Executor secrets
Executor secrets define additional values for use in Sourcegraph executors.
Secret values are currently only available in server-side batch changes. Use step.env
to reference configured secrets in executions.
How secrets work
Executor secrets are defined per-feature. If you want to define a secret for server-side batch changes, create a secret for that namespace. Batch Changes is currently the only namespace. Secrets are encrypted if encryption is on, and always redacted in log outputs.
There are two types of secrets:
- Global secrets: These secrets are defined by an admin in the site-admin interface and will be usable by every user on the Sourcegraph instance.
- Namespaced secrets: These secrets are set either in org or user settings and are only usable by the user or org members in their respective namespaces. If a namespaced secret has the same name as a global secret, the namespaced secret is preferred.
Examples:
Global secret GITHUB_TOKEN
: Can be used by every server-side batch change
User 1 secret GITHUB_TOKEN
: Can be used by batch changes created by user 1 in their own namespace; overrides the global secret
Org 1 secret GITHUB_TOKEN
: Can be used by batch changes created by any org member of org 1 in the org namespace; overrides the global secret
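The lookup rule above, modelled as an added example (this is not Sourcegraph's code). The Secret class, the resolve and redact helpers, the namespace strings, the NPM_TOKEN entry, the sample values and the REDACTED marker are all assumptions made for illustration.

```python
# Added illustration: a model of the lookup rule, not Sourcegraph's implementation.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Secret:
    name: str
    value: str
    namespace: Optional[str] = None  # None = global; otherwise e.g. "user:1" or "org:1"


# Constructed sample store mirroring the Examples list above (values are made up).
STORE = [
    Secret("GITHUB_TOKEN", "global-token-value"),
    Secret("GITHUB_TOKEN", "user1-token-value", "user:1"),
    Secret("GITHUB_TOKEN", "org1-token-value", "org:1"),
    Secret("NPM_TOKEN", "user1-npm-value", "user:1"),
]


def resolve(names, namespace, store=STORE):
    """Return {name: value} for the env names a step references, as seen from
    the namespace the batch change runs in. Unknown names are left unset."""
    env = {}
    for name in names:
        # Only global secrets and secrets of this exact namespace are visible.
        candidates = [s for s in store
                      if s.name == name and s.namespace in (None, namespace)]
        # A namespaced secret is preferred over a global one with the same name.
        candidates.sort(key=lambda s: s.namespace is None)
        if candidates:
            env[name] = candidates[0].value
    return env


def redact(line, env):
    """Mask every resolved secret value in a log line before it is stored."""
    # Longest value first, so a value that contains another is masked whole.
    for value in sorted(env.values(), key=len, reverse=True):
        if value:
            line = line.replace(value, "REDACTED")
    return line
```

A user without a GITHUB_TOKEN of their own falls back to the global value, so check which namespace a batch change runs in before assuming which credential it will use.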
Creating a new secret
To create a global secret, go to Site-admin > Executors/Secrets and click Add secret. To create a user secret, go to your user profile from the navbar > Settings > Executor secrets and click Add secret. To create an org secret, go to the org profile from the navbar > Executor secrets and click Add secret.
Then, fill in a name for the secret. This is the name of the environment variable through which the secret will be accessible. Next, fill in the secret value and hit Add secret.
Rotating a secret
To rotate a secret or to update the secret value, go to Executor secrets (see Creating a new secret). Next to the secret you want to update or rotate, click on Update. Fill in the new value and hit Update secret.
Note: Updating a secret invalidates the server-side batch change execution caches that reference it.
Removing a secret
To remove a secret, go to Executor secrets (see Creating a new secret). Next to the secret you want to delete, click on Remove.
Note: Removing a secret invalidates the server-side batch change execution caches that reference it.