Environment Variables
Securely manage secrets and configuration for your BambooSnow agents using environment variables.
Overview
Environment variables let you:
- Store API keys and secrets securely
- Configure agent behavior without code changes
- Use different values per environment
- Reference external service credentials
Setting Environment Variables
Via Dashboard
- Navigate to Settings > Environment Variables
- Click Add Variable
- Enter the name and value
- Choose the scope (repository or organization)
- Click Save
Via API
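```bash
# Create a repository-scoped variable; the body is JSON, so declare it as such
curl -X POST https://api.bamboosnow.com/v1/env \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "SLACK_WEBHOOK",
    "value": "https://hooks.slack.com/...",
    "scope": "repository",
    "repository": "owner/repo"
  }'
```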
Via CLI
```bash
bamboosnow env set SLACK_WEBHOOK "https://hooks.slack.com/..."
bamboosnow env set API_KEY "secret-key" --secret
```
Using Environment Variables
Reference variables in your configuration:
```yaml
# .bamboosnow/config.yml
notifications:
  slack:
    webhook_url: ${SLACK_WEBHOOK}
agents:
  - name: custom-agent
    config:
      api_key: ${EXTERNAL_SERVICE_API_KEY}
      endpoint: ${EXTERNAL_SERVICE_URL}
```
Variable Scopes
Repository Scope
Variables available only to a specific repository:
```yaml
scope: repository
repository: owner/repo
```
Organization Scope
Variables available to all repositories in an organization:
```yaml
scope: organization
organization: your-org
```
Environment Scope
Different values for different environments:
```yaml
environments:
  production:
    API_URL: https://api.production.com
    LOG_LEVEL: warn
  staging:
    API_URL: https://api.staging.com
    LOG_LEVEL: debug
```
Secret Variables
Mark sensitive values as secrets:
```bash
bamboosnow env set DATABASE_PASSWORD "secret" --secret
```
Secret variables:
- Are encrypted at rest
- Never appear in logs
- Are masked in the UI
- Cannot be read via API (only set)
Built-in Variables
BambooSnow provides these variables automatically:
| Variable | Description |
|----------|-------------|
| BAMBOOSNOW_REPO | Repository name (owner/repo) |
| BAMBOOSNOW_BRANCH | Current branch name |
| BAMBOOSNOW_PR_NUMBER | Pull request number (if applicable) |
| BAMBOOSNOW_COMMIT_SHA | Current commit SHA |
| BAMBOOSNOW_RUN_ID | Unique ID for this agent run |
| BAMBOOSNOW_AGENT_NAME | Name of the running agent |
Best Practices
Naming Conventions
```text
# Good
STRIPE_API_KEY
DATABASE_URL
SLACK_WEBHOOK_URL

# Avoid
key
secret
myvar
```
Organization
Group related variables:
```text
# Slack integration
SLACK_WEBHOOK_URL
SLACK_CHANNEL
SLACK_BOT_TOKEN

# Database
DATABASE_URL
DATABASE_POOL_SIZE
DATABASE_SSL_MODE

# External APIs
GITHUB_TOKEN
JIRA_API_KEY
PAGERDUTY_TOKEN
```
Security
- Never commit secrets to your repository
- Rotate secrets regularly
- Use the minimum required permissions
- Audit secret access periodically
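A check that enforces "never commit secrets" against the `${VAR}` reference syntax this page uses, as an added example that is not BambooSnow's own tooling. It flags credential-looking keys that hold a literal instead of a reference, and references to variables that are not defined. The name `lint_config`, the sensitive-key word list, and the line-based parsing (instead of a full YAML parser) are assumptions; the sample config is constructed.

```python
import re

# Assumption: keys whose names contain these words hold credentials.
SENSITIVE_KEY = re.compile(r"(key|token|secret|password|webhook)", re.I)
REFERENCE = re.compile(r"^\$\{([A-Z][A-Z0-9_]*)\}$")
PAIR = re.compile(r"^\s*(?:-\s+)?([A-Za-z_][\w-]*):\s*(.*?)\s*$")


def strip_comment(value):
    """Drop a trailing ' # comment' and surrounding quotes from a scalar."""
    value = re.sub(r"\s+#.*$", "", value).strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return value


def lint_config(text, defined):
    """Return (line_no, key, problem) findings; values are never echoed."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = PAIR.match(line)  # comment lines and list scalars do not match
        if not match:
            continue
        key, value = match.group(1), strip_comment(match.group(2))
        if not value:  # mapping header such as "slack:"
            continue
        ref = REFERENCE.match(value)
        if ref and ref.group(1) not in defined:
            findings.append((line_no, key, "undefined variable " + ref.group(1)))
        elif not ref and SENSITIVE_KEY.search(key):
            findings.append((line_no, key, "literal value on a sensitive key"))
    return findings


# Constructed sample: the page's config with two mistakes introduced.
SAMPLE = """\
notifications:
  slack:
    webhook_url: "https://hooks.slack.example/constructed"
agents:
  - name: custom-agent
    config:
      api_key: ${EXTERNAL_SERVICE_API_KEY}
      endpoint: ${EXTERNAL_SERVICE_URL}
"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE, defined={"EXTERNAL_SERVICE_API_KEY"}):
        print("line %d: %s: %s" % finding)
```

Findings carry only the line number, key name and problem, so the output can be pasted into a CI log without exposing the value it caught.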
Syncing with External Secret Managers
Integrate with external secret managers:
AWS Secrets Manager
```yaml
secrets:
  provider: aws-secrets-manager
  path: bamboosnow/production
  sync_interval: 1h
```
HashiCorp Vault
```yaml
secrets:
  provider: vault
  address: https://vault.company.com
  path: secret/bamboosnow
  auth:
    method: token
    token: ${VAULT_TOKEN}
```
GitHub Secrets
```yaml
secrets:
  provider: github
  inherit: true # Use repository secrets
```
Variable Validation
Validate that variables are set correctly:
```yaml
required_variables:
  - name: DATABASE_URL
    pattern: "^postgres://.*"
    message: "DATABASE_URL must be a valid PostgreSQL URL"
  - name: API_KEY
    min_length: 32
    message: "API_KEY must be at least 32 characters"
```