Executor secrets

Executor secrets can be used to define additional values to be used in Sourcegraph executors.

Secret values are currently only available in server-side batch changes. Use step.env to reference configured secrets in executions.

How secrets work

Executor secrets are defined per-feature. If you want to define a secret for server-side batch changes, create a secret for that namespace. Batch Changes is currently the only namespace. Secrets are encrypted if encryption is on, and always redacted in log outputs.

There are two types of secrets:

  • Global secrets: These secrets are defined by an admin in the site-admin interface and will be usable by every user on the Sourcegraph instance.
  • Namespaced secrets: These secrets are set either in org or user settings and are only usable by the user or org members in their respective namespaces. If a namespaced secret has the same name as a global secret, the namespaced secret is preferred.

Examples:

Global secret GITHUB_TOKEN: Can be used by every server-side batch change

User 1 secret GITHUB_TOKEN: Can be used by batch changes created by user 1 in their own namespace, overwrites the global secret

Org 1 secret GITHUB_TOKEN: Can be used by batch changes created by any org member of org 1 in the org namespace, overwrites the global secret

Creating a new secret

To create a global secret, go to Site-admin > Executors/Secrets and click Add secret. To create a user secret, go to your user profile from the navbar > Settings > Executor secrets and click Add secret. To create an org secret, go to the org profile from the navbar > Executor secrets and click Add secret.

Then, fill in a name for the secret. This will be the name of the environment variable it will be accessible as. Next, fill in the secret value and hit Add secret.

Rotating a secret

To rotate a secret or to update the secret value, go to Executor secrets (see Creating a new secret). Next to the secret you want to update or rotate click on Update. Fill in the new value and hit Update secret.

Note: When updating secrets server-side batch changes execution caches that reference the secret will be invalidated.

Removing a secret

To remove a secret, go to Executor secrets (see Creating a new secret). Next to the secret you want to delete click on Remove.

Note: When removing secrets server-side batch changes execution caches that reference the secret will be invalidated.