Reputation: 745
I have a repo that is currently private. My Firebase deployment token is stored as an Env Var in the CircleCI GUI. The CircleCI 2.0 documentation clearly states
Do not add keys or secrets to a public CircleCI project
Also, from what I can find in the FAQ, a CircleCI project is made public if the associated GitHub repo is made public.
Now that I intend to open-source the project on GitHub, will it make the Env Var in CircleCI visible to anyone, since the CircleCI project will become public?
If the Env Var is publicly visible, what is an advised way to keep my deployment token hidden from others? Do I have to resort to a solution like GCP KMS?
Upvotes: 3
Views: 482
Reputation: 745
A CircleCI Employee clarified this for me on their forums.
That warning is meant for the config[.yml]. You can use UI-based CircleCI environment variables safely.
If the repo/project is public, you'll just want to make sure that:
- envars in forked builds are turned off in settings
- you don't echo/print those variables to build output at all since that might be visible to the public
So it is possible to have a public repo (and thus public CircleCI project) with deployment keys safely configured in the CircleCI GUI.
Upvotes: 1
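The two rules in the answer above (keep the token in the CircleCI UI but out of forked builds, and never let it reach the build log) are easy to break accidentally with `set -x` or with a tool that echoes its own arguments. The following is an added example, not code from the original post or from CircleCI; it assumes the UI-defined variable is named FIREBASE_TOKEN (pick whatever name you used) and that the deploy tool takes the token as a `--token` argument, as the Firebase CLI does. It refuses to deploy when the variable is absent, which is the expected state of a forked-PR build once secret passing to forks is turned off, and redacts the token from any output the tool produces before that output reaches the public log.

```shell
#!/bin/sh
# Added example (not from the original post or from CircleCI's docs).
# Assumes the UI-defined variable is named FIREBASE_TOKEN (an assumption; use
# whatever name you chose in Project Settings > Environment Variables) and that
# the deploy tool takes the token as a --token argument, as the Firebase CLI does.

# True (exit 0) when the deploy token is present. It reads the variable but
# never prints it.
have_deploy_token() {
    [ -n "${FIREBASE_TOKEN:-}" ]
}

# Copy stdin to stdout with every literal occurrence of the token replaced.
# awk's index() is a plain substring search, so no regex escaping is needed
# (awk -v does interpret backslash escapes; Firebase tokens contain none).
redact_stream() {
    if [ -z "${FIREBASE_TOKEN:-}" ]; then
        cat
        return
    fi
    awk -v secret="$FIREBASE_TOKEN" '
        {
            s = $0; out = ""
            while ((i = index(s, secret)) > 0) {
                out = out substr(s, 1, i - 1) "[REDACTED]"
                s = substr(s, i + length(secret))
            }
            print out s
        }'
}

# Redact a single line given as an argument (convenience wrapper).
redact_line() {
    printf '%s\n' "$1" | redact_stream
}

# Run the deploy command given as arguments, appending the token. Returns the
# command's exit status, or 2 when the token is absent (the expected state of a
# forked-PR build when secrets are not passed to forks).
run_deploy() {
    if ! have_deploy_token; then
        echo "FIREBASE_TOKEN is not set; skipping deploy" >&2
        return 2
    fi
    # xtrace would print the expanded command line, token included, into the
    # build log; make sure it is off before the token is used.
    set +x
    tmp=$(mktemp) || return 1
    "$@" --token "$FIREBASE_TOKEN" >"$tmp" 2>&1
    status=$?
    # Output is redacted before it reaches the build log in case the tool
    # echoes its arguments or embeds the token in an error message.
    redact_stream <"$tmp"
    rm -f "$tmp"
    return "$status"
}

# Typical use from a CircleCI run step (not executed here):
#   run_deploy firebase deploy --only hosting
```

Keep the token as a command-line argument or environment variable at the point of use only; never write it into a file that gets stored as an artifact, and never `echo` it to "check" that it is set, as `have_deploy_token` shows you can test for presence without revealing the value.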
Reputation: 158
It sounds like you're using CircleCI for your repo, but the open-source version of your project won't require deployment tools like Firebase. If that's right, then you should keep the Firebase deployment token wherever it's convenient and secure for you.
It also sounds like maybe you're just keeping the deployment token directly in your repo right now, since that's private. If you only have a handful of secrets in your repo, something like git-crypt might meet your needs. Once you hit a larger volume, you're probably going to want something centralized, and using Cloud KMS to encrypt secrets is one option.
Upvotes: 0