I’m new to Drone, sorry if I’m asking a silly question.
It seems to me that anyone can read the secrets that are passed as environment variables, given they manage to guess the variable names. I believe it can be very scary to store SSH keys in env vars if anyone with access to my web UI can read them by triggering a build with a maliciously prepared .drone.yml file.
Am I missing something? Should I put my Drone web UI behind basic auth?