Use Cloud Build secret mechanisms for sensitive environment variables #1769

@coderabbitai

Description

Pre-signed upload URLs and other sensitive values are currently passed as plaintext environment variables to Cloud Build jobs in src/pkg/cli/client/byoc/gcp/byoc.go. This exposes them to anyone who can view build configs or logs based on GCP IAM permissions.

Affected Variables

The following sensitive environment variables should be protected:

  • DEFANG_STATES_UPLOAD_URL - Pre-signed URL for states upload (lines 381-383)
  • DEFANG_EVENTS_UPLOAD_URL - Pre-signed URL for events upload (lines 385-387)
  • PULUMI_CONFIG_PASSPHRASE - Has existing TODO comment (line 359)
  • Backend URL variable - Has existing TODO comment

Recommendation

Use Cloud Build's secretEnv with Secret Manager or KMS to protect these values instead of passing them as plaintext environment variables.

Context

These URLs are dynamically generated by fabric.CreateUploadURL() and are pre-signed capability URLs scoped to specific files. The codebase already has TODO: make secret comments for similar sensitive values, indicating this is a known pattern needing remediation.
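
The recommendation above, as an added Go example (not code from the project's byoc.go): it partitions a build step's environment into plaintext env entries and secretEnv names, and produces the availableSecrets.secretManager references that Cloud Build resolves at run time. The struct types are local mirrors of the Build resource fields; the project ID, the secret-ID naming scheme and the sample values are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Local mirrors of the Cloud Build fields steps[].env, steps[].secretEnv
// and availableSecrets.secretManager[] (versionName, env).
type SecretManagerSecret struct{ VersionName, Env string }

type BuildStep struct {
	Env       []string // "KEY=VALUE", readable in the build config
	SecretEnv []string // names only; values never appear in the config
}

// Variable names from the issue's "Affected Variables" list.
var sensitive = map[string]bool{
	"DEFANG_STATES_UPLOAD_URL": true,
	"DEFANG_EVENTS_UPLOAD_URL": true,
	"PULUMI_CONFIG_PASSPHRASE": true,
}

// splitEnv keeps non-sensitive entries in Env, moves sensitive ones to
// SecretEnv, and returns the values the caller must write to Secret Manager.
func splitEnv(project string, env []string) (BuildStep, []SecretManagerSecret, map[string]string) {
	var step BuildStep
	var refs []SecretManagerSecret
	toStore := map[string]string{}
	for _, kv := range env {
		k, v, _ := strings.Cut(kv, "=")
		if !sensitive[k] {
			step.Env = append(step.Env, kv)
			continue
		}
		id := strings.ToLower(strings.ReplaceAll(k, "_", "-")) // hypothetical secret-ID scheme
		step.SecretEnv = append(step.SecretEnv, k)
		refs = append(refs, SecretManagerSecret{fmt.Sprintf("projects/%s/secrets/%s/versions/latest", project, id), k})
		toStore[id] = v
	}
	return step, refs, toStore
}

func main() {
	step, refs, store := splitEnv("example-project", []string{ // constructed sample values
		"PROJECT=demo",
		"DEFANG_STATES_UPLOAD_URL=https://storage.example/states?sig=CONSTRUCTED",
		"PULUMI_CONFIG_PASSPHRASE=constructed-passphrase",
	})
	fmt.Printf("env=%v secretEnv=%v\nrefs=%+v\nto store: %d values\n", step.Env, step.SecretEnv, refs, len(store))
}
```

Because the upload URLs are generated per build, each value has to be written as a secret version before the build is submitted; with concurrent builds, reference the specific version number created for that build rather than `latest`.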
