CI/CD pipelines need secrets (API keys, deployment credentials, database passwords, tokens) to build and deploy, but handling them insecurely is a serious risk. Proper secrets management keeps credentials protected throughout the whole pipeline.
The problem: secrets must never be exposed
Pipelines need credentials, but secrets are a major security risk if mishandled:
⚠️ NEVER hardcode secrets in code, pipeline config files, or commit them to Git
(committed secrets are exposed in history — even if "removed" later)
⚠️ NEVER print secrets in logs (pipeline logs may be visible/stored)
→ Leaked CI/CD secrets (deploy keys, cloud credentials) can compromise entire systems.
Correct secrets handling
✓ Use the CI/CD platform's SECRETS STORE — encrypted secrets injected as env vars at
runtime (GitHub Actions Secrets, GitLab CI variables, etc.) — NOT in the config file
✓ Use dedicated SECRETS MANAGERS — HashiCorp Vault, AWS Secrets Manager, etc.
(fetch secrets at runtime; centralized, audited, rotatable)
✓ Reference secrets by NAME in the pipeline; the platform injects the value securely:

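The following is an added example, not code from the original page: a deploy step in Python that reads secrets by NAME from the environment variables the CI/CD platform injects, fails fast if one is missing instead of falling back to a hardcoded default, masks every secret value before anything reaches the log, and scans a pipeline config for literal secret values while allowing by-name references such as `${{ secrets.NAME }}` or `$NAME`. The secret names `DEPLOY_TOKEN` and `DB_PASSWORD`, the sample config, and the values in it are all constructed for the illustration.

```python
"""Reading CI/CD secrets by name, redacting them from logs, and catching
hardcoded values in pipeline config. Secret names are hypothetical."""
import logging
import os
import re
import sys

# Only the NAMES of secrets live in code or config; the platform's encrypted
# secrets store supplies the values as environment variables at runtime.
REQUIRED_SECRETS = ("DEPLOY_TOKEN", "DB_PASSWORD")


def missing_secrets(env, required=REQUIRED_SECRETS):
    """Names of required secrets that are absent or empty in the environment."""
    return [name for name in required if not env.get(name)]


def load_secrets(env, required=REQUIRED_SECRETS):
    """Return {name: value}; raise rather than fall back to a hardcoded default."""
    missing = missing_secrets(env, required)
    if missing:
        raise RuntimeError("missing required secrets: " + ", ".join(missing))
    return {name: env[name] for name in required}


def mask(text, secret_values):
    """Replace every occurrence of a known secret value with ***.
    Longest value first, so a secret that is a prefix of another is masked fully."""
    for value in sorted((v for v in secret_values if v), key=len, reverse=True):
        text = text.replace(value, "***")
    return text


class SecretMaskingFilter(logging.Filter):
    """Handler-level filter that redacts secret values from every log record."""

    def __init__(self, secret_values):
        super().__init__()
        self._values = list(secret_values)

    def filter(self, record):
        record.msg = mask(record.getMessage(), self._values)
        record.args = ()  # message is already formatted and redacted
        return True


def build_logger(secret_values):
    logger = logging.getLogger("deploy")
    logger.handlers.clear()
    handler = logging.StreamHandler(sys.stdout)
    handler.addFilter(SecretMaskingFilter(secret_values))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


def deploy(env):
    """Simulated deploy step: returns the redacted header it would have logged."""
    secrets = load_secrets(env)
    log = build_logger(secrets.values())
    # Even an accidental log line containing the token is masked before output.
    log.info("deploying with token %s", secrets["DEPLOY_TOKEN"])
    return mask("Authorization: Bearer " + secrets["DEPLOY_TOKEN"], secrets.values())


# Pre-commit style check: flag literal secret values in pipeline config.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|token|secret|api[_-]?key)\s*[:=]\s*['\"]?(\S+)")
# By-name references are what we want: ${{ secrets.NAME }} or $NAME / ${NAME}.
PLATFORM_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}|\$\{?\w+\}?")


def find_hardcoded_secrets(config_text, min_len=8):
    """Return (line_no, line) pairs whose value looks like a literal secret."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = SECRET_ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group(2).strip("'\"")
        if len(value) >= min_len and not PLATFORM_REF.match(value):
            findings.append((n, line.strip()))
    return findings


# Constructed sample config: one literal value among by-name references.
SAMPLE_CONFIG = """\
env:
  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # reference by name: fine
  DB_PASSWORD: hunter2hunter2                 # literal value: flagged
  API_KEY: $API_KEY                           # env reference: fine
"""

if __name__ == "__main__":
    for n, line in find_hardcoded_secrets(SAMPLE_CONFIG):
        print("hardcoded secret on line", n, ":", line)
    print(deploy(os.environ))
```

Run as a pipeline step, `deploy` aborts with a clear error naming the missing secret when the platform did not inject it; the config scan is the kind of check that belongs in a pre-commit hook so literal values never reach Git history in the first place.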