[SOLVED] Unable to pass SSH key as a secret

Hello, I just recently installed Drone on my private server.


Create a CI pipeline that will:

  1. Clone a Git repository using SSH keys
  2. Modify a text file in it
  3. Push the Git repository to its origin.


samaya is the repository for which I want to use the CI pipeline.
ssh://aur@aur.archlinux.org/samaya-git.git is the SSH repository to which I would like to push a change after every commit.

Here is the .drone.yml file I wrote:

kind: pipeline
type: docker
name: samaya

steps:
  - name: default
    image: archlinux/base:latest
    secrets: [ sshkey ]
    commands:
      - echo "$${sshkey}"
      - env

---
kind: secret
name: sshkey
data: iI13N4RUa5/kH8RRvOY659l9OgAKGMsCOCxHe3jAwgSN/zy2kYU=

And, here is the output when running the command: drone exec:

I have tested running the build on my private server, but there too the secret variable doesn’t seem to be passed. Please guide me on how to clone a git repository using SSH and push it back securely.

Note: This is my first time self-hosting a CI/CD service and my third time ever using CI/CD software. Please kindly correct me if I am making a silly mistake 🙂

Hi there, the syntax you are using to inject your secrets is incorrect. See https://docs.drone.io/configure/secrets/repository/

Also note that drone exec does not communicate with the Drone server and therefore does not have any access to a secret that you store in the Drone server.

Thank you so much for replying quickly 🙂. I have previously followed the documentation that you have just provided me, but that too seems to not work for me. I would prefer to store my secrets inside the .drone.yml file itself, as I have read in the documentation that it is possible.

My problem is that before I can get a working .drone.yml file, I would have already pushed a non-working .drone.yml file 50 times to my repository, which becomes a mess. How can I test my .drone.yml file by running the pipeline locally before I push the .drone.yml file to my repository?

Thank You 🙂

My previous comments still hold true.

The only way to inject a secret as an environment variable is to use the from_secret syntax, as documented at https://docs.drone.io/configure/secrets/encrypted/

The drone exec command is offline and does not have any communication with the drone server. The decryption key is stored on the Drone server. Therefore, the exec command cannot decrypt secrets.

> How can I test my .drone.yml file by running the pipeline locally before I push the .drone.yml file to my repository?

There is a command line flag to pass plain-text secrets to the command line utility. See Secrets with drone exec.
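Added example, not part of the original thread or the Drone project's own configuration: the pipeline from the question rewritten with the `from_secret` syntax the reply points to, with the `echo` and `env` commands dropped so the key is never printed to the build log. The variable names `SSH_KEY` and `AUR_KNOWN_HOSTS`, the second secret `aur_known_hosts`, the key file name `deploy_key`, and the `pacman` install step are assumptions; the `data:` value is a placeholder.

```yaml
kind: pipeline
type: docker
name: samaya

steps:
  - name: default
    image: archlinux/base:latest
    environment:
      # Map the secret named "sshkey" to an environment variable (name is an assumption).
      SSH_KEY:
        from_secret: sshkey
      # Assumption: a second secret holding the pinned known_hosts line for aur.archlinux.org.
      AUR_KNOWN_HOSTS:
        from_secret: aur_known_hosts
    commands:
      # Assumption: the base image does not ship git or an SSH client.
      - pacman -Sy --noconfirm git openssh
      - install -d -m 700 "$HOME/.ssh"
      # Write the key with owner-only permissions; the shell in the container expands $SSH_KEY.
      - (umask 077; printf '%s\n' "$SSH_KEY" > "$HOME/.ssh/deploy_key")
      - printf '%s\n' "$AUR_KNOWN_HOSTS" > "$HOME/.ssh/known_hosts"
      # Use only this key and refuse hosts that are not in the pinned known_hosts file.
      - export GIT_SSH_COMMAND="ssh -i $HOME/.ssh/deploy_key -o IdentitiesOnly=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts -o StrictHostKeyChecking=yes"
      - git clone ssh://aur@aur.archlinux.org/samaya-git.git
      # Modify the text file and commit here (steps not given in the thread), then push.
      - git -C samaya-git push origin HEAD
      # Remove the key material before the step ends.
      - rm -f "$HOME/.ssh/deploy_key"

---
kind: secret
name: sshkey
# Placeholder: encrypted value produced for this repository by the Drone server.
data: <ENCRYPTED_SSHKEY_PLACEHOLDER>
```

Because `drone exec` cannot decrypt the `kind: secret` block, a local run needs the plain-text value supplied another way, for example with `drone exec --secret-file <file>`, where the file is kept out of the repository.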

Great, it worked this time. But I already did a few failed builds with the wrong .drone.yml configuration. Is there any way I can delete old builds on the server?