Committing secrets in parameter.json

[IT-VBFK]

Hi

Just a quick question: is it possible to decrypt stored secrets from parameter.json?

Because I want to commit this parameters (in this case an access token) to a public repo and the CI/CD pipeline should use this secrets.

[Basyras]

Your pipeline does not need to use parameters.json at all. If all secrets are found as environment variables I believe nuke is not even trying to read if from parameters.json. If you use Github actions you can simply add your secret as standard pipeline secret and in your _build.csproj you can access secrets like this

//from https://nuke.build/docs/cicd/github-actions/#importing-secrets
[GitHubActions(
    // ...
    ImportSecrets = new[] { nameof(NuGetApiKey) })]
class Build : NukeBuild
{
    [Parameter] [Secret] readonly string NuGetApiKey;
}

of course this force you to have secrets in 2 places in parameters.json when running locally and in Github Actions secrets when running the pipeline. It depends what you want to achieve and how safe you want to make it.

I think there should be a way that the pipeline would use parameters.json but I am not sure how you give the pipeline a password to decrypt the secrets - I never tried it to be honest. I assume you can have environment variable in pipeline (secret) that would be used to as password when reading secrets from parameters.json

My humble investigation (I think there must be a easy way but i can't find anything in docs)
I found this code in Contants.cs

$"PARAMS_{profile.TrimStart(DefaultProfileName).ToUpperInvariant().Replace(".", "_")}_KEY".Replace("_", string.Empty);
where DefaultProfileName is the secret profile name

which then is tried to get like this:

So my assumption is if you have environment variable (Github actions secret) in build server like this:
PARAMS_$default_KEY with value <your profile password>
and you have ImportSecrets property set in attribute it would try read it and decrypt it from parameters.json

But give me a feedback how did you solve it since I am interested in this topic and I don't have much time to tinker with this at the moment.
I think it is worth to think about creating an issue because this should be covered in docs but it is not.

[IT-VBFK]

Yes I know that I can pass in github secrets as secrets..

My question was, how secure the secrets stored in the parameters.json really are. Because Github does not pass secrets to pipelines of PRs from a forked repo. So I searching for a (secure) way to avoid this limitation.

[matkoch]

By implication, this will never be possible.

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

[IT-VBFK]

Ahh.. thanks for sharing this :)

[IT-VBFK]

How do you would handle workflow runs from PRs that needs secrets (e.g. tokens for coveralls or something)? Especially for coveralls.net the GITHUB_TOKEN is not enough..

[matkoch]

Below is an example of the intended usage in which the results of an unprivileged pull_request workflow are combined with a privileged workflow to leave a comment in response to a received PR: