Managing Secrets locally
When you run a build locally with the Bitrise CLI, the Secrets are read from a .bitrise.secrets.yml file, which is expected to be in the same directory as the bitrise.yml and where you run the bitrise run command.
If you want to store your Secrets somewhere else, you can specify the location of the Secrets file with the --inventory flag of the bitrise run command. For example:
bitrise run my-workflow --inventory /path/to/secrets.yml
Make sure to gitignore your Secrets file
As a best practice, always make sure that .bitrise.secrets.yml is added to your .gitignore, so that it is never committed into your repository! The best approach is to gitignore everything that starts with .bitrise, which can be done by adding the line .bitrise* to your .gitignore file.
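One way to verify this before a local run, as an added example that is not part of the Bitrise documentation or the Bitrise CLI; the function name check_secrets_file and its return codes are assumptions made for this example. It checks tracking as well as ignore rules, because a .gitignore entry does not protect a file that has already been added to the index.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the Bitrise CLI).
# check_secrets_file [FILE]   (default: .bitrise.secrets.yml)
# Return codes (chosen for this example):
#   0 = file is ignored by git, or lives outside any git work tree
#   1 = file does not exist
#   2 = file is already tracked; ignore rules no longer apply to it
#   3 = file is inside a work tree but no ignore rule matches it
check_secrets_file() {
    file=${1:-.bitrise.secrets.yml}
    if [ ! -f "$file" ]; then
        echo "secrets file not found: $file" >&2
        return 1
    fi
    dir=$(dirname -- "$file")
    name=$(basename -- "$file")

    # A file stored outside a repository (e.g. passed via --inventory)
    # cannot be committed by accident.
    if ! git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "ok: $file is not inside a git work tree"
        return 0
    fi

    # Tracked files keep being committed regardless of .gitignore.
    if git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
        echo "DANGER: $file is tracked by git." >&2
        echo "Untrack it with: git rm --cached -- $name" >&2
        echo "Then rotate the Secrets it contained." >&2
        return 2
    fi

    # check-ignore exits 0 only when some ignore rule matches the path.
    if ! git -C "$dir" check-ignore -q -- "$name"; then
        echo "WARNING: $file is not ignored; add '.bitrise*' to .gitignore" >&2
        return 3
    fi

    echo "ok: $file is ignored by git"
    return 0
}
```

It can gate a local run, for example check_secrets_file && bitrise run my-workflow.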
The Secrets YAML file has to include a root envs: item and then the list of Secret Environment Variables.
envs:
- SECRET_ENV_ONE: first Secret value
- SECRET_ENV_TWO: second Secret value
The Secrets defined in the .bitrise.secrets.yml file can be used just like any other Environment Variable.
format_version: 11
default_step_lib_source: https://github.com/bitrise-io/bitrise-steplib.git

workflows:
  test:
    steps:
    - [email protected]:
        inputs:
        - content: |
            #!/bin/bash
            echo "SECRET_ENV_ONE: ${SECRET_ENV_ONE}"
            echo "SECRET_ENV_TWO: ${SECRET_ENV_TWO}"
You can just run bitrise run test in the directory, and the Script Step will print the values specified in the secrets file:
SECRET_ENV_ONE: first secret value
SECRET_ENV_TWO: second secret value
As Secrets are the first Environment Variables processed when you execute a bitrise run command, you can use the Secrets everywhere in your bitrise.yml.