Intuition

One of my master branch deployment pipelines failed with the following output:

$ if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then # collapsed multi-line command
Vulnerabilities detected. Please analyze the artifact gl-secret-detection-report.json produced by the 'secret-detection' job.
Exiting with status 80 due to detected vulnerabilities.


You can find information about this pipeline validation failure in this post on the GovCMS knowledge base: https://www.govcms.support/support/solutions/articles/51000438343-secret-detection-and-troubleshooting. In general, GovCMS checks your codebase to verify whether it contains a “secret”; a secret can be one of the following:

In my case, the pipeline failed because I had the following in my theme’s theme-name.libraries.yml file:

google-maps:
  version: 1.x
  js:
    //maps.google.com/maps/api/js?key=QWERTYUIOP: {type: external}    # ◀--------- HERE

geofield-map:
  version: 1.x
  js:
    js/dist/geofield-map.js: {}
  dependencies:
    - core/jquery
    - core/once
    - core/drupal
    - core/drupalSettings
    - theme-name/google-maps
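
A local check for this specific pattern, as an added example (not part of the original post and not the scanner behind the `secret-detection` job): it walks `*.libraries.yml` files and flags external asset URLs that carry a literal credential in the query string, so the problem is caught before the pipeline runs. The parameter names in `SECRET_PARAMS` and the sample text are assumptions made for this example.

```python
import re
import sys
from pathlib import Path
from urllib.parse import parse_qsl, urlsplit

# Query parameter names treated as credentials (an assumption of this example).
SECRET_PARAMS = {"key", "api_key", "apikey", "token", "access_token"}
# External asset keys in *.libraries.yml look like "//host/path?query: {type: external}".
URL_RE = re.compile(r"(?:https?:)?//[^\s'\"]+")

# Constructed sample that mirrors the libraries.yml snippet above.
SAMPLE = """\
google-maps:
  version: 1.x
  js:
    //maps.google.com/maps/api/js?key=QWERTYUIOP: {type: external}
geofield-map:
  js:
    js/dist/geofield-map.js: {}
    https://example.com/widget.js?v=3: {type: external}
"""


def scan_text(text, name="<sample>"):
    """Return (file, line, param, redacted value) for each hardcoded credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore YAML comment lines
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip(":")  # drop the YAML mapping colon
            for param, value in parse_qsl(urlsplit(url).query):
                if param.lower() in SECRET_PARAMS and value:
                    # Redact so the check never echoes the secret into CI logs.
                    findings.append((name, line_no, param, value[:2] + "***"))
    return findings


def main(argv):
    root = Path(argv[1]) if len(argv) > 1 else Path(".")
    findings = []
    for path in sorted(root.rglob("*.libraries.yml")):
        findings += scan_text(path.read_text(encoding="utf-8"), str(path))
    for name, line_no, param, redacted in findings:
        print(f"{name}:{line_no}: hardcoded '{param}' value {redacted}")
    return 1 if findings else 0  # non-zero exit blocks a pre-commit or pre-push hook


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the repository root, or pass a theme directory as the first argument.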

Resolution Method

Local / Development Environment

Since the secrets will be held at the Lagoon level on the GovCMS platform, they will not be available in your local environment automatically. Instead, you will need to add them locally in an override file so that your local website can access them. In your repository’s root directory, create a file named docker-compose.override.yml. This is a local-only file that you should NOT commit to your git repository; if it isn’t there already, be sure to add it to your .gitignore file. In this file, you can define what will become your secret variables:

docker-compose.override.yml

+ services:
+  php:
+    environment:
+      GOOGLE_MAPS_API_KEY: 'QWERTYUIOP'

In my case, I also need to remove this line from the original theme-name.libraries.yml file:

google-maps:
  version: 1.x
-       //maps.google.com/maps/api/js?key=QWERTYUIOP: {type: external}

geofield-map:
  version: 1.x
  js:
    js/dist/geofield-map.js: {}
  dependencies:
    - core/jquery
    - core/once
    - core/drupal
    - core/drupalSettings
    - theme-name/google-maps
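
Review bot: after the removed URL line, `google-maps:` is left with only `version: 1.x` and no `js:` key in the visible lines, so nothing in this file shows where the library's script comes from. Add a YAML comment under `google-maps:` saying that the external script is attached at runtime from the environment variable, so a later reader does not delete the entry or re-add the URL with the key in it.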

Then read the environment variable and add the JavaScript path via the hook_library_info_build hook (if you are creating a new library) OR the hook_library_info_alter hook (if you are overriding an existing library) in your theme-name.theme PHP file:

...
...
+ function themename_library_info_alter(&$libraries, $extension) {
+     $environment_google_maps_api_key = getenv('GOOGLE_MAPS_API_KEY');
+     $js_path = "//maps.google.com/maps/api/js?key=" . $environment_google_maps_api_key;
+     $attachments['#attached']['drupalSettings']['googleMapsApiKey'] = $environment_google_maps_api_key;
+     if (isset($libraries['google-maps'])) {
+        $libraries["google-maps"]["js"] = [$js_path => ['type' => 'external']];
+        return $libraries;
+    }
+ }
...
...
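
Review bot: the line `$attachments['#attached']['drupalSettings']['googleMapsApiKey'] = ...` assigns to `$attachments`, which is not one of this function's parameters (`&$libraries, $extension`), so it only creates a local variable and has no effect; drop it here and set drupalSettings from a page attachments hook instead. In the same hunk, `getenv('GOOGLE_MAPS_API_KEY')` returns `false` when the variable is unset, which would register the script URL with an empty `key=`, so check the value before building `$js_path`. Also compare `$extension` against the theme name before touching `$libraries['google-maps']`, and remove `return $libraries;`, which is unnecessary because `$libraries` is passed by reference.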

Optional: if the environment variable needs to be accessed from a JavaScript file, you can attach it to the drupalSettings object using the page_attachments_alter hook in your theme:

function THEME_page_attachments_alter(array &$attachments) {
  // drupalSettings is serialized into the page markup, so this value is visible to every visitor.
  $attachments['#attached']['drupalSettings']['GOOGLE_MAPS_API_KEY'] = getenv('GOOGLE_MAPS_API_KEY');
}

Then access it in your JavaScript as follows:

function get_environmental_variable_example(){
	console.log(window.drupalSettings.GOOGLE_MAPS_API_KEY);
}

Production Environment

Since docker-compose.override.yml is listed in .gitignore and is never pushed to the remote, production cannot set its environment variable the same way your local environment does. If you are in a GovCMS environment, you can add your environment variable in your “Lagoon Dashboard” (see the screenshot below), but this may vary depending on your deployment environment.

[Screenshot: Lagoon Dashboard]

