[Question] What is best way to pass password and secrets to runtime

[IlfirinPL]

Currently, variables and environment variables are stored in the robot.toml file, which is kept in the Git repository. This poses a significant risk if any passwords or secrets are accidentally committed.

A safer approach is to separate secrets from the main configuration by:

• Creating a file such as robot.toml.local that contains environment variables and passwords.
• Adding this file to .gitignore so it is not tracked by Git and does not get committed to the repository.
• Configuring the application to load or override settings from robot.toml.local during runtime.

[bhirsz]

I believe it's incorrect repository for this issue, did you mean https://github.com/robotcodedev/robotcode ? I'm asking since it's robotcode which can be used to define your configuration used to run Robot Framework.

But to answer the question anyway - there are several ways of dealing with secrets. Usually they are either encypted (with git encrypt) or stored externally (in vault , jenkins/github/whatever secrets) and set as environment variables in your runner. Locally they can be sourced into git ignored files like you mentioned, to prevent commiting them. Additionaly you can add simple Python script run on pre-commit to detect if someone accidentally commited something that looks like a secret.

As you may see the topic is broad and it depend on your needs.. if the question was actually directed at Robocop we may think about some rules to help with secrets. For example security rules that would detect if someone keeps secret-like variables. But such rule would be prone to false positive warnings.

[IlfirinPL]

Thank you for response, I agree that should be in https://github.com/robotcodedev/robotcode
I think I need extra documentation or extra feature that allow to extend robot.toml