NixCI can provide secrets to your impure tests and deployments as environment variables.
Secrets are declared in your NixCI configuration using the `secrets` list of a test or deploy section. Once a secret is declared, it is required for that job. You set a secret's value in the Secrets overview of your repository; the configuration only names the secret, it never contains the value itself.

For example, this test is declared to require the `FORGE_ACCESS_TOKEN` secret:
```nix
{
  test = {
    example = {
      branches = "default";
      package = "packages.x86_64-linux.impure-test";
      secrets = ["FORGE_ACCESS_TOKEN"];
    };
  };
}
```
And this deployment requires the same secret:
```nix
{
  deploy = {
    example = {
      package = "packages.x86_64-linux.deploy-to-prod";
      secrets = ["FORGE_ACCESS_TOKEN"];
    };
  };
}
```
During the job, the `FORGE_ACCESS_TOKEN` environment variable is set to the secret's value. Anything the job runs inherits that environment, so take care not to echo it into build logs or pass it on a command line where other processes can read it.

NixCI has special support for SSH keys. You could provide an SSH private key as a regular secret, but it can be difficult to get `libcrypto` (and therefore `ssh`) to load a private key from an environment variable: OpenSSH expects key material in a file on disk. NixCI can take care of this for you. When you declare a secret as an SSH key, NixCI writes the key to a file during the job and points the environment variable at that file path instead of at the key material itself.
In this example impure test, the `CI_SSH_KEY` secret is declared as an SSH key with the given public key:
```nix
{
  test = {
    example = {
      branches = "default";
      package = "packages.x86_64-linux.impure-test";
      ssh-keys = [{
        public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJSjGhDsCpOGTldxNvLP3NCM1eLMNxjHKKg4y2my1PS";
        secret = "CI_SSH_KEY";
      }];
    };
  };
}
```
For a deployment:
```nix
{
  deploy = {
    example = {
      package = "packages.x86_64-linux.deploy-to-prod";
      ssh-keys = [{
        public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJSjGhDsCpOGTldxNvLP3NCM1eLMNxjHKKg4y2my1PS";
        secret = "CI_SSH_KEY";
      }];
    };
  };
}
```
During the job, the `CI_SSH_KEY` environment variable is set to the file path of the private key, not to the key itself. You can then pass that path to `ssh` with the `-i` option:

```sh
ssh -i "$CI_SSH_KEY" user@server
```
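The two mechanisms above (a plain secret exposed as a value, and an SSH key exposed as a file path) are easy to misuse from an impure test or deploy script: a secret that was never set fails late and confusingly, a key file that does not match the declared public key is only discovered when the server refuses it, and a bare `ssh -i` will happily offer other identities and accept unknown host keys. The following helper library is an added example written for this page; it is not NixCI code and is not from the NixCI documentation. It assumes only what the page states: `FORGE_ACCESS_TOKEN` holds the token value and `CI_SSH_KEY` holds the path of the key file. The `known_hosts` path, the `deploy@example.invalid` host, `deploy.sh`, the `NIXCI_EXAMPLE_RUN` guard and the `SSH_BIN` override are hypothetical names introduced for the example.

```shell
#!/bin/sh
# Added example for this page (not part of NixCI or its documentation): helpers for an
# impure test or deploy script that consumes NixCI secrets defensively.
# Assumptions: NixCI has exported FORGE_ACCESS_TOKEN (the token value) and CI_SSH_KEY
# (a path to the private key file) exactly as described above. The known_hosts path,
# the remote host, deploy.sh, NIXCI_EXAMPLE_RUN and SSH_BIN are hypothetical.

# require_secret NAME: fail if the named variable is unset or empty, so a job whose
# secret never arrived stops here instead of failing later in a confusing way.
# The name is validated before it reaches eval so no shell metacharacters get in.
require_secret() {
  name="$1"
  case "$name" in
    "" | *[!A-Za-z0-9_]*) echo "require_secret: bad variable name '$name'" >&2; return 2 ;;
  esac
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "require_secret: secret $name is not set" >&2
    return 1
  fi
}

# check_ssh_key_file PATH [EXPECTED_PUBLIC_KEY]: confirm that the path NixCI put in
# CI_SSH_KEY is a readable, non-empty file. When the public key from the ssh-keys
# declaration is passed and ssh-keygen is available, also confirm that the private
# key really corresponds to it (key type and base64 blob only; comments are ignored).
check_ssh_key_file() {
  path="$1"
  expected_pub="${2:-}"
  [ -n "$path" ] && [ -r "$path" ] && [ -s "$path" ] || return 1
  if [ -n "$expected_pub" ] && command -v ssh-keygen >/dev/null 2>&1; then
    actual_pub=$(ssh-keygen -y -f "$path" 2>/dev/null) || return 1
    set -- $actual_pub;   actual="$1 $2"
    set -- $expected_pub; expected="$1 $2"
    [ "$actual" = "$expected" ] || return 1
  fi
  return 0
}

# run_ssh KEY KNOWN_HOSTS [ssh args...]: run ssh pinned to the provided key only
# (IdentitiesOnly stops ssh from offering agent or default identities), with host keys
# checked against a known_hosts file shipped with the job rather than accepted on first
# use, and BatchMode so a missing host key or passphrase fails instead of prompting.
# SSH_BIN may be overridden (e.g. with a shell function) to dry-run the invocation.
run_ssh() {
  key="$1"
  known_hosts="$2"
  shift 2
  "${SSH_BIN:-ssh}" -i "$key" \
    -o IdentitiesOnly=yes \
    -o StrictHostKeyChecking=yes \
    -o UserKnownHostsFile="$known_hosts" \
    -o BatchMode=yes \
    "$@"
}

# Example job body. It only runs when NIXCI_EXAMPLE_RUN=1 so this file can also be
# sourced as a library. The public key is the one from the configuration above.
main() {
  require_secret FORGE_ACCESS_TOKEN || exit 1
  require_secret CI_SSH_KEY || exit 1
  check_ssh_key_file "$CI_SSH_KEY" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJSjGhDsCpOGTldxNvLP3NCM1eLMNxjHKKg4y2my1PS" \
    || { echo "CI_SSH_KEY does not match the declared public key" >&2; exit 1; }
  # FORGE_ACCESS_TOKEN is now known to be present for whatever the job does locally;
  # it is deliberately not placed on the ssh command line, where it would be visible
  # in process listings on both ends.
  run_ssh "$CI_SSH_KEY" ./known_hosts deploy@example.invalid ./deploy.sh
}

if [ "${NIXCI_EXAMPLE_RUN:-}" = 1 ]; then
  main
fi
```

Run it as the entry point of the impure test or deploy package with `NIXCI_EXAMPLE_RUN=1`, or source it and call the functions from your own script. The `check_ssh_key_file` comparison against the declared `public-key` is cheap insurance: if the value stored under `CI_SSH_KEY` in the repository's Secrets overview is ever replaced with a different key, the job fails with a clear message instead of an opaque authentication error from the server.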