Can drone/drone image support _FILE for env var secrets


Firstly, thanks for the wonderful software!

I am using Docker Swarm to deploy Drone. Swarm forces users to inject secrets as files on the file system, into /run/secrets/mycoolsecret, for example, and then some images publishers support a _FILE postfix for their environment variables so as to support Swarm users.

See how Mariadb handles this:

So, concretely, for Drone, I’d like to see the following available:


So that I can do something like:

    image: "drone/drone:1.8.0"
    - "data:/data"
    - DRONE_GITEA_CLIENT_SECRET_FILE: /run/secrets/gitea_client_secret

I’ve raised this issue also recently for the invoiceninja image:



You can store secrets in a file and load using the method described here:

1 Like

also, some more background, we use a library to read environment files into Go structures. I formally requested them to support the _FILE convention however they did not seem interested. It would certainly help if people voted on / commented on the issue to try and convince them:

1 Like

Thanks! Commented on the issue :+1:


may I ask for some update on this issue? The linked solutions by @bradrydzewski seem outdated (404).

What’s the current recommended way to use Docker secrets instead of hardcoded (unsafe) tokens in a docker-compose file to run Drone?

My Docker secrets are working fine, but I can’t find a way to start Drone using them, only complicated workarounds with custom container entry scripts to manually read Docker secrets and then manually create the required ENV vars.

Am I right that it’s something still not officially implemented by Drone? Should I open a Feature Request? I don’t want to store my tokens in a file on my VPS.

I thought it’s simple as:

      - drone_gh_client_id
      - drone_gh_client_secret
      - drone_rpc_secret
      DRONE_GITHUB_CLIENT_ID: /run/secrets/drone_gh_client_id
      DRONE_GITHUB_CLIENT_SECRET: /run/secrets/drone_gh_client_secret
      DRONE_RPC_SECRET: /run/secrets/drone_rpc_secret

Thank you!