{"id":21511975,"url":"https://github.com/strvcom/shh","last_synced_at":"2025-04-09T18:20:36.459Z","repository":{"id":170153497,"uuid":"646272257","full_name":"strvcom/shh","owner":"strvcom","description":"CLI tool to manage versioned environment variable files using git-crypt","archived":false,"fork":false,"pushed_at":"2023-05-31T22:28:30.000Z","size":212,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-23T13:07:26.428Z","etag":null,"topics":["cli","environment","envs","git-crypt","secrets"],"latest_commit_sha":null,"homepage":"https://github.com/strvcom/shh","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/strvcom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-05-27T20:58:11.000Z","updated_at":"2024-12-08T16:11:36.000Z","dependencies_parsed_at":"2023-07-06T14:01:52.836Z","dependency_job_id":null,"html_url":"https://github.com/strvcom/shh","commit_stats":{"total_commits":134,"total_committers":1,"mean_commits":134.0,"dds":0.0,"last_synced_commit":"a6ea3dc75ac52ca8818c26c7dfc4eadd53f2f648"},"previous_names":["strvcom/shh"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/strvcom%2Fshh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/strvcom%2Fshh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/strvcom%2Fshh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/strvcom%2Fshh/manifests","owner_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/owners/strvcom","download_url":"https://codeload.github.com/strvcom/shh/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248085324,"owners_count":21045139,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","environment","envs","git-crypt","secrets"],"created_at":"2024-11-23T22:24:37.578Z","updated_at":"2025-04-09T18:20:36.437Z","avatar_url":"https://github.com/strvcom.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n\u003ch1\u003e🤫\u003cbr /\u003e\u003csmall\u003e@strv/shh\u003c/small\u003e\u003c/h1\u003e\n\nCLI tool to manage versioned environment variable files using [git-crypt](https://www.agwa.name/projects/git-crypt/).\n\n[![npm version](https://badge.fury.io/js/@strv%2Fshh.svg)](https://www.npmjs.com/package/@strv/shh) [![by STRV](https://img.shields.io/badge/by-STRV-ec0d32)](https://www.strv.com/)\n\n\u003c/div\u003e\n\n## Motivation\n\nWhile many projects deserve a proper secrets-handling solution such as [Vault, by HashiCorp](https://www.vaultproject.io/) or [AWS KMS](https://aws.amazon.com/kms/), these solutions are often costly and simply overkill for simpler setups. However, manually managing environment variables is a pain and prone to human error.\n\nMeanwhile, git-crypt has been providing a good solution to [manage your secrets together with your codebase](https://dev.to/heroku/how-to-manage-your-secrets-with-git-crypt-56ih). 
Although simple, git-crypt is not feature-rich and is not focused on this particular use case.\n\nEnter `@strv/shh`. Together with git-crypt, this tool will help you:\n\n- Encrypt versioned environment variables\n- Set up CI usage of these environment variables\n- Share environment variables safely with colleagues\n- Compare environment variables of different targets\n- Switch environments locally\n\n## How it works\n\nThe main idea here is to have a set of environment files (by default at `./envs/env.[name]`) that are encrypted using git-crypt, and a `.env` symbolic link to one of the available environments.\n\n`@strv/shh` helps set this up and switch/select environments both on local machines and on CI.\n\n## Install\n\nMake sure to have [git-crypt](https://github.com/AGWA/git-crypt) installed. On Mac OS, I recommend using [brew](https://github.com/AGWA/git-crypt/blob/master/INSTALL.md#installing-on-mac-os-x).\n\n```shell\nnpm add @strv/shh --dev\n```\n\n## Usage\n\n### First user\n\nThe first user will be the one to set up `@strv/shh` on the repository. Execute the following steps:\n\n1. Setup\n\n   ```shell\n   npx shh init\n   ```\n\n   This command has sensible defaults that can be overridden with extra [options](#options). After initialization, make sure to commit all generated files, and changes made to `.gitattributes` and `.gitignore`.\n\n2. Save key\n\n   You'll need to provide other users with the encryption key in order to unlock the repository (or for CI usage). Run the following to get the key:\n\n   ```sh\n   npx shh export-key\n   ```\n\n   The output key can be shared with other developers that are allowed to unlock the environment variables, and used on the CI setup.\n\n   \u003e Disclaimer: the output is a base64-encoded secret for easier handling.\n\n### Other users\n\nWhenever doing a fresh clone of the repository, it's necessary to unlock the environment variable files. 
With the key generated in the [step above](#2-save-key), run:\n\n```sh\nnpx shh unlock\n```\n\nYou'll be prompted to provide the key.\n\n### During development\n\n#### Create environments\n\nDifferent environments (development, production, etc.) are defined by the files that declare their variables. By default, these files are found at `./envs/env.[name]` (replacing `[name]` with the environment name).\n\nYou can create new environments either by manually creating these files or by using the following command:\n\n```sh\nnpx shh new\n```\n\nThe benefit of using the command is mainly to reuse the template, if set.\n\n### Switching environments\n\nWhenever you intend to execute the application under a different environment locally, run the base CLI:\n\n```sh\nnpx shh\n```\n\n### CI setup\n\nSetup on CI isn't much different from local setup. However, we recommend this shortcut:\n\n```sh\nSHH_KEY=[key] npx shh -e [environment]\n```\n\n`SHH_KEY` becomes the only environment variable that has to be made available manually in the CI admin setup.\n\n#### git-crypt\n\nThe main problem with using `@strv/shh` on CI is having git-crypt available, which depends entirely on the OS in use.\n\n[Vercel](https://vercel.com/docs/concepts/deployments/build-image) uses an image based on [Amazon Linux 2](https://aws.amazon.com/amazon-linux-2). 
`@strv/shh` includes a pre-built git-crypt binary for that image, available at `@strv/shh/bin/git-crypt--amazon-linux`, and this binary is used by default when executing commands in a Vercel environment. For safety reasons, however, we recommend you set up your CI environment following the git-crypt [install instructions](https://github.com/AGWA/git-crypt/blob/master/INSTALL.md).\n\n## Commands \u0026 Options\n\nOptions and descriptions for every command are available by appending `--help` to the command.\n\n### Global options\n\nThe following options are available to all commands, and are saved to `.shhrc` in case they differ from the defaults upon initializing.\n\n|                             | Description                                                                | Default               |\n| --------------------------- | -------------------------------------------------------------------------- | --------------------- |\n| `-t, --target \u003cpath\u003e`       | The path to the managed env file                                           | `\".env\"`              |\n| `-T, --template \u003cpath\u003e`     | The path to the env template file                                          | `\"./envs/template\"`   |\n| `-E, --environments \u003cpath\u003e` | The path pattern to the environment files                                  | `\"./envs/env.[name]\"` |\n| `-l, --log-level \u003clevel\u003e`   | What level of logs to report (choices: \"log\", \"silent\", \"warn\", \"nothing\") | `\"log\"`               |\n| `-c, --copy`                | Whether we should install environments using copy instead of symlink       | `false`               |\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cstrong\u003eInitialize (\u003ccode\u003enpx init\u003c/code\u003e)\u003c/strong\u003e\u003c/summary\u003e\n  \u003chr /\u003e\n\nInitializes `@strv/shh` and git-crypt setup.\n\n|             | Description                    | Default  |\n| ----------- | 
------------------------------ | -------- |\n| `-y, --yes` | Confirm YES to warning prompts | prompted |\n\n  \u003chr /\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cstrong\u003eSwitch (\u003ccode\u003enpx shh\u003c/code\u003e)\u003c/strong\u003e\u003c/summary\u003e\n  \u003chr /\u003e\n\nSwitch to an available environment. Options:\n\n|                            | Description                  | Default  |\n| -------------------------- | ---------------------------- | -------- |\n| `-e, --environment \u003cname\u003e` | The environment to switch to | prompted |\n\n  \u003chr /\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cstrong\u003eUnlock (\u003ccode\u003enpx unlock\u003c/code\u003e)\u003c/strong\u003e\u003c/summary\u003e\n  \u003chr /\u003e\n\nUnlock repository using git-crypt. Options:\n\n|                           | Environment variable | Description            | Default  |\n| ------------------------- | -------------------- | ---------------------- | -------- |\n| `-k, --encoded-key \u003ckey\u003e` | `SHH_KEY`            | The base64 encoded key | prompted |\n\n  \u003chr /\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cstrong\u003eLock (\u003ccode\u003enpx lock\u003c/code\u003e)\u003c/strong\u003e\u003c/summary\u003e\n  \u003chr /\u003e\n\nLocks the repository and encrypts environment files.\n\n|             | Description                    | Default  |\n| ----------- | ------------------------------ | -------- |\n| `-y, --yes` | Confirm YES to warning prompts | prompted |\n\n  \u003chr /\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cstrong\u003eNew environment (\u003ccode\u003enpx new\u003c/code\u003e)\u003c/strong\u003e\u003c/summary\u003e\n  \u003chr /\u003e\n\nCreate a new environment based on the template. 
Options:\n\n|                            | Description                | Default  |\n| -------------------------- | -------------------------- | -------- |\n| `-e, --environment \u003cname\u003e` | The environment to install | prompted |\n\n  \u003chr /\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cstrong\u003eDiff (\u003ccode\u003enpx diff\u003c/code\u003e)\u003c/strong\u003e\u003c/summary\u003e\n  \u003chr /\u003e\n\nCompares variables available on all environments (including template).\n\n  \u003chr /\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cstrong\u003eExport key (\u003ccode\u003enpx export-key\u003c/code\u003e)\u003c/strong\u003e\u003c/summary\u003e\n  \u003chr /\u003e\n\nOutputs a base64 encoded version of the encryption key.\n\n  \u003chr /\u003e\n\u003c/details\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstrvcom%2Fshh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstrvcom%2Fshh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstrvcom%2Fshh/lists"}