Make pipeline secret redaction default behaviour #3897

Merged
DrJosh9000 merged 1 commit into v4 from enforce-pipeline-reaction-mk-ii
May 6, 2026


@DrJosh9000
Contributor

Description

It's like #1593, but for v4.

Further to #1589, pipeline secret redaction should become default in Agent v4.

This PR makes it so that default behaviour is to disallow pipeline uploads containing interpolations of potentially secret environment variables. We add a flag to buildkite-agent pipeline upload to allow uploading pipelines with these secrets, but note in the CLI help and the log output that this behaviour is insecure.

We won't merge this until we release Agent v4.

Context

Closes #1593

Testing

  • Tests have run locally (with go test ./...). Buildkite employees may check this if the pipeline has run automatically.
  • Code is formatted (with go tool gofumpt -extra -w .)

Disclosures / Credits

@moskyb

DrJosh9000 requested review from a team as code owners May 6, 2026 03:29
DrJosh9000 merged commit 01dfd17 into v4 May 6, 2026
3 checks passed
DrJosh9000 deleted the enforce-pipeline-reaction-mk-ii branch May 6, 2026 03:43
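The reject-by-default behaviour the description talks about can be sketched as follows. This is an added example, not code from this PR or from buildkite-agent: the pattern list, the function names, the `allowInsecure` parameter and the strategy of matching secret values in the rendered pipeline text are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// Constructed glob patterns for "potentially secret" variable names (assumption).
var secretNamePatterns = []string{"*_PASSWORD", "*_SECRET", "*_TOKEN", "*_PRIVATE_KEY"}

// isSecretName reports whether an environment variable name matches a pattern.
func isSecretName(name string) bool {
	for _, p := range secretNamePatterns {
		if ok, _ := path.Match(p, name); ok {
			return true
		}
	}
	return false
}

// leakedVars returns the sorted names of secret-looking variables whose
// non-empty values appear verbatim in the interpolated pipeline text.
func leakedVars(rendered string, env map[string]string) []string {
	var leaked []string
	for name, val := range env {
		if isSecretName(name) && val != "" && strings.Contains(rendered, val) {
			leaked = append(leaked, name)
		}
	}
	sort.Strings(leaked)
	return leaked
}

// checkUpload rejects by default; allowInsecure models the hypothetical opt-out.
func checkUpload(rendered string, env map[string]string, allowInsecure bool) error {
	leaked := leakedVars(rendered, env)
	if len(leaked) > 0 && !allowInsecure {
		return fmt.Errorf("pipeline contains values of secret variables %v", leaked)
	}
	return nil
}

func main() {
	env := map[string]string{"DEPLOY_TOKEN": "tok-constructed-123", "BRANCH": "main"} // constructed
	rendered := "steps:\n  - command: deploy --token tok-constructed-123 --branch main\n"
	fmt.Println(checkUpload(rendered, env, false))
}
```

The error names the offending variables rather than echoing their values, so the rejection message itself does not leak the secret into build logs.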
2 participants