Build secrets

You might have API keys, access tokens, or other secrets that your app needs to consume — either at run time or during a build. However, you might not want to check these secrets into your source code to make them available to your app.

In order to securely propagate your credentials to your build and app, buddybuild provides three sets of variables that you can define:

  1. Environment Variables (made available to your build-time scripts)

  2. Device Variables (available to your app at run time via the buddybuild SDK)

  3. Secure Files (files made available to your build-time scripts)

If your app involves cross-repository pull requests, which are pull requests against a fork of your repository, buddybuild does not expose any secure environment variables, device variables, or secure files to those builds. By default, such secrets are only available to pull requests coming from the same organization and repository.

As such a restriction may impact your app’s development workflow, buddybuild’s dashboard allows you to specify which forked repositories to build when pull requests are created. See Cross-repository pull requests for details.


Enabling cross-repository pull request builds means that you trust the forked repositories and their users. Trusting a forked repository increases your security risk. When you configure buddybuild to build pull requests, users with access to the forked repository can create a pull request that adds or changes a custom build step so that it captures secrets, source code, etc. Such a pull request can potentially be used to gain full access to your main repository.
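
Because secrets are withheld from cross-repository builds by default, a build-time script should check for them before running a step that needs them, and should never echo their values into the build log. The script below is an added example, not buddybuild's own code; `API_TOKEN`, `SECURE_DIR` and `signing.p12` are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example. API_TOKEN, SECURE_DIR and signing.p12 are hypothetical names
# chosen for illustration; they are not defined by buddybuild.

# missing_secrets NAME...
# Prints the names (never the values) of variables that are unset or empty.
# Returns 0 when all are set, 1 when any is missing, 2 on an invalid name.
missing_secrets() {
    _missing=""
    for _name in "$@"; do
        case $_name in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                echo "invalid variable name" >&2
                return 2 ;;
        esac
        eval "_value=\${$_name:-}"   # safe: _name was validated above
        [ -n "$_value" ] || _missing="${_missing:+$_missing }$_name"
    done
    unset _value
    [ -z "$_missing" ] && return 0
    printf '%s\n' "$_missing"
    return 1
}

# step_secrets_ready FILE NAME...
# Returns 0 only if secure file FILE is present and non-empty and every
# named variable is set; otherwise explains why on stderr and returns 1.
step_secrets_ready() {
    _file=$1
    shift
    if [ ! -s "$_file" ]; then
        echo "secure file not available: $(basename "$_file")" >&2
        return 1
    fi
    if ! _names=$(missing_secrets "$@"); then
        echo "secrets not available: $_names" >&2
        return 1
    fi
    return 0
}

# Build-step usage: skip the upload instead of failing half-way when the
# build (for example a cross-repository pull request) has no secrets.
if step_secrets_ready "${SECURE_DIR:-/nonexistent}/signing.p12" API_TOKEN; then
    echo "secrets present: running signed upload step"
else
    echo "secrets withheld for this build: skipping signed upload step"
fi
```

Only variable and file names reach the log, so a skipped step still explains itself without disclosing any value.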
