Hide services passwords in Cake Build

Question

I am using Cake build to build and deploy a project but in my script I have a few services passwords which I do not want to expose.

Is it possible to read the passwords from an external file (maybe JSON?) which I would not push to Github? So this file would be only in my computer.

Is there a standard way to do this with Cake?

Answer 1

The easiest way would be to store that password as an environment variable on the system you are running the build on. From there, you can then use the EnvironmentVariable alias to request that value, to then use it within your script:

http://cakebuild.net/api/Cake.Common/EnvironmentAliases/F508FA2B

This is how we store/use the secrets associated with the build process for Cake itself. See here for an example:

https://github.com/cake-build/cake/blob/develop/build/credentials.cake#L15

Taken from this link is the following code snippet:

public static BuildCredentials GetGitHubCredentials(ICakeContext context)
{
    return new BuildCredentials(
        context.EnvironmentVariable("CAKE_GITHUB_USERNAME"),
        context.EnvironmentVariable("CAKE_GITHUB_PASSWORD"));
}

Where we are reading two environment variables, the username and the password, which are then used later in the script execution.

NOTE: The presence of the context variable is due to the fact that we are doing the work in the helper function, where the main Cake Context was passed in as a parameter. This will not be required if you are accessing the Environment alias directly in one of your tasks.

Assuming you are using some form of Continuous Integration, then there will likely be a way either through a configuration file, or through a User Interface, to specify the values of these environment variables in a secure manner.