[SOLVED] Drone 1.0.0-rc.1 secret doesn't work


#1
- name: alpine
  image: alpine
  environment:
    USERNAME:
      from_secret: MAC_USER
  commands:
  - echo ${MAC_USER}/${USERNAME}
  - echo ${DRONE_TAG}/${DRONE_BRANCH}/${DRONE_COMMIT}

- name: ssh-docker-host
  image: appleboy/drone-ssh
  settings:
    host: host.docker.internal
    port: 22
    username:
      from_secret: MAC_USER
    password:
      from_secret: MAC_PASSWORD
    script:
    - date -R
    - system_profiler SPSoftwareDataType
    - bash -lc 'flutter --version'
    - date -R
+ echo /
/
+ echo /master/706345abefd33d3d80409a45e39d71b016e8a0aa
/master/706345abefd33d3d80409a45e39d71b016e8a0aa

it doesn’t print MAC_USER or USERNAME

======CMD======
date -R
system_profiler SPSoftwareDataType
bash -lc 'flutter --version'
date -R
======END======
out: Mon, 03 Dec 2018 01:01:00 +0800
out: Software:
out: 
out:     System Software Overview:
out: 
out:       System Version: macOS 10.14.1 (18B75)
out:       Kernel Version: Darwin 18.2.0
out:       Boot Volume: Macintosh HD
out:       Boot Mode: Normal
out:       Computer Name: ********-mbp
out:       User Name: 林恒龙 (********)
out:       Secure Virtual Memory: Enabled
out:       System Integrity Protection: Enabled
out:       Time since boot: 3:58
out: 
out: Flutter 0.11.13 • channel beta • https://github.com/flutter/flutter.git
out: Framework • revision 58c8489fcd (3 days ago) • 2018-11-29 19:20:18 -0500
out: Engine • revision 7375a0f414
out: Tools • Dart 2.1.0 (build 2.1.0-dev.9.4 f9ebf21297)
out: Mon, 03 Dec 2018 01:01:01 +0800
==========================================
Successfully executed commands to all host.
==========================================

#2

you need to do this:

  - name: alpine
    image: alpine
    environment:
      USERNAME:
        from_secret: MAC_USER
    commands:
-   - echo ${USERNAME}
+   - echo $USERNAME

or this:

  - name: alpine
    image: alpine
    environment:
      USERNAME:
        from_secret: MAC_USER
    commands:
-   - echo ${USERNAME}
+   - echo $${USERNAME}

This is because when you include a $ in your yaml it needs to be escaped:

You can use a $$ (double-dollar sign) when your configuration needs a literal dollar sign. This prevents Drone from interpolating a value, so a $$ allows you to refer to environment variables that you don’t want processed by Drone.


#3

:slight_smile: … thanks a lot …


#4
- name: build-ios
  image: appleboy/drone-ssh
  environment:
    MAC_USER:
      from_secret: MAC_USER
    MAC_PASSWORD:
      from_secret: MAC_PASSWORD
  settings:
    host: host.docker.internal
    port: 22
    username:
      from_secret: MAC_USER
    password:
      from_secret: MAC_PASSWORD
    command_timeout: 600
    envs: [ MAC_USER,MAC_PASSWORD ]
    script:
    - date -R
    - echo $${MAC_USER}/$${MAC_PASSWORD}
    - bash -lc 'security unlock-keychain -p 123456 login.keychain'
    - bash -lc 'security unlock-keychain -p $${MAC_PASSWORD} login.keychain'
    - date -R
======CMD======
date -R
echo ${MAC_USER}/${MAC_PASSWORD}
bash -lc 'security unlock-keychain -p ******** login.keychain'
bash -lc 'security unlock-keychain -p ${MAC_PASSWORD} login.keychain'
date -R
======END======
out: Mon, 03 Dec 2018 09:49:29 +0800
out: ********/********
out: Mon, 03 Dec 2018 09:49:29 +0800
err: security: SecKeychainUnlock <NULL>: The user name or passphrase you entered is not correct.
==========================================
Successfully executed commands to all host.
==========================================

secret doesn’t work in command line

- bash -lc 'security unlock-keychain -p $${MAC_PASSWORD} login.keychain'
err: security: SecKeychainUnlock <NULL>: The user name or passphrase you entered is not correct.

#5

This is a problem with your bash scripting. You are using single-quotes in your script. When you use single quotes, it is a string literal, and your environment variables will not be expanded.

see this stackoverflow: https://stackoverflow.com/questions/13799789/expansion-of-variable-inside-single-quotes-in-a-command-in-bash


#6

Also, if I understand your post correctly, you are also trying to run this from command line with drone exec (if I misunderstood, you can ignore this). When you run your pipeline locally you need to pass your secrets to drone exec. The drone exec command does not have any access to secrets stored in the drone server.

$ cat <<EOF > secrets.txt
MAC_USER=xxxx
MAC_PASSWORD=yyyy
EOF
$ drone exec --secret-file=secrets.txt

#8

ssh should use

bash -lc 'xxx'

load environment


#9

:slight_smile: thanks a lot, I have solved it.

- name: ssh-docker-host
  image: appleboy/drone-ssh
  environment:
    MAC_USER:
      from_secret: MAC_USER
    MAC_PASSWORD:
      from_secret: MAC_PASSWORD
  settings:
    host: host.docker.internal
    port: 22
    username:
      from_secret: MAC_USER
    password:
      from_secret: MAC_PASSWORD
    envs: [ MAC_USER,MAC_PASSWORD ]
    script:
    - date -R
    - system_profiler SPSoftwareDataType
    - bash -lc 'flutter --version'
    - echo $MAC_USER/$MAC_PASSWORD
    - echo $${MAC_USER}/$${MAC_PASSWORD}
    - bash -lc 'security unlock-keychain -p '$${MAC_PASSWORD}' login.keychain'
    - date -R