Secrets and Env Vars

Every secret environment variable (secret env var) is an env var, but not every environment variable (env var) is a secret env var!

About Env Vars

In your Workflow Editor, you can set an env var with a key and a value in the Env Vars tab, which is a collection of all the env vars registered for your app. Env vars can be referenced as many times as you wish in any of your workflow steps, unless you set them for a specific workflow.

Check out our short YouTube tutorial on how to insert variables in step inputs!

If you click the insert variable button next to any step input field in your workflow, you can select the suitable env var from the Insert variable pop-up window. This interactive list displays all the available env vars you have set in the Env Vars tab and those that have already been generated by previous steps in the workflow. As an example, if you click into an input of the third step of your workflow, the Insert variable list will include all the env vars (outputs) generated by the first and second steps, and the ones you have registered in Env Vars. The list will not show those which will be generated by the fourth, fifth, or sixth steps.

You can also replace the variable with a new one in Env Vars. Delete the old value and set the new one. If you toggle the Replace variables in inputs to the right, the new value will be used everywhere in your workflow.

Protect your secrets

Unlike secret env vars, env vars are fully exposed in builds triggered by pull requests, so you should not add any sensitive information to Env Vars.
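
One way to check for this, as an added example that is not part of the original page or Bitrise's own tooling: a heuristic scan of a bitrise.yml for env vars whose key looks sensitive and whose value is a literal. The `app`/`workflows` `envs` layout, the `$NAME` reference form, the key-name pattern and the sample file are assumptions constructed for illustration.

```python
import re

# Constructed sample; the app/workflow `envs` layout is an assumption.
SAMPLE_YML = """\
app:
  envs:
  - BITRISE_PROJECT_PATH: MyApp.xcodeproj
  - API_TOKEN: "tok_constructed_123"
  - SLACK_WEBHOOK: $SLACK_WEBHOOK_SECRET
workflows:
  deploy:
    envs:
    - DEPLOY_PASSWORD: constructed-example-value
    steps:
    - script:
  primary:
    envs:
    - BUILD_CONFIG: Release
"""

# Hypothetical naming heuristic for keys that probably hold credentials.
SENSITIVE_KEY = re.compile(
    r"SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE|CREDENTIAL|WEBHOOK", re.I)
ENVS_HEADER = re.compile(r"^(\s*)envs:\s*$")
ENV_ITEM = re.compile(r"^\s*-\s*([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")

def find_plaintext_secrets(yml_text):
    """Return (line number, key) for sensitive-looking keys set to literals."""
    findings, envs_indent = [], None
    for lineno, line in enumerate(yml_text.splitlines(), 1):
        header = ENVS_HEADER.match(line)
        if header:
            envs_indent = len(header.group(1))
            continue
        if envs_indent is None or not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        item = ENV_ITEM.match(line)
        if item and indent >= envs_indent:
            key, value = item.group(1), item.group(2).strip().strip("\"'")
            # A $NAME value only references another variable; a literal is stored in the file.
            if SENSITIVE_KEY.search(key) and value and not value.startswith("$"):
                findings.append((lineno, key))
        elif indent <= envs_indent:
            envs_indent = None  # dedented out of the envs block
    return findings

if __name__ == "__main__":
    for lineno, key in find_plaintext_secrets(SAMPLE_YML):
        print(f"line {lineno}: {key} has a literal value; move it to Secrets")
```

A name-based match only catches obviously named keys, so treat an empty result as a prompt for manual review rather than proof that no credential is stored as a plain env var.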

Setting an env var in every/in a specific workflow

Under App Environmental Variables, you can set all the env vars you wish to use later on in all your workflows.

You can set env vars for any of your workflows separately as well. If you wish to set an env var with a variable which will be only used in a particular workflow, then select the respective workflow from the list and add the env var there. The list consists of the workflows you named for your app. (In this example, the app has a deploy, primary and dummy workflow.)

Check out our list of Available Environment Variables exposed by Bitrise CLI and bitrise.io.

About Secrets

Secret env vars are a special type of env var: they hide information in an encrypted format so that your private input is not exposed in the build logs or in bitrise.yml. Secret env vars can be set by adding the env var key and the variable in the Secrets tab of the Workflow Editor.

Adding a secret env var

You can add a secret env var to your workflow using our Secrets tab.

  1. Click Add new on the Secrets tab.
  2. Set the key and value fields.

You can also add a secret env var directly in a step’s SENSITIVE input.

Editing a secret env var

Once you’ve added a new secret env var in the Secrets tab, you can come back to it any time to modify its content or make it protected from curious eyes!

  1. Click Edit next to the value of your secret env var.
  2. Modify its content if needed.
  3. If you want to hide the value, click Make it protected. A lock is shown.
  4. Delete the secret env var if you do not need it any more. Please note that if you hit this button, the whole row will get deleted.

Life after Make it protected

Please note that once you have clicked this button, neither you nor anybody with access to the app can unlock or check the value again.

Since this change is irreversible, a confirmation pop-up window will be displayed prior to saving your changes.

You can show and hide the value of an env var with the eye icon. This feature is useful if you have a long list of secret env vars in Secrets and you wish to check the value of only one secret env var while leaving the other values hidden. If a value is hidden, it’s represented with the crossed-out eye icon.

If you toggle the Replace variables in inputs to the right, the new value will be used everywhere in your workflow.

The Expose for Pull Request toggle can be enabled if you want your secrets to be exposed in your build logs in PRs.

About SENSITIVE label

In the case of public apps, step input fields containing sensitive information are marked with a SENSITIVE label and only secret env vars can be used there! The Expose for Pull Request toggle is by default disabled and cannot be enabled since your secrets must be kept hidden in publicly accessible build logs!

Head over to Secrets for more information on secret filtering.