Onboard
Introduction
Users
Teams
Introduction
IntroductionPromote an image in Amazon ECRRetrieve an object from Amazon S3Store an object on Amazon S3Copy Docker images with CraneDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryGet artifact detailsRegister a build artifactRegister a deployed environment artifact
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineBuild and publish Docker images with KanikoRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Ansible PlaybookDeploy with Argo WorkflowsDeploy with AWS CodeDeployDeploy a binary with Amazon EC2Deploy to ECSRender an Amazon ECS task definitionDeploy with AWS Elastic BeanstalkDeploy with HerokuDeploy with OctopusDeploy with OpenShiftDeploy with SpinnakerDeploy with Tosca
Publish evidence items
Fetch secrets from CyberArk Conjur
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxCheckovCoverity on PolarisFind Security BugsGitHub Security ScannerGosecGrypeMendNexus IQnjsscanSnykSonarQube bundledSonarQube
IntroductionBlack DuckMendSnyk
IntroductionGitleaksTruffleHog ContainerTruffleHog CodeTruffleHog S3
IntroductionCreate a change requestUpdate or close a change requestGet a change request current stateQuery a change request approval
Publish test results
Multi-workflows dispatch
Introduction
Manage workflows
Introductioncloudbees and other context objectsenvnameonpermissionsjobs.<job_id>.<job_id>.delegates.<job_id>.env.<job_id>.vars.<job_id>.secrets.<job_id>.environment.<job_id>.if.<job_id>.needs.<job_id>.outputs.<job_id>.permissionsjobs.<job_id>.uses.<job_id>.services.<job_id>.services.<service_id>.services.<service_id>.args.services.<service_id>.env.services.<service_id>.imagejobs.<job_id>.steps.<job_id>.steps[*].id.<job_id>.steps[*].env.<job_id>.steps[*].if.<job_id>.steps[*].name.<job_id>.steps[*].run.<job_id>.steps[*].shell.<job_id>.steps[*].uses.<job_id>.steps[*].with.<job_id>.steps[*].with.args.<job_id>.steps[*].with.entrypoint.<job_id>.steps[*].timeout-minutesjobs.<job_id>.timeout-minutes
An example workflow
Reusable workflows
Personal access tokens
Trigger a workflow using an API
IntroductionManual approval
Connect a repositoryCreate a workflowRun a scanPublish an image
Introduction
Learn about feature management
Create flags in code
Manage multiple SDK keys in your application
Create/manage flags in the UI
Namespaces and labels
Configure feature flags
Feature management custom roles
Flag approval requests and reviews
Audit history
Configuration as code
Flag impressions and activity status
Code references
Properties and custom properties
Target groups
Enabling secret mode
IntroductionAndroid / Android TV / Fire TVC/C++ (client-side)C/C++ (server-side)GoJavaJavaScript (browser) / Chromecast / TizenJavaScript SSR.NET/C#Node.jsiOS / tvOSPHPPythonReact NativeRuby
IntroductionClient-side AndroidClient-side C ClientClient-side C++ ClientClient-side JavaClient-side JavaScript (browser)Client-side .NET/C# clientClient-side Objective-CClient-side React NativeClient-side SwiftServer-side CServer-side C++Server-side GoServer-side JavaServer-side .NET/C#Server-side NodeJSServer-side PythonServer-side PHPServer-side RubyBoth client-side and server-side JavaScript SSR
IntroductionAndroid appAngular appDjango appGin appJava Spring Boot app.NET Core appReact appSwift iOS app

jobs.<job_id>.secrets

2 minute read

When a job calls a reusable workflow using uses:, you can control which secrets the called workflow can access by configuring jobs.<job_id>.secrets:

  • inherit — Make all secrets in the caller job’s scope available to the reusable workflow.

  • Mapping — Expose only specific secrets by mapping them one-by-one.

Use inherit with trusted reusable workflows only. If a job in the reusable workflow runs in an environment, environment-scoped secrets for that job are resolved and can override inherited or mapped values.

If a job sets environment using an expression (for example, ${{ inputs.env-prod }}), the environment name is resolved first, then environment-scoped secrets are evaluated for that job.

Inherit all secrets

In this example, caller-job invokes a reusable workflow and inherits all secrets from its scope.

Caller workflow
jobs:
  caller-job:
    uses: .cloudbees/workflows/a-reusable-workflow.yaml      (1)
    secrets: inherit                                          (2)
    inputs:
      env-prod: production                                    (3)
1 Calls a reusable workflow from the current repository.
2 Inherits all secrets from the caller job’s scope.
3 Passes an environment name as input to the reusable workflow (optional).
Reusable workflow
on:
  workflow_call:
    inputs:
      env-prod:
        type: string
        required: false

jobs:
  job-rw-1:
    steps:
      - name: Use inherited secrets
        run: |
          if [ -n "${{ secrets.secret-1 }}" ]; then echo "secret-1 available"; fi

  job-rw-2:
    environment: ${{ inputs.env-prod }}                       (4)
    steps:
      - name: Environment may override inherited values
        run: |
          # If the environment defines secret-1, it overrides the inherited value.
          if [ -n "${{ secrets.secret-1 }}" ]; then echo "secret-1 resolved (env may override)"; fi
1 Sets the job’s environment from the input; environment-scoped secrets are resolved for this job.

Map specific secrets

In this example, only two secrets are exposed to the reusable workflow. No other caller secrets are available.

Caller workflow
jobs:
  caller-job:
    uses: .cloudbees/workflows/a-reusable-workflow.yaml
    secrets:                                                 (1)
      secret-1: ${{ secrets.SECRET_A }}                      (2)
      secret-2: ${{ secrets.SECRET_B }}                      (3)
    inputs:
      env-prod: production
1 Uses mapping instead of inheritance.
2 Maps caller secret SECRET_A to secret-1 for the reusable workflow.
3 Maps caller secret SECRET_B to secret-2.
Reusable workflow
on:
  workflow_call:
    inputs:
      env-prod:
        type: string
        required: false

jobs:
  job-rw-1:
    steps:
      - name: Only mapped secrets are available
        run: |
          if [ -n "${{ secrets.secret-1 }}" ]; then echo "secret-1 available"; fi
          if [ -n "${{ secrets.secret-2 }}" ]; then echo "secret-2 available"; fi

  job-rw-2:
    environment: ${{ inputs.env-prod }}
    steps:
      - name: Environment may override mapped secrets
        run: |
          # If the environment defines secret-1/secret-2, those values override the mappings.
          if [ -n "${{ secrets.secret-1 }}" ]; then echo "secret-1 resolved (env may override)"; fi
          if [ -n "${{ secrets.secret-2 }}" ]; then echo "secret-2 resolved (env may override)"; fi

  • Do not combine secrets: inherit and secret mappings in the same job. Choose one approach.

  • Inheritance includes secrets available in the caller job’s scope. Environment-scoped secrets apply when a job in the reusable workflow runs in that environment.

  • For passing non-secret values, prefer inputs rather than secrets.
.<job_id>.vars
.<job_id>.environment