secrets-buildkite-plugin/plugin.yml at main · buildkite-plugins/secrets-buildkite-plugin · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
---
name: Secrets
description: "A Buildkite plugin to fetch secrets from multiple providers"
author: "@buildkite-plugins"
requirements:
  - bash
  - buildkite-agent
configuration:
  properties:
    provider:
      type: string
      enum: ["buildkite", "gcp", "azure"]
      default: "buildkite"
      description: "The secrets provider to use."
    azure-vault-name:
      type: string
      description: "The Azure Key Vault name (required when provider is azure)."
    azure-secret-version:
      type: string
      description: "The Azure Key Vault secret version (optional, defaults to latest)."
    env:
      type: string
      description: "Secret key name for batch secrets (base64-encoded KEY=value format)"
    variables:
      type: object
      description: "Map of ENV_VAR_NAME: secret-path for individual secrets"
    skip-redaction:
      type: boolean
      default: false
      description: "If true, secrets will not be redacted in Buildkite logs."
    retry-max-attempts:
      type: number
      default: 5
      description: "Maximum retry attempts for transient failures"
    retry-base-delay:
      type: number
      default: 2
      description: "Base delay in seconds for exponential backoff"
    # GCP Secret Manager options
    gcp-project:
      type: string
      description: "GCP project ID (optional - falls back to CLOUDSDK_CORE_PROJECT or gcloud config)"
    gcp-secret-version:
      type: string
      default: "latest"
      description: "Secret version to fetch (default: latest)"
  additionalProperties: false