https://github.com/andreijiroh-dev/dotenvx-secretstore
A git-backed experiment with using dotenvx for managing CI/prod secrets.
- Host: GitHub
- URL: https://github.com/andreijiroh-dev/dotenvx-secretstore
- Owner: andreijiroh-dev
- License: mpl-2.0
- Created: 2024-07-06T17:57:12.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-07-25T07:23:29.000Z (almost 2 years ago)
- Last Synced: 2025-03-15T22:47:31.418Z (over 1 year ago)
- Language: JavaScript
- Size: 104 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# `@ajhalili2006/dotenvx-secretstore`
A git-backed experiment with using dotenvx for managing CI/prod secrets. Kinda
similar to using `gopass`, but without the GPG/SSH key wrangling and web-based
dashboard chaos.
## Related projects
* [`dotenv-tools`](./tools/) - CLI tool to manage repositories like this one (run it locally with `npm run cli` from the project root directory)
* [`dotenv-keys` shell hook and function](./contrib/shell-hooks/)
* [GitHub Actions integration](https://github.com/andreijiroh-dev/dotenvx-action)
## Rationale
I am currently a Doppler user for safekeeping secrets, but plan to switch to
`dotenvx` and use plain git for audit logs. The plan is simple or complex
depending on who asks. In a nutshell:
* Store the dotenvx-encrypted `.env` files in a central repository like this one, so the git history doubles as the audit log and everything is managed in one place
* Keep the private keys (dotenvx writes them to `.env.keys`) in Doppler or directly in the CI provider's secrets settings, not in this repository
* In each CI job, pull the project's `.env` file from this repository and load it with the `dotenvx` CLI, supplying the private key from the CI secret
## Requirements
* the `dotenvx` CLI for setup and maintenance (also reachable as `dotenv-tools dotenvx`)
* `git` for everything else, plus `bash` and Node.js for the tools in this repository
## Usage
### First Use Setup
```bash
# install dotenvx (optional; skip if it is already on your PATH)
# the installer is remote code run with your user's privileges, so fetch
# the script and read it before piping it to bash
curl -fsSL https://scripts.andreijiroh.xyz/tools/dotenvx | bash -s -- --directory="$HOME/.local/bin"
# register the project's specifics in this repository
npm run cli -- projects add [--copy-ci-secrets|--commit]
# optionally push the result to the project's local checkout as its .env file
npm run cli -- secrets push --repo-path=/path/to/local-copy [--upload-dotenv-keys=|--no-commit] [optional-env-file]
```
### Managing secrets
```bash
cd projects/ # or stay in the root directory for repository-wide (meta) secrets
# add or update a secret via dotenvx: the value is encrypted to the target
# file's public key, so only ciphertext lands in git.
# --plain writes the value unencrypted and has no place in a file that gets committed.
dotenvx set [-f .env.ci] [--plain] -- NAME somerandomtexthere
# push to the project's repo to sync
./bin/push-secrets --repo-path=/path/to/local-copy [--upload-dotenv-keys=|--no-commit] [optional-env-file]
```
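The rationale splits the store into two halves: encrypted `.env` files that live in git, and private keys that live only in Doppler or CI secrets. The guard below is an added example, not code from dotenvx-secretstore or from dotenvx itself; it enforces that split before a push by checking that every value in a dotenvx `.env` file carries the `encrypted:` prefix (so a value written with `dotenvx set --plain` is caught) and that no `.env.keys` file is among the staged paths. It assumes dotenvx's on-disk layout (a `DOTENV_PUBLIC_KEY*` header entry, `encrypted:`-prefixed ciphertext, private keys in `.env.keys`) and reads the staged path list from a file standing in for `git diff --cached --name-only`; the sample `.env.ci` and path list are constructed inline.

```shell
#!/usr/bin/env bash
# Added example, not code from dotenvx-secretstore or dotenvx: a pre-push guard
# for a git-backed dotenvx secret store, enforcing "ciphertext in git, private
# keys elsewhere".
# Assumptions: dotenvx file layout (DOTENV_PUBLIC_KEY* header entry, values
# prefixed "encrypted:", private keys in .env.keys); the staged-path list is
# read from a file standing in for `git diff --cached --name-only`.
set -u

# Succeeds if every KEY=VALUE line in $1 is the DOTENV_PUBLIC_KEY* entry, an
# empty value, or "encrypted:" ciphertext. Prints each offender and fails
# otherwise, which is what a value written with `dotenvx set --plain` triggers.
check_encrypted_env() {
  local file="$1" line key val bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;                 # blank lines and comments
    esac
    key="${line%%=*}"
    val="${line#*=}"
    val="${val#\"}"; val="${val%\"}"       # strip the quotes dotenvx writes
    val="${val#\'}"; val="${val%\'}"
    case "$key" in
      DOTENV_PUBLIC_KEY*) continue ;;      # the public key belongs in git
    esac
    case "$val" in
      ''|encrypted:*) ;;                   # ciphertext (or empty): fine
      *) echo "plaintext value for $key in $file" >&2; bad=1 ;;
    esac
  done < "$file"
  return "$bad"
}

# Fails if any path in the list file $1 is a dotenvx private-key file.
check_no_private_keys_staged() {
  local staged_list="$1"
  if grep -E '(^|/)\.env\.keys$' "$staged_list" >&2; then
    echo "refusing push: private key file listed above is staged" >&2
    return 1
  fi
  return 0
}

# Demo on constructed files: one value encrypted, one that slipped in plain,
# and a staged list that includes .env.keys.
demo() {
  local tmp ok=0
  tmp="$(mktemp -d)"
  cat > "$tmp/.env.ci" <<'EOF'
#/-------------------[DOTENV_PUBLIC_KEY]--------------------/
DOTENV_PUBLIC_KEY_CI="03aa11bb22cc33dd44ee55ff66aa77bb88cc99dd00ee11ff22aa33bb44cc55dd66"
API_TOKEN="encrypted:BDqDBibm4wsYqMpCjTQ3BsUhPVbzEXAMPLEONLY"
DB_PASSWORD="hunter2"
EOF
  printf 'projects/demo/.env.ci\nprojects/demo/.env.keys\n' > "$tmp/staged.txt"
  check_encrypted_env "$tmp/.env.ci" || ok=1
  check_no_private_keys_staged "$tmp/staged.txt" || ok=1
  if [ "$ok" -eq 0 ]; then
    echo "push allowed"
  else
    echo "push blocked"
  fi
  rm -rf "$tmp"
}

demo
```

Wire `check_encrypted_env` over each `.env*` file and `check_no_private_keys_staged` over `git diff --cached --name-only` into a pre-commit or pre-push hook of this repository; the first check is what keeps a stray `--plain` value out of the audit trail, and the second is what keeps the "private keys live only in Doppler or CI secrets" half of the plan honest.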