CircleCI 2.0 - Private Environment Keys for Public Repositories

I have a repo that is currently closed. My Firebase token is stored as Env Var in the CircleCI GUI. CircleCI 2.0 documentation clearly states

Don't add keys or secrets to the public CircleCI project

Also, from what I can find in the FAQ, the CircleCI project becomes public if the linked GitHub repo becomes public.

Now I intend to open the original project on GitHub, will it make the Env Var in CircleCI visible to everyone, since the CircleCI project will become public?

If the Env Var is public, then what's the recommended way to keep my deployment token hidden from others? Should I resort to a solution like GCP KMS?

+3

2 answers


A CircleCI employee clarified this for me on their forums.

This warning is for config [.yml]. You can safely use UI-based CircleCI environment variables.

If the repo / project is public, you just want to make sure that:

  • env vars on forked builds are disabled in settings
  • you don't echo / print these variables in any build output at all, as this might be visible to the public


Thus, there is the possibility of a public repo (and therefore a CircleCI public project) with secure settings for deployment keys in the CircleCI GUI.

+1
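The two conditions in this answer (secrets withheld from forked builds, secrets never printed) can be enforced in the deploy step itself. The helpers below are an added example, not code from the answer or from CircleCI: `require_secret` fails the step when the variable is absent (as it is on a forked-PR build once secret passing is disabled) rather than deploying with an empty token, `mask_secret` scrubs the token from a step's output before it reaches the public log, and `log_leaks_secret` checks a captured log after the fact. The variable name and token value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original question or answers).
# Helpers for a CircleCI deploy step whose build log is public.
# FIREBASE_TOKEN and its value below are constructed placeholders.

require_secret() {            # usage: require_secret VAR_NAME
    eval "val=\${$1:-}"
    if [ -z "$val" ]; then
        echo "error: $1 is not set; refusing to deploy" >&2
        return 1
    fi
}

mask_secret() {               # usage: some_cmd 2>&1 | mask_secret "$SECRET"
    [ -n "$1" ] || { cat; return 0; }   # nothing to mask
    # Literal (not regex) replacement, so tokens with '.' or '/' are safe,
    # and the output is rebuilt separately so the mask text is never re-scanned.
    awk -v s="$1" '{
        out = ""; line = $0
        while ((i = index(line, s)) > 0) {
            out = out substr(line, 1, i - 1) "[MASKED]"
            line = substr(line, i + length(s))
        }
        print out line
    }'
}

log_leaks_secret() {          # usage: log_leaks_secret LOGFILE "$SECRET"; 0 = leaked
    grep -qF -- "$2" "$1"
}

# Demo with a constructed token (not a real Firebase token).
FIREBASE_TOKEN='1//0CONSTRUCTED-example.token/abc'
export FIREBASE_TOKEN
log=$(mktemp)
# A careless step that echoes the token, exactly what the answer warns against:
sh -c 'printf "deploying with token %s\n" "$FIREBASE_TOKEN"' > "$log"
log_leaks_secret "$log" "$FIREBASE_TOKEN" && echo "leak: token visible in raw log"
# The same step routed through the scrubber leaves no trace of the token:
sh -c 'printf "deploying with token %s\n" "$FIREBASE_TOKEN"' 2>&1 \
    | mask_secret "$FIREBASE_TOKEN" > "$log"
log_leaks_secret "$log" "$FIREBASE_TOKEN" || echo "ok: masked log is clean"
rm -f "$log"
```

In a real job the deploy command (for example the Firebase CLI invoked with the token) would replace the `sh -c` lines, with `require_secret FIREBASE_TOKEN` run first.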


It looks like you are using CircleCI for your repo, but the open source version of your project will not require deployment tools like Firebase. If that's right, then you should keep the Firebase deployment token wherever it's convenient and safe for you.

It also looks like you just keep the deployment token right in your repo right now, since it's private. If you only have a few secrets in your repo, something like git-crypt might suit your needs. Once you hit a big volume, you probably want something centralized, and Cloud KMS for encrypting secrets is one option.

0
