Make `dotenv` artifacts undownloadable (useful for secrets management)
Proposal
`dotenv` artifacts are a great way to dynamically configure variables for future jobs. Since they're downloadable artifacts, though, they're not safe for secret information such as AWS access keys, HashiCorp Vault tokens, etc.
I propose that dotenv artifacts can optionally be marked 'un-downloadable', which would make it safe for dotenv artifacts to contain secret information.
Example CI file:
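```yaml
stages:
  - fetch secrets
  - build

get secrets from vault:
  stage: fetch secrets
  script:
    # dotenv report files are made of KEY=value lines
    - 'echo "TOP_SECRET_INFO=hi" > env'
  artifacts:
    reports:
      # proposed syntax: today `dotenv:` takes only the file path
      dotenv:
        file: env
        downloadable: false

build:
  stage: build
  script:
    - echo $TOP_SECRET_INFO
```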
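
Until dotenv reports can be made undownloadable, a job can check the file before it is published. The guard below is an added example, not part of the original proposal or of GitLab's code; the function name `check_dotenv` and the name patterns are assumptions, and it prints only variable names so that values never reach the job log.

```shell
#!/bin/sh
# check_dotenv FILE
# Returns 0 when FILE looks safe to publish as a dotenv report,
#         1 when a line is not KEY=value or a name/value looks like a secret,
#         2 when FILE cannot be read.
# The name patterns are illustrative assumptions, not a complete list.
check_dotenv() {
    file=$1
    [ -r "$file" ] || { echo "check_dotenv: cannot read $file" >&2; return 2; }

    rc=0
    lineno=0
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            '')  continue ;;              # skip blank lines
            *=*) ;;                       # KEY=value, inspected below
            *)   echo "$file:$lineno: not a KEY=value line" >&2
                 rc=1
                 continue ;;
        esac
        key=${line%%=*}                   # text before the first '='
        value=${line#*=}                  # text after the first '='

        # Flag by variable name, case-insensitively.
        if printf '%s\n' "$key" |
            grep -Eiq 'SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|ACCESS_KEY|API_KEY'; then
            echo "$file:$lineno: secret-looking name: $key" >&2
            rc=1
        fi
        # Flag by value shape: AWS access key IDs are AKIA/ASIA + 16 characters.
        if printf '%s\n' "$value" | grep -Eq '(AKIA|ASIA)[A-Z0-9]{16}'; then
            echo "$file:$lineno: value of $key looks like an AWS access key ID" >&2
            rc=1
        fi
    done < "$file"
    return "$rc"
}
```

Run it as the last `script:` line of the job that writes the file: with the default `artifacts:when: on_success`, a failing job uploads no artifacts.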