Skip to content

Allow decodeBase64 to work with nested variables#2777

Draft
somiljain2006 wants to merge 3 commits intojenkinsci:masterfrom
somiljain2006:fix/recursive-decodebase64
Draft

Allow decodeBase64 to work with nested variables#2777
somiljain2006 wants to merge 3 commits intojenkinsci:masterfrom
somiljain2006:fix/recursive-decodebase64

Conversation

@somiljain2006
Copy link
Copy Markdown
Contributor

@somiljain2006 somiljain2006 commented Feb 1, 2026
edited
Loading

Allow decodeBase64 to work correctly when its input is resolved from another secret source (e.g., environment variables), instead of failing during configuration loading.

Fixes #2488

Testing Done

  • Automated Testing: Added regression tests covering recursive secret resolution using decodeBase64, including SSH credentials.
  • Interactive Testing: Verified via a local Jenkins instance that configuration loading proceeds without failure and that the decoded SSH private key is correctly stored as a credential.

Your checklist for this pull request

🚨 Please review the guidelines for contributing to this repository.

  • Make sure you are requesting to pull a topic/feature/bugfix branch (right side) and not your master branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or in Jenkins JIRA
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Did you provide a test case? That demonstrates a feature that works or fixes the issue.

@somiljain2006 somiljain2006 requested a review from a team as a code owner February 1, 2026 06:54
timja
timja requested changes Feb 1, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@timja timja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we want this it seems to be workarounds for something that needs cleaning up elsewhere.

I haven't looked at this in detail and don't have the answer but I don't think this is the solution

Comment thread plugin/src/main/java/io/jenkins/plugins/casc/SecretSourceResolver.java Outdated
Comment thread plugin/src/main/java/io/jenkins/plugins/casc/SecretSourceResolver.java Outdated
Comment thread plugin/src/main/java/io/jenkins/plugins/casc/SecretSourceResolver.java Outdated
@somiljain2006
Copy link
Copy Markdown
Contributor Author

somiljain2006 commented Feb 1, 2026

Thanks for the feedback. I initially chose this approach because the crash occurs when decodeBase64 is evaluated eagerly on unresolved variables. My goal was to handle that specific exception so the multi-pass resolver could continue and resolve the inner variable.

However, I agree that patching the lookup feels like a workaround and that the issue should be addressed more cleanly. I will close this PR for now to propose a better solution and will return with a new proposal once I have it.

@somiljain2006 somiljain2006 marked this pull request as draft February 1, 2026 18:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@timja timja timja requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

decodeBase64 it not working in casc secrets

2 participants

@somiljain2006 @timja