We currently have an issue with our private GitLab repo, in which we are passing in AWS secrets using Drone v1. A concern has been raised that in the future anyone with malicious intent and access to the repo could create and push to an unprotected branch with something like an echo env command to export any of the secrets being passed into the build in the .drone.yml file.
Do you know if there is any solution to an issue like this? Is it possible to pull a Drone file from an upstream repo, or is there a way to still protect the Drone file in a private setting?
Any advice anyone can offer would be greatly appreciated.