pushci 1.7.5 → 1.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md
CHANGED
|
@@ -183,6 +183,59 @@ personas:
|
|
|
183
183
|
fail: ["Avast, the build hath sunk."]
|
|
184
184
|
```
|
|
185
185
|
|
|
186
|
+
## Secrets
|
|
187
|
+
|
|
188
|
+
PushCI resolves secret references inline in `pushci.yml` env blocks.
|
|
189
|
+
Three schemes are supported today; PushCI never writes a plaintext
|
|
190
|
+
secret to disk it didn't already encrypt.
|
|
191
|
+
|
|
192
|
+
| Scheme | Backed by | Best for |
|
|
193
|
+
|---|---|---|
|
|
194
|
+
| `keychain://service[#account]` | macOS Keychain / Windows Credential Manager / Linux Secret Service, with AES-encrypted fallback at `~/.pushci/keychain.enc` for headless CI | Local dev, individual machines |
|
|
195
|
+
| `vault://path#field` | HashiCorp Vault AppRole (`VAULT_ADDR` + `VAULT_ROLE_ID` + `VAULT_SECRET_ID`) | Teams, audited environments |
|
|
196
|
+
| `pushci secrets set KEY VAL` | Per-project AES file at `.pushci/secrets.enc`, machine-bound | Quick one-offs, throwaway scripts |
|
|
197
|
+
|
|
198
|
+
```yaml
|
|
199
|
+
# pushci.yml
|
|
200
|
+
stages:
|
|
201
|
+
- name: publish
|
|
202
|
+
env:
|
|
203
|
+
NPM_TOKEN: keychain://npm-publish-token
|
|
204
|
+
DEPLOY_KEY: keychain://deploy-bot#prod
|
|
205
|
+
DB_PASSWORD: vault://secret/data/prod/db#password
|
|
206
|
+
checks:
|
|
207
|
+
- name: publish
|
|
208
|
+
run: npm publish
|
|
209
|
+
```
|
|
210
|
+
|
|
211
|
+
**Managing keychain entries from the CLI:**
|
|
212
|
+
|
|
213
|
+
```bash
|
|
214
|
+
pushci secrets keychain set npm-publish-token npm_xxxxxxxxxxxx
|
|
215
|
+
pushci secrets keychain set deploy-bot#prod s3cr3t
|
|
216
|
+
pushci secrets keychain get npm-publish-token
|
|
217
|
+
pushci secrets keychain list # fallback-file entries only
|
|
218
|
+
pushci secrets keychain rm npm-publish-token
|
|
219
|
+
```
|
|
220
|
+
|
|
221
|
+
On macOS the storage layout matches the `security` CLI verbatim, so the
|
|
222
|
+
common `.zshrc` helper functions work side-by-side:
|
|
223
|
+
|
|
224
|
+
```bash
|
|
225
|
+
secret() { security find-generic-password -a "$USER" -s "$1" -w 2>/dev/null; }
|
|
226
|
+
secret-set() { security add-generic-password -a "$USER" -s "$1" -w "$2" -U; }
|
|
227
|
+
```
|
|
228
|
+
|
|
229
|
+
Entries written by `secret-set` are readable by `pushci secrets keychain
|
|
230
|
+
get`, and vice versa — no `go-keyring-base64:` prefix gymnastics.
|
|
231
|
+
|
|
232
|
+
**Headless Linux CI:** when D-Bus and Secret Service aren't running,
|
|
233
|
+
PushCI falls back transparently to an AES-encrypted file at
|
|
234
|
+
`~/.pushci/keychain.enc` with a machine-bound key. A one-time stderr
|
|
235
|
+
warning fires the first time a fallback read or write happens, so the
|
|
236
|
+
behavior is never silent. Override account default with the `#account`
|
|
237
|
+
suffix; the current OS user is used when omitted.
|
|
238
|
+
|
|
186
239
|
## Configuration
|
|
187
240
|
|
|
188
241
|
`pushci.yml` is optional — `pushci init` generates one that works, and
|
package/bin/pushci-darwin-amd64
CHANGED
|
Binary file
|
package/bin/pushci-darwin-arm64
CHANGED
|
Binary file
|
package/bin/pushci-linux-amd64
CHANGED
|
Binary file
|
package/bin/pushci-linux-arm64
CHANGED
|
Binary file
|
|
Binary file
|
|
Binary file
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "pushci",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.8.0",
|
|
4
4
|
"description": "AI-native CI/CD that runs on your machine. Zero config, zero cost. Works inside AI agent sandboxes (Claude, Cursor, Windsurf). 33 languages, 40+ frameworks, 22 deploy targets, 25 installable skills, Tailscale mesh, blast radius analysis.",
|
|
5
5
|
"bin": {
|
|
6
6
|
"pushci": "bin/pushci.js"
|