Executor secrets can be used to define additional values to be used in Sourcegraph executors.
Secret values are currently only available in server-side batch changes. Use
step.env to reference configured secrets in executions.
How secrets work
Executor secrets are defined per-feature. If you want to define a secret for server-side batch changes, create a secret for that namespace (examples of namespaces are "Code Graph" and "Batch Changes"). Secrets are encrypted if encryption is on, and always redacted in log outputs.
There are two types of secrets:
These secrets are defined by an admin in the site-admin interface and will be usable by every user on the Sourcegraph instance.
These secrets are set either in org or user settings and are only usable by the user or org members in their respective namespaces. If a namespaced secret has the same name as a global secret, the namespaced secret is preferred.
Can be used by every server-side batch change
User 1 secret
Can be used by batch changes created by user 1 in their own namespace, overwrites the global secret
Org 1 secret
Can be used by batch changes created by any org member of org 1 in the org namespace, overwrites the global secret
Creating a new secret
To create a global secret, go to Site-admin > Executors/Secrets and click Add secret. To create a user secret, go to your user profile from the navbar > Settings > Executor secrets and click Add secret. To create an org secret, go to the org profile from the navbar > Executor secrets and click Add secret.
Then, fill in a name for the secret. This will be the name of the environment variable it will be accessible as. Next, fill in the secret value and hit Add secret.
Rotating a secret
To rotate a secret or to update the secret value, go to Executor secrets (see Creating a new secret). Next to the secret you want to update or rotate click on Update. Fill in the new value and hit Update secret.
Note: When updating secrets server-side batch changes execution caches that reference the secret will be invalidated.
Removing a secret
To remove a secret, go to Executor secrets (see Creating a new secret). Next to the secret you want to delete click on Remove.
Note: When removing secrets server-side batch changes execution caches that reference the secret will be invalidated.