How to sign JSONNET configurations


we would like to switch from .drone.yml to .drone.jsonnet but for security reasons we sign our configuration files. For .drone.jsonnet I don’t found a way to sign it.

Can you help me?


Drone does not support signing a jsonnet file.

The only option is to convert the jsonnet to yaml and then sign the resulting yaml, and the commit to the repository.

drone jsonnet --source=.drone.jsonnet --target=.drone.yaml
drone sign --save

Thanks for the info, doesn’t makes this the direct jsonnet useless at least for software with public pull requests like OSS?

Or is there another way to restrict the modification of the jsonnet?

I don’t think it makes jsonnet useless (which sounds a little melodramatic). There are many teams, including ours, that use jsonnet for public repositories that accept pull request.

yes, sorry you are right it was a bit too dramatic :wink:

but without signing it would allow a PR creator to get secret tokens for external services?

oh I think I found the answer my self, secrets can be protected to be used in pull requests… seems I missed this. Unfortunately that wouldn’t solve the problem for us because we need them to push prebuilt packages base on the pull request to an external storage…