{"id":20331155,"url":"https://github.com/comcast/buildenv-tool","last_synced_at":"2026-02-26T16:00:58.611Z","repository":{"id":47491837,"uuid":"243037730","full_name":"Comcast/Buildenv-Tool","owner":"Comcast","description":null,"archived":false,"fork":false,"pushed_at":"2024-10-23T13:04:46.000Z","size":65,"stargazers_count":22,"open_issues_count":3,"forks_count":8,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-04-11T21:07:20.652Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Comcast.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-02-25T15:43:51.000Z","updated_at":"2024-10-23T13:04:27.000Z","dependencies_parsed_at":"2024-06-19T00:34:19.302Z","dependency_job_id":"628982f4-e5ba-498f-b26e-2ed3eaf02734","html_url":"https://github.com/Comcast/Buildenv-Tool","commit_stats":null,"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Comcast%2FBuildenv-Tool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Comcast%2FBuildenv-Tool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Comcast%2FBuildenv-Tool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Comcast%2FBuildenv-Tool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Comcast","download_url":"https://codeload.github.com/Comcast/Buildenv-Tool/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248480434,"owners_count":21110937,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T20:19:00.996Z","updated_at":"2026-02-26T16:00:58.605Z","avatar_url":"https://github.com/Comcast.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"buildenv\n========\n\nA tool for generating environment exports from a YAML file. Variables can be set in plain test, or by specifying vault key-value (version 2) paths and keys (`kv_secrets`) or the older generic / kv paths (`secrets`) where the key name \"value\" is assumed. Buildenv will autodetect between version 2 and version 1 `kv_secret` paths _unless it can't read the mount details_. For that case, `kv_secrets` will assume version 2, and `kv1_secrets` will use version 1.\n\nUsage\n-----\n\nGiven a `variables.yml` file like this:\n```yaml\n---\nvars:\n GLOBAL: \"global\"\n\nsecrets:\n GENERIC_SECRET: \"gen/test\"\n KV_SECRET: \"old/test\"\n KV2_SECRET: \"secret/oldstyle\"\n\nkv_secrets:\n - path: \"secret/test\"\n vars:\n KV2_ONE: \"one\"\n KV2_TWO: \"two\"\n - path: \"old/test\"\n vars:\n KV1: \"value\"\n - path: \"gen/test\"\n vars:\n KV_GENERIC: \"value\"\n\nkv1_secrets:\n- path: \"old/test\"\n vars:\n KV1SPECIFIC: \"value\"\n\nenvironments:\n stage:\n vars:\n ENVIRONMENT: \"stage\"\n\n secrets:\n ANOTHER_SECRET: \"secret/oldstyle\"\n\n dcs:\n ndc_one:\n vars:\n DC: \"one\"\n kv_secrets:\n - path: \"old/test\"\n vars:\n KV2_THREE: \"three\"\n```\n\nOutput would look like this:\n\n```bash\n% buildenv -c -e stage -d ndc_one\n# Global Variables\nexport GLOBAL=\"global\"\nexport KV2_ONE=\"1\" # Path: secret/test, Key: one\nexport KV2_TWO=\"2\" # Path: secret/test, Key: two\nexport KV1=\"old\" # Path: old/test, Key: value\nexport KV_GENERIC=\"generic\" # Path: gen/test, Key: value\nexport KV1SPECIFIC=\"old\" # Path: old/test, Key: value\nexport GENERIC_SECRET=\"generic\" # Path: gen/test, Key: value\nexport KV_SECRET=\"old\" # Path: old/test, Key: value\nexport KV2_SECRET=\"default\" # Path: secret/oldstyle, Key: value\n# Environment: stage\nexport ENVIRONMENT=\"stage\"\nexport ANOTHER_SECRET=\"default\" # Path: secret/oldstyle, Key: value\n# Datacenter: ndc_one\nexport DC=\"one\"\nexport KV2_THREE=\"3\" # Path: old/test, Key: three\n```\n\nAnother mode uses -r to run a command. All exports will be provided directly to a subshell invoked with the command. This is especially useful in the context of a Makefile where it's very awkward to export lists of environment variables. An added benefit is it's now trivial to set environment variables just for a single command without causing any side-effects for subsequent commands.\n\nExample Makefile:\n\n```\nlist-buckets: creds.yml\n buildenv -e stage -f $\u003c -r \"aws s3 ls\"\n```\n\nIf it's necessary to merge or save a set of variables (for example, so that vault does not need to be called repeatedly), the -u option allows for saving and using a set of variables from the environment without writing possibly sensitive data out to a file:\n\n```bash\n% export SAVED_ENV=`echo '{\"example_var\": \"the value\"}' | base64`\n% buildenv -u SAVED_ENV -f /dev/null\nexport example_var=\"the value\"\n```\n\nThis takes a base64 encoded json object with key-value pairs and treats them as additional input variables. The corresponding flag for export in the same format is -x:\n\n```bash\n% buildenv -u SAVED_ENV -f /dev/null -x | base64 -d\n{\"example_var\":\"the value\"}\n```\n\nMultiple -u options can be used as well as combined with -f to combine multiple sources. Given the above variables.yml:\n\n```bash\n% export SAVED_ENV=`echo '{\"example_var\": \"the value\"}' | base64`\n% export SAVED_ENV2=`echo '{\"another_var\": \"another value\"}' | base64`\n% buildenv -u SAVED_ENV -u SAVED_ENV2 -v\nexport GLOBAL=\"global\"\nexport example_var=\"the value\"\nexport another_var=\"another value\"\n```\n\n*A Note About Vault:* If you have `secrets` or `kv_secrets` defined in either the global or environment scope, it's a mapping from environment variable to the path \u0026 key in vault. Buildenv uses all the standard vault environment variables to communicate with vault (`VAULT_ADDR` and `VAULT_TOKEN` being the two you're most likely to use.) You can find the complete list [in the vault client docs](https://pkg.go.dev/github.com/hashicorp/vault-client-go@v0.4.2#WithEnvironment).\n\nRunning on Linux or in Docker container\n----------\n\nIt is recommended to use the flag `-m` when running on linux or docker container with swap enabled. This will attempt to lock memory and prevent secrets from being written to swap space. If running on a docker container it may be necessary to add `--cap-add=IPC_LOCK` to the `docker run` command or in the `docker-compose` file to allow this. More info can be found at https://hub.docker.com/_/vault under Memory Locking and 'setcap'.\n\nDeveloping\n----------\n\nTo test with vault, run:\n\n```bash\ndocker-compose up vault -d\nexport VAULT_ADDR=\"http://localhost:8200\"\nexport VAULT_TOKEN=\"test\"\nvault secrets enable -path gen generic\nvault secrets enable -version=1 -path old kv\nvault kv put secret/test \"one=1\" \"two=2\"\nvault kv put secret/oldstyle \"value=default\"\nvault kv put old/test \"value=old\" \"three=3\"\nvault write gen/test \"value=generic\"\n\nbuildenv -c -e stage -d ndc_one\ndocker-compose down\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcomcast%2Fbuildenv-tool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcomcast%2Fbuildenv-tool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcomcast%2Fbuildenv-tool/lists"}