patrick

Reputation: 21

Azure pipelines Secret Variables don't work on PR triggers

I have an Azure pipeline with a secret variable that triggers on pull requests. When triggered, the secret variable is not available to the pipeline.

Secret Variable works when triggered by commits to a branch.

pipeline

pr:
  branches:
    include:
    - '*'
trigger:
  branches:
    exclude:
    - '*'

jobs:
- job:
  pool:
    vmImage: 'ubuntu-latest'
  timeoutInMinutes: 360
  displayName: 'Running test'
  steps:
  - bash: |
      if [ -z "$(system.pullRequest.sourceRepositoryUri)" ]
      then
        python3 runTest.py \
          --config "blessedImageConfig-temp.json" \
          --code $(SecretCode)
      else
        python3 runTest.py \
          --config "blessedImageConfig-temp.json" \
          --pullRepo $(system.pullRequest.sourceRepositoryUri) \
          --pullId $(system.pullRequest.pullRequestNumber) \
          --code $(SecretCode)
      fi

Secret variable added via the webUI

output and error

Generating script.
========================== Starting Command Output ===========================
[command]/bin/bash --noprofile --norc /home/vsts/work/_temp/95f6ae7c-d2e1-4ebd-891c-2d998eb4b1d9.sh
/home/vsts/work/_temp/95f6ae7c-d2e1-4ebd-891c-2d998eb4b1d9.sh: line 7: SecretCode: command not found
usage: runTest.py [-h] [--config CONFIG] [--code CODE] [--pullId PULLID]
                  [--pullRepo PULLREPO]
runTest.py: error: argument --code: expected one argument
##[error]Bash exited with code '2'.

Upvotes: 1

Views: 448

Answers (1)

Mengdi Liang

Reputation: 18958

SecretCode: command not found

This error is caused by the fact that it's a secret variable, and it was passed on the command line in the incorrect way.

You may feel confused about this. But in fact, Microsoft has warned about this in the docs: Never pass secrets on the command line. That's by design.

I once met a similar issue in my Docker build. I solved it by mapping the secret variable's value into an environment variable, which is also mentioned in the Variables doc.

For your Bash task, there is also a solution for secret variables: 'Use the environment variables input to pass secret variables to this script', and setting targetType == Inline is necessary.

So, you can add the script below into your Bash task script, to map the secret variable into the environment variable:

- task: Bash@3
  inputs:
    targetType: 'inline'
    script: |
      echo $code
  env:
    # map the secret variable into an environment variable for the script
    code: $(SecretCode)

Upvotes: 1
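
The env mapping from the answer applied to the question's step, as an added example that is not part of the original posts. The environment variable name SECRET_CODE is an assumption; the runTest.py flags and the config file name are taken from the question.

```yaml
# Added example, not the asker's or answerer's own pipeline.
steps:
- task: Bash@3
  displayName: 'Running test'
  inputs:
    targetType: 'inline'
    script: |
      set -euo pipefail
      # Secret variables reach a script only through the env mapping below.
      # If the variable is not defined for this run, the macro is left as
      # literal text, so reject both an empty value and an unexpanded macro.
      case "${SECRET_CODE:-}" in
        ''|\$\(*)
          echo "##[error]SecretCode is not available to this run" >&2
          exit 1
          ;;
      esac

      args=(--config "blessedImageConfig-temp.json")
      # Predefined variables are exported upper-cased with '.' replaced by '_'.
      if [ -n "${SYSTEM_PULLREQUEST_SOURCEREPOSITORYURI:-}" ]; then
        args+=(--pullRepo "$SYSTEM_PULLREQUEST_SOURCEREPOSITORYURI")
        args+=(--pullId "$SYSTEM_PULLREQUEST_PULLREQUESTNUMBER")
      fi

      # runTest.py only accepts the value through --code (per its usage
      # output), so it still appears in that process's argument list;
      # the secret is no longer written into the generated script file.
      python3 runTest.py "${args[@]}" --code "$SECRET_CODE"
  env:
    SECRET_CODE: $(SecretCode)  # assumed env name; maps the secret explicitly
```

With this guard, a run that lacks the secret stops with a readable error instead of the `SecretCode: command not found` and `expected one argument` messages shown in the question.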
