Passing a secret during build

[devbugging]

Output of brew config

//

Output of brew doctor

//

Description of issue

I have a weird issue that I'm sure it must have been solved, however, I see no way of solving it. I have a tool written in Go, that requires an API key to connect to a service. We build this tool as part of our CD on Github and pass in the API key as a Github secret. That all works well. The problem is, using a homebrew formula to build the binary we can't pass in those values in a secure format, and I don't think they can access those secret values on GitHub. Is there any way to accomplish this? This values are not critical but would be better to stay as obfuscated as possible (I'm aware you could potentially reverse engineer the binary to find them, but our attempt is just to prevent them being in plain text).

[alebcay]

By default, the Homebrew build environment filters out all environment variables except for a select list that are allowed; any environment variable with a HOMEBREW_ prefix is also allowed to pass through.

Thus, in your CD, one thing you can try is to expose the API key as an environment variable that starts with HOMEBREW_, e.g. HOMEBREW_SUPER_SECRET_API_KEY. Then in the formula for your tool, this can be accessed as ENV["HOMEBREW_SUPER_SECRET_API_KEY"]. This should be sufficient for getting it into the build environment and whatever tooling you may be using during the build process.

Note that Homebrew also has some secondary filtering in place that may remove sensitive environment variables from the build environment. From your use case it doesn't sound like this filtering will block you, but just something to keep in mind if you run into issues.

More about Homebrew's environment variable filtering behaviors: https://docs.brew.sh/Formula-Cookbook#using-environment-variables

[devbugging]

Hey, so if I understand correclty we could push the built bottles to you using our CD pipeline?

[SMillerDev]

Definitely not. Homebrew builds it's own bottles in it's own CI. If you have a private tap you can set whatever variables you want.

[devbugging]

For your use case, it sounds like you should set up a workflow to do the actual building against the formula in your repo

Was that then meant to through context of a private tap?

The gap I don't quite understand is how our CD could pass the ENVs to the action that is being run in homebrew repo? we are using a makefile to build and I don't see how we could expose those vars to the makefile that is later used in your repo to build.

[carlocab]

The gap I don't quite understand is how our CD could pass the ENVs to the action that is being run in homebrew repo? we are using a makefile to build and I don't see how we could expose those vars to the makefile that is later used in your repo to build.

Yes, the point is that you can't. You'll need to create your own external tap to have access to your secrets during the build process.

[devbugging]

Yeah, I thought so. I mean I get the design decision behind this, I just had to learn the hard way :/ At the end you can always reverse engineer the binary so, in any case, is security by obscurity. But in our case the secrets are not critical so it made sense to just obfuscate.