Refactor secrets management

antonmedv · antonmedv · commit 068121a953e3 · 2026-04-02T18:32:18.000+02:00
diff --git a/docs/api.md b/docs/api.md
@@ -234,7 +234,7 @@ run(
     ?string $cwd = null,
     ?array  $env = null,
     #[\SensitiveParameter]
-    ?string $secret = null,
+    ?array  $secrets = null,
     ?bool   $nothrow = false,
     ?bool   $forceOutput = false,
     ?int    $timeout = null,
@@ -249,7 +249,7 @@ Examples:
 ```php
 run('echo hello world');
 run('cd {{deploy_path}} && git status');
-run('password %secret%', secret: getenv('CI_SECRET'));
+run('password %my_secret%', secrets: ['my_secret' => getenv('SECRET')]);
 run('curl medv.io', timeout: 5);
 ```
 
@@ -266,7 +266,7 @@ run("echo $path");
 | `$cwd` | `string` or `null` | Sets the process working directory. If not set {{working_path}} will be used. |
 | `$timeout` | `int` or `null` | Sets the process timeout (max. runtime). The timeout in seconds (default: 300 sec; see {{default_timeout}}, `null` to disable). |
 | `$idleTimeout` | `int` or `null` | Sets the process idle timeout (max. time since last output) in seconds. |
-| `$secret` | `string` or `null` | Placeholder `%secret%` can be used in command. Placeholder will be replaced with this value and will not appear in any logs. |
+| `$secrets` | `array` or `null` | Placeholder `%secret%` for sensitive information. |
 | `$env` | `array` or `null` | Array of environment variables: `run('echo $KEY', env: ['key' => 'value']);` |
 | `$forceOutput` | `bool` or `null` | Print command output in real-time. |
 | `$nothrow` | `bool` or `null` | Don't throw an exception of non-zero exit code. |
diff --git a/recipe/provision/databases.php b/recipe/provision/databases.php
@@ -39,8 +39,8 @@
 desc('Provision MySQL');
 task('provision:mysql', function () {
     run('apt-get install -y mysql-server', env: ['DEBIAN_FRONTEND' => 'noninteractive'], timeout: 900);
-    run("mysql --user=\"root\" -e \"CREATE USER IF NOT EXISTS '{{db_user}}'@'0.0.0.0' IDENTIFIED BY '%secret%';\"", secret: get('db_password'));
-    run("mysql --user=\"root\" -e \"CREATE USER IF NOT EXISTS '{{db_user}}'@'%' IDENTIFIED BY '%secret%';\"", secret: get('db_password'));
+    run("mysql --user=\"root\" -e \"CREATE USER IF NOT EXISTS '{{db_user}}'@'0.0.0.0' IDENTIFIED BY '%db_password%';\"", secrets: ['db_password' => get('db_password')]);
+    run("mysql --user=\"root\" -e \"CREATE USER IF NOT EXISTS '{{db_user}}'@'%' IDENTIFIED BY '%db_password%';\"", secrets: ['db_password' => get('db_password')]);
     run("mysql --user=\"root\" -e \"GRANT ALL PRIVILEGES ON *.* TO '{{db_user}}'@'0.0.0.0' WITH GRANT OPTION;\"");
     run("mysql --user=\"root\" -e \"GRANT ALL PRIVILEGES ON *.* TO '{{db_user}}'@'%' WITH GRANT OPTION;\"");
     run("mysql --user=\"root\" -e \"FLUSH PRIVILEGES;\"");
@@ -50,8 +50,8 @@
 desc('Provision MariaDB');
 task('provision:mariadb', function () {
     run('apt-get install -y mariadb-server', env: ['DEBIAN_FRONTEND' => 'noninteractive'], timeout: 900);
-    run("mysql --user=\"root\" -e \"CREATE USER IF NOT EXISTS '{{db_user}}'@'0.0.0.0' IDENTIFIED BY '%secret%';\"", secret: get('db_password'));
-    run("mysql --user=\"root\" -e \"CREATE USER IF NOT EXISTS '{{db_user}}'@'%' IDENTIFIED BY '%secret%';\"", secret: get('db_password'));
+    run("mysql --user=\"root\" -e \"CREATE USER IF NOT EXISTS '{{db_user}}'@'0.0.0.0' IDENTIFIED BY '%db_password%';\"", secrets: ['db_password' => get('db_password')]);
+    run("mysql --user=\"root\" -e \"CREATE USER IF NOT EXISTS '{{db_user}}'@'%' IDENTIFIED BY '%db_password%';\"", secrets: ['db_password' => get('db_password')]);
     run("mysql --user=\"root\" -e \"GRANT ALL PRIVILEGES ON *.* TO '{{db_user}}'@'0.0.0.0' WITH GRANT OPTION;\"");
     run("mysql --user=\"root\" -e \"GRANT ALL PRIVILEGES ON *.* TO '{{db_user}}'@'%' WITH GRANT OPTION;\"");
     run("mysql --user=\"root\" -e \"FLUSH PRIVILEGES;\"");
@@ -62,6 +62,6 @@
 task('provision:postgresql', function () {
     run('apt-get install -y postgresql postgresql-contrib', env: ['DEBIAN_FRONTEND' => 'noninteractive'], timeout: 900);
     run("sudo -u postgres psql <<< $'CREATE DATABASE {{db_name}};'");
-    run("sudo -u postgres psql <<< $'CREATE USER {{db_user}} WITH ENCRYPTED PASSWORD \'%secret%\';'", secret: get('db_password'));
+    run("sudo -u postgres psql <<< $'CREATE USER {{db_user}} WITH ENCRYPTED PASSWORD \'%db_password%\';'", secrets: ['db_password' => get('db_password')]);
     run("sudo -u postgres psql <<< $'GRANT ALL PRIVILEGES ON DATABASE {{db_name}} TO {{db_user}};'");
 });
diff --git a/recipe/provision/user.php b/recipe/provision/user.php
@@ -32,8 +32,8 @@
         // Make color prompt.
         run("sed -i 's/#force_color_prompt=yes/force_color_prompt=yes/' /home/deployer/.bashrc");
 
-        $password = run("mkpasswd -m sha-512 '%secret%'", secret: get('sudo_password'));
-        run("usermod --password '%secret%' deployer", secret: $password);
+        $password = run("mkpasswd -m sha-512 '%password%'", secrets: ['password' => get('sudo_password')]);
+        run("usermod --password '%password%' deployer", secrets: ['password' => $password]);
 
         // Copy root public key to deployer user so user can login without password.
         run('cp /root/.ssh/authorized_keys /home/deployer/.ssh/authorized_keys');
diff --git a/src/ProcessRunner/ProcessRunner.php b/src/ProcessRunner/ProcessRunner.php
@@ -21,6 +21,7 @@
 
 use function Deployer\Support\deployer_root;
 use function Deployer\Support\env_stringify;
+use function Deployer\Support\replace_secrets;
 
 class ProcessRunner
 {
@@ -43,12 +44,6 @@ public function run(Host $host, string $command, RunParams $params): string
             $terminalOutput($type, $buffer);
         };
 
-        if (!empty($params->secrets)) {
-            foreach ($params->secrets as $key => $value) {
-                $command = str_replace('%' . $key . '%', $value, $command);
-            }
-        }
-
         if (!empty($params->env)) {
             $env = env_stringify($params->env);
             $command = "export $env; $command";
@@ -59,7 +54,7 @@ public function run(Host $host, string $command, RunParams $params): string
         }
 
         $process = Process::fromShellCommandline($params->shell)
-            ->setInput($command)
+            ->setInput(replace_secrets($command, $params->secrets))
             ->setTimeout($params->timeout)
             ->setIdleTimeout($params->idleTimeout)
             ->setWorkingDirectory($params->cwd ?? deployer_root());
diff --git a/src/Ssh/SshClient.php b/src/Ssh/SshClient.php
@@ -20,6 +20,7 @@
 use Symfony\Component\Process\Process;
 
 use function Deployer\Support\env_stringify;
+use function Deployer\Support\replace_secrets;
 
 class SshClient
 {
@@ -62,19 +63,13 @@ public function run(Host $host, string $command, RunParams $params): string
             $command = "export $env; $command";
         }
 
-        if (!empty($params->secrets)) {
-            foreach ($params->secrets as $key => $value) {
-                $command = str_replace('%' . $key . '%', strval($value), $command);
-            }
-        }
-
         $this->pop->command($host, 'run', $command);
         $this->logger->log("[{$host->getAlias()}] run $command");
 
 
         $process = new Process($ssh);
         $process
-            ->setInput($command)
+            ->setInput(replace_secrets($command, $params->secrets))
             ->setTimeout($params->timeout)
             ->setIdleTimeout($params->idleTimeout);
 
diff --git a/src/Support/helpers.php b/src/Support/helpers.php
@@ -65,6 +65,16 @@ function ($key, $value) {
     ));
 }
 
+function replace_secrets(string $command, ?array $secrets): string
+{
+    if (!empty($secrets)) {
+        foreach ($secrets as $key => $value) {
+            $command = str_replace('%' . $key . '%', strval($value), $command);
+        }
+    }
+    return $command;
+}
+
 function is_closure(mixed $var): bool
 {
     return is_object($var) && ($var instanceof \Closure);
diff --git a/src/functions.php b/src/functions.php
@@ -367,7 +367,7 @@ function within(string $path, callable $callback): mixed
  * ```php
  * run('echo hello world');
  * run('cd {{deploy_path}} && git status');
- * run('password %secret%', secret: getenv('CI_SECRET'));
+ * run('password %my_secret%', secrets: ['my_secret' => getenv('SECRET')]);
  * run('curl medv.io', timeout: 5);
  * ```
  *
@@ -380,7 +380,7 @@ function within(string $path, callable $callback): mixed
  * @param string|null $cwd Sets the process working directory. If not set {{working_path}} will be used.
  * @param int|null $timeout Sets the process timeout (max. runtime). The timeout in seconds (default: 300 sec; see {{default_timeout}}, `null` to disable).
  * @param int|null $idleTimeout Sets the process idle timeout (max. time since last output) in seconds.
- * @param string|null $secret Placeholder `%secret%` can be used in command. Placeholder will be replaced with this value and will not appear in any logs.
+ * @param array|null $secrets Placeholder `%secret%` for sensitive information.
  * @param array|null $env Array of environment variables: `run('echo $KEY', env: ['key' => 'value']);`
  * @param bool|null $forceOutput Print command output in real-time.
  * @param bool|null $nothrow Don't throw an exception of non-zero exit code.
@@ -394,7 +394,7 @@ function run(
     ?string $cwd = null,
     ?array  $env = null,
     #[\SensitiveParameter]
-    ?string $secret = null,
+    ?array  $secrets = null,
     ?bool   $nothrow = false,
     ?bool   $forceOutput = false,
     ?int    $timeout = null,
@@ -408,7 +408,7 @@ function run(
         timeout: $timeout ?? get('default_timeout', 300),
         idleTimeout: $idleTimeout,
         forceOutput: $forceOutput,
-        secrets: empty($secret) ? null : ['secret' => $secret],
+        secrets: $secrets,
     );
 
     $dotenv = get('dotenv', false);
@@ -469,7 +469,7 @@ function run(
  * @param string|null $cwd Sets the process working directory. If not set {{working_path}} will be used.
  * @param int|null $timeout Sets the process timeout (max. runtime). The timeout in seconds (default: 300 sec, `null` to disable).
  * @param int|null $idleTimeout Sets the process idle timeout (max. time since last output) in seconds.
- * @param string|null $secret Placeholder `%secret%` can be used in command. Placeholder will be replaced with this value and will not appear in any logs.
+ * @param array|null $secrets Placeholder `%secret%` for sensitive information.
  * @param array|null $env Array of environment variables: `runLocally('echo $KEY', env: ['key' => 'value']);`
  * @param bool|null $forceOutput Print command output in real-time.
  * @param bool|null $nothrow Don't throw an exception of non-zero exit code.
@@ -485,7 +485,7 @@ function runLocally(
     ?int    $timeout = null,
     ?int    $idleTimeout = null,
     #[\SensitiveParameter]
-    ?string $secret = null,
+    ?array  $secrets = null,
     ?array  $env = null,
     ?bool   $forceOutput = false,
     ?bool   $nothrow = false,
@@ -499,7 +499,7 @@ function runLocally(
         timeout: $timeout,
         idleTimeout: $idleTimeout,
         forceOutput: $forceOutput,
-        secrets: empty($secret) ? null : ['secret' => $secret],
+        secrets: $secrets,
     );
 
     $process = Deployer::get()->processRunner;
