
User secret not found when triggering deployment #3267

Closed
3 tasks done
philipkozeny opened this issue Jan 24, 2024 · 8 comments
Labels
bug Something isn't working

Comments

@philipkozeny

Component

server, agent

Describe the bug

I am working on a pipeline configuration to enable each user to deploy to a server using their own private SSH key. These keys are intended to be stored as user secrets.

The users set up a user secret in their profile, named ssh_deploy_prod_key, containing their private SSH key.
The deployment is triggered through the web interface.

Problem: Despite this setup, the deployment fails because the pipeline does not seem to recognize or access the user secrets as intended. Every time a deployment is triggered, I encounter the error: Secret "ssh_deploy_prod_key" not found or not allowed to be used.

System Info

{"source":"https://github.com/woodpecker-ci/woodpecker","version":"2.2.2"}

Additional context

Here's part of the pipeline:

  deploy-prod:
    image: *deployer_image   # YAML anchor defined elsewhere in the pipeline
    pull: true
    commands:
      # the secret is expected to be injected as $SSH_DEPLOY_PROD_KEY (base64-encoded private key)
      - eval `ssh-agent -s` && echo $SSH_DEPLOY_PROD_KEY | base64 -d | ssh-add -
      - deploy.py deployment.prod.json
    secrets: [ssh_deploy_prod_key]   # user secret set in the triggering user's profile
    when:
      - event: [deployment]

here's the error message: [generic] secret "ssh_deploy_prod_key" not found or not allowed to be used

here's the sqlite entry of the secret:

secret_id|secret_repo_id|secret_name|secret_value|secret_images|secret_events|secret_org_id
36|0|ssh_deploy_prod_key|asdf|[]|["deployment","push"]|4

The reference org is

id|name|is_user|private
4|my.username|1|0

Validations

  • Read the docs.
  • Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
  • Checked that the bug isn't fixed in the next version already [https://woodpecker-ci.org/faq#which-version-of-woodpecker-should-i-use]
@philipkozeny philipkozeny added the bug Something isn't working label Jan 24, 2024
@anbraten
Member

Interesting. We currently have a similar issue where our org secret is not recognized in tag events. Will investigate the issue.

@anbraten
Member

#3271 might help with identifying the issue.

@qwerty287
Contributor

@philipkozeny Can you check this again after #3271 has been merged?

@qwerty287 qwerty287 added the feedback this needs feedback label Feb 11, 2024
@philipkozeny
Author

@qwerty287 Running 2.3.0, there is no change: for user secrets I still get secret "ssh_deploy_key" not found. As soon as I add it as a secret to the repo or organization, it works.

@qwerty287 qwerty287 removed the feedback this needs feedback label Feb 24, 2024
@qwerty287
Contributor

Can you check the column user.user_org_id? What's in there for your user?

@philipkozeny
Author

user_org_id
4

here is a secret for my user

secret_id|secret_repo_id|secret_name|secret_value|secret_images|secret_events|secret_org_id
43|0|testsecret|supersecret|[]|["deployment"]|4

@qwerty287
Contributor

Wait, your repo is owned by an organization?

as soon as I add it as a secret to the repo or organization

This is the idea behind user secrets, they only work for repos owned by your user.

@philipkozeny
Author

Wait, your repo is owned by an organization?

as soon as I add it as a secret to the repo or organization

This is the idea behind user secrets, they only work for repos owned by your user.

Oh ... yes, it is. Sorry, since I did not find anything in the docs, my understanding was that the user secrets are available to the pipeline if the user triggers a run (e.g. for a deployment). My fault!
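The ownership rule that resolves this thread (a user secret is really a secret on the user's personal org, so it is only visible to repos owned by that personal org, regardless of who clicked "deploy") is worth seeing as code. The following is an added example in Go, the language Woodpecker is written in; it is not Woodpecker's own code and only models the scope rule as the maintainers describe it above. The Secret and Repo types, the ResolveSecret function, the constructed secrets slice, and org id 9 (a hypothetical organisation that owns the deploying repo) are all assumptions of the example; only the secret rows and org id 4 come from the sqlite dumps in the issue.

```go
package main

import (
	"errors"
	"fmt"
)

// Secret mirrors the columns of the sqlite dump in the issue
// (secret_repo_id, secret_org_id, secret_events, secret_images).
// A user secret is stored with RepoID = 0 and OrgID set to the user's
// personal org (the orgs row with is_user = 1), here id 4.
type Secret struct {
	Name   string
	Value  string
	RepoID int64    // != 0 for a repo secret
	OrgID  int64    // != 0 for an org or user secret
	Events []string // empty means "any event"
	Images []string // empty means "any image"
}

// Repo carries only what scope resolution needs: the repo id and the id of
// the org (or personal org) that owns it. Assumed shape, not Woodpecker's.
type Repo struct {
	ID    int64
	OrgID int64
}

// ErrSecretNotAllowed mirrors the message quoted in the issue.
var ErrSecretNotAllowed = errors.New("not found or not allowed to be used")

// matches treats an empty allow-list as "anything goes".
func matches(list []string, want string) bool {
	if len(list) == 0 {
		return true
	}
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// inScope implements the ownership rule from the thread (an assumption of this
// example, not Woodpecker's own code): a secret is visible to a pipeline only
// if it belongs to the repo itself or to the org that owns the repo. The user
// who triggered the pipeline plays no part in the decision.
func inScope(s Secret, repo Repo) bool {
	if s.RepoID != 0 {
		return s.RepoID == repo.ID
	}
	return s.OrgID != 0 && s.OrgID == repo.OrgID
}

// ResolveSecret returns the value a step would receive for name, or an error
// if no in-scope secret of that name exists or its event/image filters reject
// this run.
func ResolveSecret(all []Secret, repo Repo, name, event, image string) (string, error) {
	for _, s := range all {
		if s.Name != name || !inScope(s, repo) {
			continue
		}
		if !matches(s.Events, event) || !matches(s.Images, image) {
			return "", fmt.Errorf("secret %q %w (event %q, image %q)", name, ErrSecretNotAllowed, event, image)
		}
		return s.Value, nil
	}
	return "", fmt.Errorf("secret %q %w", name, ErrSecretNotAllowed)
}

// Constructed data modelled on the dumps in the issue: both rows are user
// secrets on personal org 4.
var secrets = []Secret{
	{Name: "ssh_deploy_prod_key", Value: "asdf", RepoID: 0, OrgID: 4, Events: []string{"deployment", "push"}},
	{Name: "testsecret", Value: "supersecret", RepoID: 0, OrgID: 4, Events: []string{"deployment"}},
}

func main() {
	userRepo := Repo{ID: 1, OrgID: 4} // owned by the user's personal org
	orgRepo := Repo{ID: 2, OrgID: 9}  // owned by a (hypothetical) organisation

	for _, r := range []Repo{userRepo, orgRepo} {
		v, err := ResolveSecret(secrets, r, "ssh_deploy_prod_key", "deployment", "deployer")
		fmt.Printf("repo %d (org %d): value=%q err=%v\n", r.ID, r.OrgID, v, err)
	}
	// Event filter: testsecret is allowed on deployment events only.
	_, err := ResolveSecret(secrets, userRepo, "testsecret", "push", "deployer")
	fmt.Println("testsecret on push:", err)
}
```

Running it shows the two outcomes from the thread side by side: the user-owned repo receives the key, while the org-owned repo gets the "not found or not allowed to be used" error even though the same user triggered both deployments. The practical consequence for the reporter's design is that a per-user deploy key on an org-owned repo has to be a repo or org secret, which means every pipeline in that scope can read it; if the goal is "only the triggering user's key", that isolation has to come from somewhere other than user secrets.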
