Everything works but I had to include my credentials.zip (i.e., the credentials downloaded when I log in to Torizon Cloud with my personal account) into the repository so that the CI/CD pipeline can push to Torizon Cloud.
Isn’t this a security leak?
As a matter of fact, the default tcp templates ignore credentials.zip
so that it’s not shared around developers.
But I need that it’s in the repo for the pipeline to run.
Am I missing something?
Usually most CI/CD systems have a method to inject preset secret files/variables during the pipeline execution. That way the secret is available during the pipeline, without having to include the secret itself in the public repository.
Please do not include your credentials.zip into the repository, or to be more clear, never push this file to a public repository. The .gitignore has it there to make sure that this will not be leaked.
Hi @matheus.tx
thanks a lot!
Taking inspiration from the GitHub and GitLab way, I’ve been able to set up “the secure way” for the Azure DevOps pipeline.
Basically, it uses secret variables and a script in the YAML:
```yaml
- script: |
    echo $(PLATFORM_CREDENTIALS) | base64 -d > credentials.zip
  displayName: 'Fill the secrets for the pipeline'
  env:
    PLATFORM_CREDENTIALS: $(PLATFORM_CREDENTIALS) # Pass the secret variable to the script
```
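
A hardened form of the decode step above, as an added example that is not part of the original post. It assumes the same secret variable `PLATFORM_CREDENTIALS` is mapped into the step's environment on a Linux agent; the function names `write_credentials` and `credentials_tracked` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Assumes PLATFORM_CREDENTIALS
# holds the base64 text of credentials.zip and is mapped into the step's env.

# write_credentials <output-path>
# Decodes $PLATFORM_CREDENTIALS into <output-path> with owner-only permissions.
# Returns 1 if the variable is empty, 2 if base64 decoding fails,
# 3 if the decoded bytes do not start with the zip signature, 4 on mktemp failure.
write_credentials() {
    local out="$1" tmp magic
    if [ -z "${PLATFORM_CREDENTIALS:-}" ]; then
        echo "PLATFORM_CREDENTIALS is not set" >&2; return 1
    fi
    # mktemp creates the file with mode 0600, so the secret is never world-readable.
    tmp="$(mktemp "${out}.XXXXXX")" || return 4
    # Read the value from the environment instead of inlining it in the script text.
    if ! printf '%s' "$PLATFORM_CREDENTIALS" | base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo "secret is not valid base64" >&2; return 2
    fi
    # A non-empty zip archive starts with "PK\003\004" (50 4b 03 04).
    magic="$(head -c 4 "$tmp" | od -An -tx1 | tr -d ' \n')"
    if [ "$magic" != "504b0304" ]; then
        rm -f "$tmp"; echo "decoded secret is not a zip archive" >&2; return 3
    fi
    mv -f "$tmp" "$out"
}

# credentials_tracked <repo-dir>
# Returns 0 (true) if credentials.zip is tracked by git in <repo-dir>,
# i.e. someone committed it despite the .gitignore entry.
credentials_tracked() {
    git -C "$1" ls-files --error-unmatch credentials.zip >/dev/null 2>&1
}

# Usage inside the pipeline step:
#   if credentials_tracked .; then echo "credentials.zip is committed" >&2; exit 1; fi
#   write_credentials credentials.zip || exit 1
```

The error messages never print the secret value, so a failed step does not leak it into the pipeline log.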