Slide 1

Slide 1 text

Hello! My name is Jerry, Senior Android Engineer / Team Lead @Carbon. Passionate about Mobile Development and DevOps.

Slide 2

Slide 2 text

Best Practices for Utilizing Secrets and Environment Variables on Bitrise

Slide 3

Slide 3 text

Introduction

Env Vars and Secrets form part of the basic building blocks of any CI/CD pipeline. Bitrise provides robust out-of-the-box solutions to the challenges of using Env Vars and Secrets in your build workflow. This talk covers:

● Env Vars vs. Secrets: understand the difference between Env Vars and Secrets.
● Handling Sensitive Data in the codebase: understand how to handle sensitive data such as API keys in your code base.
● Use Env Vars and Secrets in a workflow: understand how to integrate secrets and environment variables seamlessly into your Bitrise workflows.
● Troubleshooting and Debugging: gain insights into troubleshooting common issues related to secrets and environment variables.

Slide 4

Slide 4 text

Env Vars (Key : Value)

An Env Var is a key-value pair that holds data you can use at various stages of a build, including as a Step input.

Slide 5

Slide 5 text

Secrets (Key : Secured Value)

Secrets are a specific type of Environment Variable: their value is held in an encrypted format and is not exposed in the build logs. They aren't shown in the bitrise.yml configuration either. You can store confidential information, such as passwords or API keys, as Secrets.

Slide 6

Slide 6 text

Important things to note about Env Vars and Secrets

01. All Env Vars and Secrets are stored as strings.
02. By default, the Env Var list size is 120 KB (can be increased by using Script Steps).
03. The default size limit of a single Env Var is 20 KB (can be increased by using Script Steps).
04. Env Vars, unlike Secrets, are fully exposed in builds triggered by pull requests, so you should not add any sensitive information to Env Vars.

Slide 7

Slide 7 text

Important things to note about Env Vars and Secrets

05. A Secret's protection can't be undone: making a Secret protected is irreversible.
06. Once a Secret has been marked as protected, you can't expose it to pull request builds.
07. If your app is a public app, you can't expose the app's Secrets to pull request builds.
08. You can't use a newly created Environment Variable in the same Step in which it was created; it takes effect from the subsequent Steps.

Slide 8

Slide 8 text

Use Env Vars in your Workflows

An Env Var or Secret passes through four stages in a build:

● Declaration: the user declares the Env Var / Secret and Bitrise creates it.
● Processing: Bitrise processes the Env Vars / Secrets.
● Expose: the Env Var / Secret is exposed for reading.
● Available: the Env Var / Secret is available for use.

Slide 9

Slide 9 text

Declaration

Users can declare Env Vars at 3 different levels:

● App Level
● Workflow Level
● Step Level

Users can set Secrets using the Secrets tab or by modifying the input value of a Step input marked as SENSITIVE. Guides on how to do this are available in the Bitrise documentation.

Slide 10

Slide 10 text

Declare Env Vars (App Level)

1. From the Workflow Editor, click on $ Env Vars.
2. Scroll to the section labelled App Environment Variables.
3. Click on Add New.
4. A new key and value input field will show up; add the Env Var key and the value accordingly.
5. On the top right-hand side, click on the button labelled ⌘ + S.

Slide 11

Slide 11 text

Declare Env Vars (Workflow Level)

1. From the Workflow Editor, click on $ Env Vars.
2. Scroll to the section labelled X-Workflow Environment Variables for the required workflow.
3. Click on Add New.
4. A new key and value input field will show up; add the Env Var key and the value accordingly.
5. On the top right-hand side, click on the button labelled ⌘ + S.

Slide 12

Slide 12 text

Declare Env Vars (Step Level)

1. From the Workflow Editor, select any Step that uses an Env Var / Secret.
2. Click on Insert variable for an Env Var, or Select Secret Variable for a Secret.
3. Find the Env Var or Secret in the list and add it, or create a new one (for Secrets).
5. On the top right-hand side, click on the button labelled ⌘ + S.

Slide 13

Slide 13 text

You can set Environment Variables, regardless of level, in the Workflow Editor, in your app's bitrise.yml file, or during a build with a custom Script Step using the envman tool.

Slide 14

Slide 14 text

Use Case 1: Using an Env Var / Secret in the value of another Env Var / Secret

You can, at any time, use another Env Var / Secret in the value of an Env Var / Secret, i.e. embed the Env Var / Secret.

Slide 15

Slide 15 text

All Env Vars have the is_expand property in the bitrise.yml. In the UI this is represented by the Replace variables in inputs? toggle. We do NOT recommend enabling it unless the value of your Env Var or Secret is another Env Var or Secret.

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

Use Case 2: Setting and managing Env Vars during a build

You can modify Env Vars and Secrets during a build using a combination of a Script Step and the envman tool. envman helps you read and write Bitrise Env Vars and Secrets, among other things. You can call envman from anywhere in your code as long as you call it from within a Bitrise build.
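As an added example (not code from the talk, the linked GitHub project, or Bitrise itself), the body of a Script Step that derives a value during the build and publishes it for the Steps that follow via envman. BITRISE_BUILD_NUMBER is a standard Bitrise build Env Var; APP_BASE_VERSION and VERSION_NAME are hypothetical keys chosen for this example. Because envman only exists inside a Bitrise build, the publish helper reports and continues when it is absent instead of failing, and the last line demonstrates the rule from slide 7: the new Env Var is not visible in the Step that created it.

```shell
# Added example, not from the talk: a Bitrise Script Step that computes a
# value and hands it to later Steps through envman.
# Assumptions: BITRISE_BUILD_NUMBER is the standard Bitrise build Env Var;
# APP_BASE_VERSION and VERSION_NAME are hypothetical keys for this example.
set -eu

# Pure helper so the logic can be checked outside a build:
# derive_version_name 1.4.2 57 -> 1.4.2-57
derive_version_name() {
  printf '%s-%s' "$1" "$2"
}

# Publish KEY=VALUE for subsequent Steps. --no-expand stores the value
# literally (the envman counterpart of is_expand: false), so a value that
# happens to contain "$" is not rewritten using other Env Vars.
# Never echo a value that was derived from a Secret: the log is visible to
# anyone who can see the build.
publish_env() {
  key="$1"; value="$2"
  if command -v envman >/dev/null 2>&1; then
    envman add --key "$key" --value "$value" --no-expand
  else
    echo "envman not found (not inside a Bitrise build); $key not published" >&2
    return 0
  fi
}

main() {
  version="$(derive_version_name "${APP_BASE_VERSION:-1.0.0}" "${BITRISE_BUILD_NUMBER:-0}")"
  publish_env VERSION_NAME "$version"
  # A newly added Env Var only takes effect from the next Step onwards, so
  # within this Step it is still unset even though envman accepted it.
  echo "VERSION_NAME in this Step: '${VERSION_NAME:-<unset>}' (published: $version)"
}
main
```

Paste the block into a Script Step; the Step after it sees VERSION_NAME as a normal Env Var, while this Step prints `<unset>`.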

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

Use Case 2: Reading Env Vars / Secrets from a common file

There could be a need to read all your Env Vars / Secrets from one file, such as local.properties for Java/Kotlin or a .env file for JavaScript. You can export all the needed Env Vars or Secrets to that file before the build phase that needs it, usually after the repository clone and build environment setup.
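An added example of such an export script (it is not the talk's own ./scripts/secrets and not from the linked GitHub project): it validates every required Secret before writing anything, creates the file with owner-only permissions, and logs only variable names, never values, so a missing Secret in a pull request build cannot leak one. MAPS_API_KEY and SIGNING_STORE_PASSWORD are hypothetical Secret names; BITRISE_SOURCE_DIR and BITRISE_BUILD_NUMBER are standard Bitrise build Env Vars.

```shell
# Added example, not the talk's ./scripts/secrets: export Secrets into
# local.properties for the Gradle build that runs next. Put it in a Script
# Step after the repository clone and environment setup, before the build Step.
# Assumptions: MAPS_API_KEY and SIGNING_STORE_PASSWORD are hypothetical Secret
# names; BITRISE_SOURCE_DIR is the standard Bitrise checkout directory.
set -eu

# Check that NAME is a valid identifier and that the Secret/Env Var behind it
# is non-empty. Only the name reaches the log, never the value.
require_var() {
  name="$1"
  case "$name" in
    ''|*[!A-Za-z0-9_]*|[0-9]*)
      echo "invalid variable name: $name" >&2; return 1 ;;
  esac
  eval "val=\${$name:-}"
  if [ -z "$val" ]; then
    echo "missing required Secret/Env Var: $name" >&2
    return 1
  fi
}

# write_properties FILE NAME... : validate every name first, then write
# NAME=value lines. The file is recreated under umask 077 so other processes
# on the build machine cannot read the Secrets from disk. Values containing
# newlines are not handled (they are not valid single-line properties).
write_properties() {
  target="$1"; shift
  for name in "$@"; do
    require_var "$name" || return 1
  done
  rm -f "$target"
  ( umask 077; : > "$target" ) || return 1
  for name in "$@"; do
    eval "val=\${$name}"
    printf '%s=%s\n' "$name" "$val" >> "$target"
  done
  echo "wrote $# entries to $target" >&2
}

# Only perform the export inside a real Bitrise build (BITRISE_BUILD_NUMBER is
# set by Bitrise); elsewhere this file just defines the functions.
if [ -n "${BITRISE_BUILD_NUMBER:-}" ]; then
  write_properties "${BITRISE_SOURCE_DIR:-.}/local.properties" \
    MAPS_API_KEY SIGNING_STORE_PASSWORD
fi
```

Keep local.properties in .gitignore so the exported values never end up in a commit, and list every Secret the build needs in the call so the build fails early, with a clear name, rather than halfway through with a confusing Gradle error.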

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

Workflow Step Script

Workflow Step Script (./scripts/secrets)

Slide 22

Slide 22 text

Handling Sensitive Data

Slide 23

Slide 23 text

● Use a secure source code management (SCM) system.
● Store sensitive data and code separately from your codebase.
● Decide where this sensitive data will be stored.
● Ensure a secure connection between the source of the data and your CI/CD.
● Implement proper access control and decide who should have access to the sensitive data.
● Ensure all sensitive data is stored as Secrets and encrypted.
● Test and scan your code and environment regularly.

Slide 24

Slide 24 text

Troubleshooting and Debugging

Slide 25

Slide 25 text

Thank You! Q&A

Slide 26

Slide 26 text

Useful links

● https://devcenter.bitrise.io/en/builds/environment-variables.html
● https://devcenter.bitrise.io/en/builds/secrets.html
● GitHub project: https://github.com/jerryOkafor/Bitrise_Mobile_DevOps_Summit_2023