
How to build ZMK firmware that includes secrets / sensitive information?

Open tobiasbueschel opened this issue 7 months ago • 5 comments

Hi and thanks for this fantastic project 👏

I'm trying to build a custom ZMK firmware for my split keyboard including sensitive macro strings and I'd like to avoid having these in a VCS or a public GitHub Action runner in plain sight - is there already a recommended pattern for this? (I've searched existing issues and StackOverflow).

Injecting secrets into GitHub Action

  • the current Build User Config Action does not support sending custom secrets nor do I know what the ZMK recommended way would be to include environment variables references within the .keymap file
  • example repo: https://github.com/tobiasbueschel/zmk-sofle-keyboard/blob/404526cff0c1069d8d7aed3e78e6e774088ddce7/.github/workflows/build.yml#L12-L14

Building locally

  • Would be great so that no sensitive information leaks, however, I was running into build errors with the recommended approach using Docker and also using https://github.com/nektos/act to run the GitHub Action job locally:
```text
OCI runtime exec failed: exec failed: unable to start container process: exec: "node": executable file not found in $PATH: unknown
[build/Reusable user config build/Build-5              ]   ❌  Failure - Main Archive (settings_reset - eyelash_sofle_right) [598.884167ms]
[build/Reusable user config build/Build-5              ] exitcode '126': failure
```

This error is probably just due to me having to configure act and node correctly within the Docker container it uses and I can figure it out in the next days. Just thought I mention building locally here given it's the most obvious solution for this idea.

Cheers

tobiasbueschel avatar Jul 22 '25 16:07 tobiasbueschel

Keeping sensitive information as macro strings should be discouraged, as this is not a secure method of storage. My advice to you would be to cease attempting to do so.

A secure storage possibility exists theoretically only for the time being, and would require quite a bit of development work.

nmunnich avatar Jul 22 '25 16:07 nmunnich

Thanks for the swift reply & definitely hear your concern!

A sensitive / private string that I'd like to use in a macro could also be an email or a phone number, which I need for my keyboard's firmware but not necessarily want to have within VCS or a public repo.

tobiasbueschel avatar Jul 22 '25 18:07 tobiasbueschel

The official documentation does not use act to run builds; please see https://zmk.dev/docs/development/local-toolchain/build-flash once you have set up a toolchain (for example with Docker).

I don't think I have come across anyone trying to set up secrets injection into GH workflow, unfortunately. Doing it within the official scope of the project would probably not be appropriate due to general security concerns, like Nick pointed out.

caksoylar avatar Jul 22 '25 18:07 caksoylar

I've also looked for a solution to this a couple of times, but haven't found anything. I have a couple of email addresses as macros that I don't want in a public repo, which means I can't share my config publicly.

MattiasOlla avatar Aug 31 '25 22:08 MattiasOlla

Hello everyone! I've built an ugly, but working, implementation of the Secret Macro; docs are in my repo: https://github.com/wlo2/zmk-totem-dongle-secret-macro. Since the injection is only possible during the build, it can't be made into a module, only into a job.

wlo2 avatar Oct 12 '25 19:10 wlo2
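The build-time injection that the question and the last comment describe, as an added example that is not part of this thread, not ZMK's recommended pattern, and not the code from wlo2's repo. It assumes a US layout, ZMK's standard keycode names (`A`..`Z`, `N0`..`N9`, `AT`, `DOT`, `UNDER`, and `LS()` for shifted letters), and the hypothetical names `ZMK_SECRET_EMAIL` for the environment variable, `email_macro` for the macro node and `config/secrets.dtsi` for the generated file. The script reads the secret from the environment (never from a command-line argument, which would show up in process listings and CI logs), emits a `zmk,behavior-macro` devicetree node whose bindings type the string, and refuses to write the file unless the target path is covered by `.gitignore`. Characters without a keycode mapping are rejected rather than silently dropped, so a macro never types a truncated secret.

```python
"""Generate a ZMK macro devicetree fragment from a secret held in an environment
variable, so the secret itself never lives in the tracked keymap.

Example, not ZMK project code. Names and paths are assumptions (see lead-in).
"""
import fnmatch
import os
import re
import sys

# Non-alphanumeric characters -> ZMK keycode names (US layout assumed).
PUNCT = {
    "@": "AT", ".": "DOT", "-": "MINUS", "_": "UNDER", "+": "PLUS",
    "/": "SLASH", " ": "SPACE", "!": "EXCL", "#": "HASH", "$": "DLLR",
    "%": "PRCNT", "&": "AMPS", "*": "STAR", ",": "COMMA", ":": "COLON",
    ";": "SEMI", "=": "EQUAL", "?": "QMARK",
}


def keycode(ch: str) -> str:
    """Return the ZMK key-press binding that types one character."""
    if ch.isascii() and ch.isalpha():
        # Uppercase letters are typed as shift + letter.
        return f"&kp LS({ch})" if ch.isupper() else f"&kp {ch.upper()}"
    if ch.isascii() and ch.isdigit():
        return f"&kp N{ch}"
    if ch in PUNCT:
        return f"&kp {PUNCT[ch]}"
    # Fail loudly: a silently dropped character would type a wrong secret.
    raise ValueError(f"no ZMK keycode mapping for {ch!r}")


def macro_dtsi(node: str, secret: str) -> str:
    """Render a devicetree overlay defining a zmk,behavior-macro node."""
    if not re.fullmatch(r"[a-z][a-z0-9_]*", node):
        raise ValueError(f"invalid devicetree node name {node!r}")
    if not secret:
        raise ValueError("secret is empty")
    bindings = " ".join(keycode(c) for c in secret)
    return (
        "/ {\n"
        "    macros {\n"
        f"        {node}: {node} {{\n"
        '            compatible = "zmk,behavior-macro";\n'
        "            #binding-cells = <0>;\n"
        f"            bindings = <{bindings}>;\n"
        "        };\n"
        "    };\n"
        "};\n"
    )


def is_gitignored(path: str, gitignore_lines) -> bool:
    """Rough .gitignore match (plain patterns, no negation): enough to refuse
    writing the generated file somewhere git would track it."""
    name = os.path.basename(path)
    for raw in gitignore_lines:
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        if fnmatch.fnmatch(path, pat.lstrip("/")) or fnmatch.fnmatch(name, pat):
            return True
    return False


def render_from_env(var: str, node: str) -> str:
    """Build the overlay from the secret in environment variable `var`."""
    secret = os.environ.get(var)
    if not secret:
        raise RuntimeError(f"{var} is not set; refusing to build an empty macro")
    return macro_dtsi(node, secret)


def main(argv):
    # usage: gen_secret_macro.py ENV_VAR NODE_NAME OUT_PATH [GITIGNORE]
    var, node, out = argv[1:4]
    gitignore = argv[4] if len(argv) > 4 else ".gitignore"
    with open(gitignore, encoding="utf-8") as fh:
        ignored = fh.read().splitlines()
    if not is_gitignored(out, ignored):
        sys.exit(f"{out} is not covered by {gitignore}; refusing to write a secret there")
    text = render_from_env(var, node)
    with open(out, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(out, 0o600)
    # Report the keystroke count only; never echo the secret into CI logs.
    print(f"wrote {out} ({text.count('&kp')} keystrokes)")


if __name__ == "__main__":
    main(sys.argv)
```

To use it, add `config/secrets.dtsi` to `.gitignore`, put `#include "secrets.dtsi"` at the top of the keymap and `&email_macro` in a layer's bindings, and run the script in a build step with `ZMK_SECRET_EMAIL` supplied from a repository secret (for the Build User Config reusable workflow this means a job or fork of your own, as the last comment notes). The caveat nmunnich raised still applies in full: the compiled firmware contains the keystroke sequence in cleartext, so anyone holding the `.uf2` or the keyboard can recover the string. This only keeps it out of the repository and the workflow file.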