25,7 @@ import (
 	"runtime"
 	"strings"
 
+	"codeberg.org/6543/xyaml"
 	"github.com/drone/envsubst"
 	"github.com/oklog/ulid/v2"
 	"github.com/rs/zerolog/log"
@@ -169,6 +170,25 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax
 			Value: val,
 		})
 	}
+	if secretsFile := c.String("secrets-file"); secretsFile != "" {
+		fileContent, err := os.ReadFile(secretsFile)
+		if err != nil {
+			return err
+		}
+
+		var m map[string]string
+		err = xyaml.Unmarshal(fileContent, &m)
+		if err != nil {
+			return err
+		}
+
+		for key, val := range m {
+			secrets = append(secrets, compiler.Secret{
+				Name:  key,
+				Value: val,
+			})
+		}
+	}
 
 	pipelineEnv := make(map[string]string)
 	for _, env := range c.StringSlice("env") {
diff --git a/cli/exec/flags.go b/cli/exec/flags.go
index 31ab7778e..27aa3fb1f 100644
--- a/cli/exec/flags.go
+++ b/cli/exec/flags.go
@@ -78,6 +78,11 @@ var flags = []cli.Flag{
 		Name:    "secrets",
 		Usage:   "map of secrets, ex. 'secret=\"val\",secret2=\"value2\"'",
 	},
+	&cli.StringFlag{
+		Sources: cli.EnvVars("WOODPECKER_SECRETS_FILE"),
+		Name:    "secrets",
+		Usage:   "path to yaml file with secrets map",
+	},
 
 	//
 	// backend options for pipeline compiler