Drone provides the ability to store sensitive information external to the Yaml configuration file, in a central secret store. Secrets are injected into the Yaml file at runtime using bash string replacement syntax.
Example configuration using secrets:
    pipeline:
      publish:
        image: plugins/docker
        username: octocat
    -   password: correct-horse-battery-staple
    +   password: ${DOCKER_PASSWORD}
Secrets are added to your repository using the command line utility. Example command:
    drone secret add \
      octocat/hello-world DOCKER_PASSWORD correct-horse-battery-staple
Signature
Drone does not expose secrets to your build unless the Yaml file is signed and verified. You sign the Yaml with the command line utility and commit the resulting .drone.yml.sig file to your repository.

    drone sign octocat/hello-world
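The two mechanisms described above, placeholder injection from a secret store and the signature gate in front of it, as an added illustration that is not Drone's own code. The placeholder syntax matches the page's ${DOCKER_PASSWORD} example; the HMAC-SHA256 signature scheme, the signing key and the secret values are constructed assumptions standing in for Drone's .drone.yml.sig format and secret store, chosen only to show why a tampered Yaml must fail verification before any secret is injected:

```python
import hashlib
import hmac
import re

# Matches ${NAME} placeholders of the kind used in the page's example.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")

# Constructed sample pipeline, same shape as the page's publish step.
SAMPLE_YAML = """pipeline:
  publish:
    image: plugins/docker
    username: octocat
    password: ${DOCKER_PASSWORD}
"""

# Constructed stand-in for the central secret store (what `drone secret add` would hold).
SECRET_STORE = {"DOCKER_PASSWORD": "correct-horse-battery-staple"}

# Constructed signing key; Drone's real signature format and key handling are not modelled here.
SIGNING_KEY = b"constructed-repo-signing-key"


def missing_secrets(yaml_text, store):
    """Pre-flight check: placeholders referenced by the Yaml that the store does not have."""
    names = PLACEHOLDER.findall(yaml_text)
    return [name for name in dict.fromkeys(names) if name not in store]


def inject_secrets(yaml_text, store):
    """Replace every ${NAME} with the stored value, failing closed on an unknown name
    so a typo never silently becomes an empty credential."""
    def lookup(match):
        name = match.group(1)
        if name not in store:
            raise KeyError(f"secret {name!r} is not in the store")
        return store[name]
    return PLACEHOLDER.sub(lookup, yaml_text)


def sign_yaml(yaml_text, key):
    """Hypothetical signature: hex HMAC-SHA256 over the exact Yaml bytes."""
    return hmac.new(key, yaml_text.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_and_inject(yaml_text, signature, key, store):
    """The gate: secrets are injected only if the Yaml still matches its signature."""
    if not hmac.compare_digest(sign_yaml(yaml_text, key), signature):
        raise PermissionError("yaml signature invalid; refusing to expose secrets")
    return inject_secrets(yaml_text, store)


def demo():
    """Sign the committed Yaml, then show that an edited Yaml is rejected
    before any secret reaches it. Returns (injected_yaml, tampered_accepted)."""
    sig = sign_yaml(SAMPLE_YAML, SIGNING_KEY)          # what `drone sign` would commit
    injected = verify_and_inject(SAMPLE_YAML, sig, SIGNING_KEY, SECRET_STORE)
    tampered = SAMPLE_YAML.replace("plugins/docker", "plugins/something-else")
    try:
        verify_and_inject(tampered, sig, SIGNING_KEY, SECRET_STORE)
        tampered_accepted = True
    except PermissionError:
        tampered_accepted = False
    return injected, tampered_accepted


if __name__ == "__main__":
    out, accepted = demo()
    print(out)
    print("tampered yaml accepted:", accepted)
```

The point the gate makes is the one the section states: the signature is over the Yaml that was reviewed and signed, so any later change to the file, however small, invalidates it and no secret is substituted. The pre-flight check is a convenience that surfaces a misspelled placeholder at configuration time rather than as an empty password at deploy time.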
Examples
Example command loads a secret from a file:
    $ drone secrets add \
    -   octocat/hello-world SSH_KEY ${cat /path/to/.ssh/id_rsa}
    +   octocat/hello-world SSH_KEY @/path/to/.ssh/id_rsa
Example command enables use of credentials for pull requests:
    $ drone secrets add \
    +   --event=pull_request \
        octocat/hello-world DOCKER_PASSWORD correct-horse-battery-staple

Expose secrets to pull requests with caution. Exposing secrets to pull requests on a public repository allows anyone who can open a pull request to access your secrets.
Example command to skip yaml signature verification:
    $ drone secrets add \
    +   --skip-verify=true \
        octocat/hello-world DOCKER_PASSWORD correct-horse-battery-staple
Disabling signature verification is not recommended in untrusted environments. Disabling verification could allow an attacker to expose your secrets.