Woodpecker CI secrets not passed to pipeline process #204

Closed
opened 2023-05-08 14:21:57 +00:00 by a · 0 comments
Owner

Quoting @0xmrtt from the Matrix chat:

> I'm having an issue with the CI. I'm trying to push to the registry on Forgejo at the end of the run. For that, I added a secret. But the CI fails because it seems that the token and env vars aren't passed to the CI. It seems that they are empty.
> https://git.exozy.me/0xmrtt/Bavarder/src/branch/main/.woodpecker.yml

I was also able to reproduce this bug: https://ci.exozy.me/a/Hello-world/pipeline/14/3

The reason this bug happens is because [this line](https://git.exozy.me/exozyme/exozyme/src/commit/124126d2e87b3f6d57550b7b5fd427ed4583cc0a/src/woodpecker.patch#L56) doesn't add the `-E` flag to `command` so the environment isn't passed to the process started by `sudo`. I don't remember if this is intentionally done for security reasons, but I'm pretty sure it's safe to add the `-E` flag here.
a added the bug label 2023-05-08 14:21:57 +00:00
a closed this issue 2023-05-08 14:38:10 +00:00
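
Added example, not part of the original issue or the exozyme patch: it contrasts a step run with a reset environment (the failure described above) with one that forwards only named secrets, a narrower alternative to passing the whole environment with `-E`. It assumes `env -i` as a stand-in for sudo's default environment reset so it runs without root; the function names, variable names and values are constructed.

```shell
#!/bin/sh
# Added demo, constructed values. `env -i` stands in for sudo's default
# environment reset so this runs without root; function names are hypothetical.

# What the step sees when sudo runs it without -E: a minimal environment only.
run_reset() {
    env -i PATH="$PATH" HOME="${HOME:-/}" "$@"
}

# Reset the environment, then forward only the comma-separated variable names
# in $1 (similar in effect to `sudo --preserve-env=NAME1,NAME2 command`).
run_allowlisted() {
    allow=$1; shift
    old_ifs=$IFS; IFS=,
    for name in $allow; do
        # Accept plain identifiers only, since the name is passed to eval.
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*) IFS=$old_ifs; return 2 ;;
        esac
        # Forward the variable only if it is actually set in the caller.
        if eval "[ \"\${$name+set}\" = set ]"; then
            eval "value=\$$name"
            set -- "$name=$value" "$@"
        fi
    done
    IFS=$old_ifs
    env -i PATH="$PATH" HOME="${HOME:-/}" "$@"
}

# Constructed sample: one secret the step needs, one it does not.
export CI_TOKEN='constructed-token' UNRELATED_SECRET='do-not-forward'
show='printf "CI_TOKEN=[%s] UNRELATED_SECRET=[%s]\n" "${CI_TOKEN-}" "${UNRELATED_SECRET-}"'
run_reset sh -c "$show"
run_allowlisted CI_TOKEN sh -c "$show"
```

With real sudo, forwarding variables this way also depends on the sudoers policy allowing the caller to preserve them.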
Reference: exozyme/exozyme#204