xenvsync

CI/CD Recipes

Secure pipeline patterns for decrypting and injecting secrets without committing plaintext files.

Baseline Pattern

1. Store the key in your CI secret manager, never in the repository.

2. Install xenvsync in pipeline jobs.

3. Write the key at runtime with restricted permissions.

4. Run pull or run only in jobs that actually need secrets.

Warning: Prefer environment-scoped vaults (for example, staging and production) to reduce blast radius.

GitHub Actions

Workflow snippetyaml
name: build
on: [push]

jobs:
  app:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: bash scripts/install-latest-xenvsync.sh
      - run: |
          echo "$XENVSYNC_KEY" > .xenvsync.key
          chmod 600 .xenvsync.key
        env:
          XENVSYNC_KEY: ${{ secrets.XENVSYNC_KEY }}
      - run: xenvsync pull --env staging
      - run: npm ci && npm test

GitLab CI

.gitlab-ci.yml snippetyaml
build:
  image: ubuntu:24.04
  script:
    - bash scripts/install-latest-xenvsync.sh
    - echo "$XENVSYNC_KEY" > .xenvsync.key
    - chmod 600 .xenvsync.key
    - xenvsync pull --env staging
    - npm ci
    - npm test

CircleCI

.circleci/config.yml snippetyaml
jobs:
  build:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run: bash scripts/install-latest-xenvsync.sh
      - run: |
          echo "$XENVSYNC_KEY" > .xenvsync.key
          chmod 600 .xenvsync.key
      - run: xenvsync pull --env staging
      - run: npm ci && npm test

Bitbucket Pipelines

bitbucket-pipelines.yml snippetyaml
pipelines:
  default:
    - step:
        image: atlassian/default-image:4
        script:
          - bash scripts/install-latest-xenvsync.sh
          - echo "$XENVSYNC_KEY" > .xenvsync.key
          - chmod 600 .xenvsync.key
          - xenvsync pull --env staging
          - npm ci
          - npm test

Use pull vs run

Use xenvsync pull when downstream tools require an actual .env file.

Use xenvsync run -- your-command when you want in-memory injection and no plaintext file output.

PreviousIntegrationsNext Security Model