Split secrets to variables and secrets

tnevrlka · tnevrlka · commit 92b3d9bda8ee · 2025-03-27T16:07:48.000+01:00
All environment variables used for builds are currently stored under
the key 'build-secrets'
Some of the environment variables are not actually secret and should be
visible.

Differentiate the environment variables that are not secret by adding
them under a new key 'build_variables'

Do the same with 'gitops_secrets' and 'gitops_variables'

Signed-off-by: Tomáš Nevrlka &lt;tnevrlka@redhat.com&gt;
diff --git a/templates/data.yaml b/templates/data.yaml
@@ -13,33 +13,62 @@ build_steps:
     substeps: [show-sbom-rhdh, summary]
     concurrent: true
 
-build_secrets:
-  - name: ROX_API_TOKEN
+build_variables:
   - name: ROX_CENTRAL_ENDPOINT
-  - name: GITOPS_AUTH_PASSWORD
+
   - name: GITOPS_AUTH_USERNAME
+    if: '!isGitLab'
     commented_out: true
-    comment: Uncomment this when using Gitlab
+  - name: GITOPS_AUTH_USERNAME
+    if: 'isGitLab'
 
-  - name: IMAGE_REGISTRY_USER 
+  - name: IMAGE_REGISTRY_USER
     if: 'isGitHub'
     comment: "Set this to the user for your specific registry"
-  - name: IMAGE_REGISTRY_PASSWORD 
-    if: 'isGitHub'
-    comment: "Set this password for your specific registry" 
+  - name: IMAGE_REGISTRY_USER
+    if: '!isGitHub'
+    commented_out: true
+    comment: "Set this to the user for your specific registry"
+
   # Expose Rekor and TUF in GitHub Actions so they can be set by user in secrets
   - name: REKOR_HOST
     if: 'isGitHub'
     comment: "Set this only when using an external Rekor instance"
-    commented_out: true
   - name: TUF_MIRROR
     if: 'isGitHub'
     comment: "Set this only when using an external TUF instance"
+  # Rekor and TUF again, but there is a difference between GH Actions and Jenkins
+  - name: REKOR_HOST
+    if: 'isJenkins'
+    comment: "Set when using Jenkins on non-local cluster and using an external Rekor instance"
     commented_out: true
-  - name: IMAGE_REGISTRY_USER
-    if: '!isGitHub'
+  - name: TUF_MIRROR
+    if: 'isJenkins'
+    comment: "Set when using Jenkins on non-local cluster and using an external TUF instance"
     commented_out: true
-    comment: "Set this to the user for your specific registry"
+
+  - name: QUAY_IO_CREDS_USR
+    if: '!isJenkins'
+    commented_out: true
+
+  - name: ARTIFACTORY_IO_CREDS_USR
+    if: '!isJenkins'
+    commented_out: true
+
+  - name: NEXUS_IO_CREDS_USR
+    if: '!isJenkins'
+    commented_out: true
+
+  - name: COSIGN_PUBLIC_KEY
+
+build_secrets:
+  - name: ROX_API_TOKEN
+
+  - name: GITOPS_AUTH_PASSWORD
+
+  - name: IMAGE_REGISTRY_PASSWORD
+    if: 'isGitHub'
+    comment: "Set this password for your specific registry" 
   - name: IMAGE_REGISTRY_PASSWORD
     if: '!isGitHub'
     commented_out: true
@@ -48,82 +77,91 @@ build_secrets:
   - name: QUAY_IO_CREDS
     if: isJenkins
     comment: "Default registry is set to quay.io" 
-  - name: QUAY_IO_CREDS_USR
-    if: '!isJenkins'
-    commented_out: true 
   - name: QUAY_IO_CREDS_PSW
     if: '!isJenkins' 
-    commented_out: true 
+    commented_out: true
+
   - name: ARTIFACTORY_IO_CREDS
     if: isJenkins
     commented_out: true 
-  - name: ARTIFACTORY_IO_CREDS_USR
-    if: '!isJenkins'
-    commented_out: true 
   - name: ARTIFACTORY_IO_CREDS_PSW
     if: '!isJenkins'  
-    commented_out: true 
+    commented_out: true
+
   - name: NEXUS_IO_CREDS
     if: isJenkins
     commented_out: true 
-  - name: NEXUS_IO_CREDS_USR
-    if: '!isJenkins'
-    commented_out: true 
   - name: NEXUS_IO_CREDS_PSW
     if: '!isJenkins'  
-    commented_out: true 
+    commented_out: true
+
   - name: COSIGN_SECRET_PASSWORD
   - name: COSIGN_SECRET_KEY
-  - name: COSIGN_PUBLIC_KEY
-  # Rekor and TUF again, but there is a difference between GH Actions and Jenkins
-  - name: REKOR_HOST
-    if: 'isJenkins'
-    comment: "Set when using Jenkins on non-local cluster and using an external Rekor instance"
-    commented_out: true
-  - name: TUF_MIRROR
-    if: 'isJenkins'
-    comment: "Set when using Jenkins on non-local cluster and using an external TUF instance"
-    commented_out: true
 
 gitops_steps:
   - name: Verify EC
     substeps: [gather-deploy-images, verify-enterprise-contract]
   - name: Upload SBOM
     substeps: [gather-images-to-upload-sbom, download-sbom-from-url-in-attestation, upload-sbom-to-trustification]
 
-gitops_secrets:
+gitops_variables:
   - name: COSIGN_PUBLIC_KEY
     comment: Used to verify the image signature and attestation
+
   - name: TRUSTIFICATION_BOMBASTIC_API_URL
     comment: URL of the BOMbastic api host (e.g. https://sbom.trustification.dev)
   - name: TRUSTIFICATION_OIDC_ISSUER_URL
     comment: URL of the OIDC token issuer (e.g. https://sso.trustification.dev/realms/chicken)
   - name: TRUSTIFICATION_OIDC_CLIENT_ID
-  - name: TRUSTIFICATION_OIDC_CLIENT_SECRET
   - name: TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION
+
   # If the OCI registry is not public then ec needs some credentials so it can see the attestations.
   # Todo: Use different credentials here so we provide read access only instead of read/write access.
-  # github always uses these 
-  - name: IMAGE_REGISTRY_USER 
+  # github always uses these
+  - name: IMAGE_REGISTRY_USER
     if: 'isGitHub'
     comment: "Set this to the user for your specific registry"
-  - name: IMAGE_REGISTRY_PASSWORD 
-    if: 'isGitHub'
-    comment: "Set this password for your specific registry"
+
   # Expose Rekor and TUF in GitHub Actions so they can be set by user in secrets
   - name: REKOR_HOST
     if: 'isGitHub'
     comment: "Set this only when using an external Rekor instance"
-    commented_out: true
   - name: TUF_MIRROR
     if: 'isGitHub'
     comment: "Set this only when using an external TUF instance"
+  # Rekor and TUF again, but there is a difference between GH Actions and Jenkins
+  - name: REKOR_HOST
+    if: 'isJenkins'
+    comment: "Set when using Jenkins on non-local cluster and using an external Rekor instance"
+    commented_out: true
+  - name: TUF_MIRROR
+    if: 'isJenkins'
+    comment: "Set when using Jenkins on non-local cluster and using an external TUF instance"
     commented_out: true
+
   # other CIs in transition so comment out and leave Quay.io
   - name: IMAGE_REGISTRY_USER
     if: '!isGitHub'
     commented_out: true
     comment: "Set this to the user for your specific registry"
+
+  - name: QUAY_IO_CREDS_USR
+    if: '!isJenkins'
+    commented_out: true
+
+  - name: ARTIFACTORY_IO_CREDS_USR
+    if: '!isJenkins'
+    commented_out: true
+
+  - name: NEXUS_IO_CREDS_USR
+    if: '!isJenkins'
+    commented_out: true
+
+gitops_secrets:
+  - name: TRUSTIFICATION_OIDC_CLIENT_SECRET
+  - name: IMAGE_REGISTRY_PASSWORD
+    if: 'isGitHub'
+    comment: "Set this password for your specific registry"
   - name: IMAGE_REGISTRY_PASSWORD
     if: '!isGitHub'
     commented_out: true
@@ -133,36 +171,18 @@ gitops_secrets:
   # to be documented 
   - name: QUAY_IO_CREDS
     if: isJenkins
-  - name: QUAY_IO_CREDS_USR
-    if: '!isJenkins'
-    commented_out: true 
   - name: QUAY_IO_CREDS_PSW
     if: '!isJenkins' 
     commented_out: true 
   - name: ARTIFACTORY_IO_CREDS
     if: isJenkins
     commented_out: true 
-  - name: ARTIFACTORY_IO_CREDS_USR
-    if: '!isJenkins'
-    commented_out: true 
   - name: ARTIFACTORY_IO_CREDS_PSW
     if: '!isJenkins'  
     commented_out: true 
   - name: NEXUS_IO_CREDS
     if: isJenkins
     commented_out: true 
-  - name: NEXUS_IO_CREDS_USR
-    if: '!isJenkins'
-    commented_out: true 
   - name: NEXUS_IO_CREDS_PSW
     if: '!isJenkins'  
     commented_out: true
-  # Rekor and TUF again, but there is a difference between GH Actions and Jenkins
-  - name: REKOR_HOST
-    if: 'isJenkins'
-    comment: "Set when using Jenkins on non-local cluster and using an external Rekor instance"
-    commented_out: true
-  - name: TUF_MIRROR
-    if: 'isJenkins'
-    comment: "Set when using Jenkins on non-local cluster and using an external TUF instance"
-    commented_out: true
