Feature flag to reject pipelines with redacted variables #1578

@evandam

Is your feature request related to a problem? Please describe.
buildkite-agent 3.34.0 introduced new behavior, rejecting pipeline uploads that contain redacted variables. As of now, it's impossible to continue to redact variables and allow a pipeline with secrets to be uploaded. To me, these are two distinct features that should be controlled separately.

I realize that having a secret in a pipeline in plain text is clearly not a best practice, but sometimes it is difficult to track down, especially if you're working with dynamic pipelines.

Describe the solution you'd like
A new configuration flag like reject_pipelines_with_secrets = false that will allow pipelines to be uploaded even if they contain secrets. It would probably make sense for some strong warnings still. Maybe even say that "uploading pipelines with redacted vars is deprecated and won't be supported in the next major version" kind of thing. Something that gives a transition period to identify the issues and remediate before rejecting them outright.

Describe alternatives you've considered
If there are many pipelines that happen to upload with redacted vars, we need to update every single one ASAP (may not be possible to do in a timely manner), roll back the buildkite-agent version, or disable redacting vars, which still has a lot of value in hiding values in logs.

Additional context
I opened a ticket with support@buildkite.com and they sent me your way. Thanks in advance!
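
An added example, not part of the original issue and not Buildkite's code: a pre-upload check that reports which redacted variables have values appearing verbatim in a generated pipeline, which is the tracking-down problem described above for dynamic pipelines. The glob patterns, the `min_len` cutoff, the function names and the sample data are assumptions made for illustration; set the patterns to whatever your agent is configured to redact.

```python
import fnmatch
import os
import sys

# Assumed patterns for illustration; replace with your agent's redacted-vars setting.
PATTERNS = ["*_PASSWORD", "*_SECRET", "*_TOKEN"]


def redacted_vars(env, patterns=PATTERNS):
    """Names of environment variables whose name matches a redaction pattern."""
    return sorted(n for n in env if any(fnmatch.fnmatchcase(n, p) for p in patterns))


def find_leaks(pipeline_text, env, patterns=PATTERNS, min_len=6):
    """Return (variable_name, line_number) for every redacted value found verbatim.

    Only names and line numbers are returned, never the secret values.
    min_len (an assumption) skips very short values that would match by accident.
    """
    hits = []
    lines = pipeline_text.splitlines()
    for name in redacted_vars(env, patterns):
        value = env[name]
        if len(value) < min_len:
            continue
        for lineno, line in enumerate(lines, 1):
            if value in line:
                hits.append((name, lineno))
    return hits


# Constructed sample data, not taken from any real pipeline.
SAMPLE_ENV = {"DEPLOY_TOKEN": "tok-constructed-123456", "DB_PASSWORD": "pw", "REGION": "us-east-1"}
SAMPLE_PIPELINE = """steps:
  - label: deploy
    command: ./deploy.sh --token tok-constructed-123456
    env:
      REGION: us-east-1
"""

if __name__ == "__main__":
    # Reads the generated pipeline from stdin and checks it against the current environment.
    leaks = find_leaks(sys.stdin.read(), dict(os.environ))
    for name, lineno in leaks:
        print(f"line {lineno}: contains the value of ${name}", file=sys.stderr)
    sys.exit(1 if leaks else 0)
```

Run in the same environment as the upload step, with the generated pipeline on stdin; it exits non-zero when a match is found.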
