Secrets can be stored managed in your repository settings screen, and stored in the Drone database. This can be convenient if your organization does not have central secret management (Vault, AWS Secret Manager, etc).
Repository secrets can be referenced in your Yaml configuration file:
kind: pipeline name: default steps: - name: build image: alpine environment: USERNAME: from_secret: username PASSWORD: from_secret: password
Secrets are not exposed to pull requests by default. This prevents a bad actor from sending a pull request and attempting to expose your secrets. You can override this default behavior, at your own risk, by checking “Allow Pull Requests” when you create your secret.