I have a question/concern regarding the use of SSH keys in BP. Here's the scenario:
Suppose that when a pipeline runs and all my tests within have passed, I like to tag the associated commit in Bitbucket. Naturally, this means my Docker container has to have a private key written to it, which is not a problem. I use the suggested technique of having an environment variable store the obfuscated key, then:
umask 077 - echo $MY_SSH_KEY | base64 --decode > ~/.ssh/id_rsa
So, no problem there. I now have the ability to push back to my repo. Great. But, here's the issue:
Now suppose I allow people to fork and make PRs. If I merge in an outside party's PR (after a review, obviously), I risk having malicious code in my repo. This code could, say, send all the environment variables in the Docker container within a unit test. So, some outside party could get my SSH key.
- is there a way to limit what environment variables make it to what BP steps
- if not, could this be an included feature...or...
- maybe I'm on the wrong track all together?
Actually, one thing I just realized I could do is:
- break the pipeline up into steps that have share a built artifact
- in the step that does the test and build, the first line would be to erase the environment variable
- the step that does the tagging would do the id_rsa write above (instead of erasing the environment variable)
Did I just solve my own problem?