Bitbucket Pipelines - Automated Setup

Set up Bitbucket Pipelines variables from the SikkerKey dashboard using OAuth.

SikkerKey can automatically configure your Bitbucket repository for CI/CD -- generating a machine identity, pushing pipeline variables, and adding the pipeline file -- all from the dashboard. No CLI commands, no copying credentials, no touching Bitbucket Settings.

How It Works

  1. From the dashboard, go to Integrations and expand Bitbucket Pipelines
  2. Click Connect Bitbucket to authorize SikkerKey via OAuth
  3. Select a repository, a SikkerKey project, and which secrets to grant access to
  4. Choose whether to add the pipeline file via pull request or direct commit
  5. Click Set up

SikkerKey handles everything:

  • Generates an Ed25519 keypair for the CI machine
  • Registers and auto-approves the machine
  • Grants access to your selected secrets
  • Pushes four pipeline variables (SIKKERKEY_VAULT_ID, SIKKERKEY_MACHINE_ID, SIKKERKEY_PRIVATE_KEY_B64, SIKKERKEY_PROJECT_ID) to your repository
  • Optionally commits the pipeline file or opens a pull request

PEM Key Encoding

Bitbucket pipeline variables cannot contain line breaks. The private key is base64-encoded before storage as SIKKERKEY_PRIVATE_KEY_B64. The pipeline script decodes it at runtime.
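The encoding round trip described above, as an added example (not SikkerKey's own pipeline script): a POSIX sh preflight that checks the four variables and decodes the key in memory. The function names, exit codes, sample PEM and the "PRIVATE KEY" framing check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not SikkerKey's pipeline script: preflight for the four
# variables the integration pushes. POSIX sh; assumes a `base64` that accepts -d.

# Constructed placeholder, NOT a real key: only the PEM framing matters here.
SAMPLE_PEM='-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtS0VZ
-----END PRIVATE KEY-----'

# Multi-line PEM on stdin -> single-line base64, the shape the variable needs.
encode_pem() { base64 | tr -d '\n'; }

# Decode to stdout only. printf is a shell builtin, so the value does not
# appear in a process argument list, and nothing is written to disk.
decode_key() { printf '%s' "${SIKKERKEY_PRIVATE_KEY_B64:-}" | base64 -d 2>/dev/null; }

# Returns 0 when usable; 1 missing variable, 2 line break in the value,
# 3 not base64, 4 not a PEM private key. Messages name variables, never values.
preflight() {
  for name in SIKKERKEY_VAULT_ID SIKKERKEY_MACHINE_ID \
              SIKKERKEY_PROJECT_ID SIKKERKEY_PRIVATE_KEY_B64; do
    eval "value=\${$name:-}"   # indirect lookup over the fixed names above
    [ -n "$value" ] || { echo "missing variable: $name" >&2; return 1; }
  done
  nl='
'
  case "$SIKKERKEY_PRIVATE_KEY_B64" in
    *"$nl"*) echo "SIKKERKEY_PRIVATE_KEY_B64 contains a line break" >&2; return 2 ;;
  esac
  pem=$(decode_key) || { echo "value is not valid base64" >&2; return 3; }
  case "$pem" in
    "-----BEGIN "*"PRIVATE KEY-----"*"-----END "*"PRIVATE KEY-----") ;;
    *) echo "decoded value is not a PEM private key" >&2; return 4 ;;
  esac
  unset pem value   # drop the decoded copy once the check has passed
  return 0
}
```

Sourcing this file and calling `preflight` as the first step of a pipeline script makes a missing or mangled variable fail early with a message that names the variable without printing it.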

After Setup

If you chose Pull Request, merge the PR to activate the pipeline. If you chose Direct Commit, the pipeline runs on the next push.

If your repository already has a bitbucket-pipelines.yml, SikkerKey commits the configuration as bitbucket-sikkerkey-pipelines.yml. You then add an import in your existing pipeline to reference it.

If no bitbucket-pipelines.yml exists, SikkerKey creates one that imports the configuration automatically.

Managing Configured Repositories

Repositories you've already set up are shown at the top of the Bitbucket panel on the Integrations page. From there you can:

  • Disconnect a repository -- revokes the machine, deletes the pipeline variables, and removes the pipeline file
  • Set up another repository using the form below the configured list

Machines created through the Bitbucket integration also appear on the Machines page like any other machine.

Disconnecting

Before removing the OAuth connection, disconnect every configured repository so that its pipeline variables are cleaned up. Then click Disconnect on the Integrations page to remove the Bitbucket OAuth connection from SikkerKey.

Security

  • Encrypted tokens. OAuth tokens are encrypted with the server encryption key and stored in the database. They are never exposed to users after the initial authorization.
  • Secured variables. All pipeline variables are stored as secured variables in Bitbucket. Secured variables are encrypted at rest and masked in pipeline logs.
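  • Base64 encoding. The PEM private key is base64-encoded only so that it fits Bitbucket's variable format. The encoding adds no confidentiality of its own; that comes from storing the value as a secured variable. It is decoded at runtime inside the pipeline and never stored in plaintext on disk.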
  • Auto-approved machine. The CI machine is auto-approved because you initiated the setup from an authenticated dashboard session. It follows the same Ed25519 authentication model as every other machine.
  • Private key handling. The machine's private key is generated server-side, pushed as a pipeline variable, and immediately discarded. It is never stored in SikkerKey.
  • Audit logged. Connection, setup, disconnect, and cleanup actions are all recorded in your audit log.

Requirements

  • A Bitbucket account with admin access to the target repository (required to create pipeline variables)
  • The repository must have at least one commit

When to Use Manual Setup Instead

Use the manual setup if:

  • Your organization restricts third-party OAuth applications
  • You need to customize the bootstrap process