npm - vaulter - Versions diffs - 1.0.33 → 1.0.35 - Mend

vaulter 1.0.33 → 1.0.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/README.md +261 -38
package/action.yml +116 -0
package/dist/action/formats.d.ts +57 -0
package/dist/action/formats.d.ts.map +1 -0
package/dist/action/formats.js +241 -0
package/dist/action/formats.js.map +1 -0
package/dist/action/index.d.ts +17 -0
package/dist/action/index.d.ts.map +1 -0
package/dist/action/index.js +216 -0
package/dist/action/index.js.map +1 -0
package/dist/action/inputs.d.ts +38 -0
package/dist/action/inputs.d.ts.map +1 -0
package/dist/action/inputs.js +109 -0
package/dist/action/inputs.js.map +1 -0
package/dist/cli/commands/pull.d.ts +10 -0
package/dist/cli/commands/pull.d.ts.map +1 -1
package/dist/cli/commands/pull.js +124 -2
package/dist/cli/commands/pull.js.map +1 -1
package/dist/cli/commands/sync/index.d.ts.map +1 -1
package/dist/cli/commands/sync/index.js +4 -2
package/dist/cli/commands/sync/index.js.map +1 -1
package/dist/cli/index.js +1 -1
package/dist/cli/index.js.map +1 -1
package/dist/config.js +2 -2
package/dist/config.js.map +1 -1
package/dist/index.d.ts +3 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -0
package/dist/index.js.map +1 -1
package/dist/lib/outputs.d.ts +86 -0
package/dist/lib/outputs.d.ts.map +1 -0
package/dist/lib/outputs.js +284 -0
package/dist/lib/outputs.js.map +1 -0
package/dist/mcp/resources.js +21 -5
package/dist/mcp/resources.js.map +1 -1
package/dist/types.d.ts +116 -0
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/package.json +4 -2

package/README.md CHANGED Viewed

@@ -312,47 +312,164 @@ Vaulter separates **local development** from **deployment** configurations:
 ## CI/CD
-### GitHub Actions (Recommended)
+### GitHub Action (Recommended)
-Use `vaulter run` to execute commands with auto-loaded environment variables:
+Use the official Vaulter GitHub Action for seamless CI/CD integration:
 ```yaml
-name: Build & Deploy
-on:
-  push:
-    branches: [main]
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - name: Pull secrets from backend
-        env:
-          VAULTER_KEY: ${{ secrets.VAULTER_KEY }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: npx vaulter sync pull -e prd
-      - name: Build with env vars
-        run: npx vaulter run -e prd -- pnpm build
-  deploy:
-    needs: build
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Deploy secrets to K8s
-        env:
-          VAULTER_KEY: ${{ secrets.VAULTER_KEY }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: npx vaulter export k8s-secret -e prd | kubectl apply -f -
-```
-**Auto-detection in CI:** When `CI=true` or `GITHUB_ACTIONS` is set, vaulter automatically loads from `.vaulter/deploy/` instead of `.vaulter/local/`.
+- uses: forattini-dev/vaulter@v1
+  id: secrets
+  with:
+    backend: s3://my-bucket/secrets
+    project: my-app
+    environment: prd
+    outputs: env,k8s-secret
+  env:
+    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+    VAULTER_PASSPHRASE: ${{ secrets.VAULTER_PASSPHRASE }}
+```
+#### Output Formats
+| Output | File | Use Case |
+|:-------|:-----|:---------|
+| `env` | `.env` | Docker, Node.js |
+| `json` | `vaulter-vars.json` | Custom scripts |
+| `k8s-secret` | `k8s-secret.yaml` | `kubectl apply` |
+| `k8s-configmap` | `k8s-configmap.yaml` | `kubectl apply` |
+| `helm-values` | `helm-values.yaml` | `helmfile`, `helm` |
+| `tfvars` | `terraform.auto.tfvars` | `terraform`, `terragrunt` |
+| `shell` | `vaulter-env.sh` | `source` in scripts |
+#### Full Examples
+**kubectl:**
+```yaml
+- uses: forattini-dev/vaulter@v1
+  with:
+    backend: ${{ secrets.VAULTER_BACKEND }}
+    project: my-app
+    environment: prd
+    outputs: k8s-secret,k8s-configmap
+    k8s-namespace: my-namespace
+  env:
+    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+    VAULTER_PASSPHRASE: ${{ secrets.VAULTER_PASSPHRASE }}
+- run: |
+    kubectl apply -f k8s-secret.yaml
+    kubectl apply -f k8s-configmap.yaml
+```
+**Helmfile:**
+```yaml
+- uses: forattini-dev/vaulter@v1
+  with:
+    backend: ${{ secrets.VAULTER_BACKEND }}
+    project: my-app
+    environment: prd
+    outputs: helm-values
+    helm-values-path: ./helm/secrets.yaml
+  env:
+    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+    VAULTER_PASSPHRASE: ${{ secrets.VAULTER_PASSPHRASE }}
+- run: helmfile -e prd apply
+```
+**Terraform/Terragrunt:**
+```yaml
+- uses: forattini-dev/vaulter@v1
+  with:
+    backend: ${{ secrets.VAULTER_BACKEND }}
+    project: infra
+    environment: prd
+    outputs: tfvars
+    # .auto.tfvars is loaded automatically by Terraform!
+    tfvars-path: ./secrets.auto.tfvars
+  env:
+    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+    VAULTER_PASSPHRASE: ${{ secrets.VAULTER_PASSPHRASE }}
+- run: terragrunt apply -auto-approve
+```
+**Docker Build:**
+```yaml
+- uses: forattini-dev/vaulter@v1
+  with:
+    backend: ${{ secrets.VAULTER_BACKEND }}
+    project: my-app
+    environment: prd
+    outputs: env
+    env-path: .env.production
+  env:
+    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+    VAULTER_PASSPHRASE: ${{ secrets.VAULTER_PASSPHRASE }}
+- run: docker build --secret id=env,src=.env.production -t app .
+```
+**Export to GITHUB_ENV:**
+```yaml
+- uses: forattini-dev/vaulter@v1
+  with:
+    backend: ${{ secrets.VAULTER_BACKEND }}
+    project: my-app
+    environment: prd
+    export-to-env: true  # Makes vars available in subsequent steps
+  env:
+    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+    VAULTER_PASSPHRASE: ${{ secrets.VAULTER_PASSPHRASE }}
+- run: echo "Database is $DATABASE_URL"  # Available!
+```
+#### Action Inputs
+| Input | Required | Default | Description |
+|:------|:--------:|:--------|:------------|
+| `backend` | ✓ | - | S3 connection string |
+| `project` | ✓ | - | Project name |
+| `environment` | ✓ | - | Environment (dev/stg/prd) |
+| `service` | | - | Service (monorepo) |
+| `outputs` | | `env` | Comma-separated outputs |
+| `k8s-namespace` | | `default` | K8s namespace |
+| `export-to-env` | | `false` | Export to GITHUB_ENV |
+| `mask-values` | | `true` | Mask secrets in logs |
+#### Action Outputs
+| Output | Description |
+|:-------|:------------|
+| `env-file` | Path to .env file |
+| `k8s-secret-file` | Path to K8s Secret YAML |
+| `k8s-configmap-file` | Path to K8s ConfigMap YAML |
+| `helm-values-file` | Path to Helm values file |
+| `tfvars-file` | Path to .tfvars file |
+| `vars-count` | Number of variables |
+| `vars-json` | JSON array of variable names |
+### CLI in CI/CD
+You can also use the CLI directly:
+```yaml
+- name: Pull and build
+  env:
+    VAULTER_PASSPHRASE: ${{ secrets.VAULTER_PASSPHRASE }}
+    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  run: |
+    npx vaulter sync pull -e prd
+    npx vaulter run -e prd -- pnpm build
+```
 ### Other Platforms
@@ -417,6 +534,112 @@ vaulter export shell -e dev -s api --no-shared
 ---
+## Output Targets (Multi-Framework)
+**One config → multiple `.env` files.** Works with any framework: Next.js, NestJS, Express, NX, Turborepo, etc.
+### The Problem
+Different apps need different variables in different places:
+```
+apps/
+├── web/          # Next.js needs .env.local with NEXT_PUBLIC_*
+├── api/          # NestJS needs .env with DATABASE_*, JWT_*
+└── admin/        # Needs everything
+```
+### The Solution
+Define outputs once, pull everywhere:
+```yaml
+# .vaulter/config.yaml
+outputs:
+  web:
+    path: apps/web
+    filename: .env.local
+    include: [NEXT_PUBLIC_*]      # Only public vars
+  api:
+    path: apps/api
+    include: [DATABASE_*, JWT_*]  # Only backend vars
+    exclude: [*_DEV]              # No dev-only vars
+  admin: apps/admin               # Shorthand: all vars
+# Shared across all outputs (inherited automatically)
+shared:
+  include: [NODE_ENV, LOG_LEVEL, SENTRY_*]
+```
+### Pull to All Outputs
+```bash
+# Pull to all outputs at once
+vaulter sync pull --all
+# Result:
+# ✓ web: apps/web/.env.local (5 vars)
+# ✓ api: apps/api/.env (12 vars)
+# ✓ admin: apps/admin/.env (25 vars)
+```
+### Pull to Specific Output
+```bash
+# Pull only web
+vaulter sync pull --output web
+# Preview without writing
+vaulter sync pull --all --dry-run
+```
+### How It Works
+```
+┌─────────────────────────────────────────────────────────┐
+│                    Backend (S3)                         │
+│  DATABASE_URL, JWT_SECRET, NEXT_PUBLIC_API, LOG_LEVEL   │
+└────────────────────────┬────────────────────────────────┘
+                         │
+              vaulter sync pull --all
+                         │
+         ┌───────────────┼───────────────┐
+         ▼               ▼               ▼
+   ┌──────────┐    ┌──────────┐    ┌──────────┐
+   │   web    │    │   api    │    │  admin   │
+   │ .env.local│   │  .env    │    │  .env    │
+   │          │    │          │    │          │
+   │ LOG_LEVEL│    │ LOG_LEVEL│    │ LOG_LEVEL│  ← shared (inherited)
+   │ NEXT_*   │    │ DATABASE_│    │ ALL VARS │  ← filtered by include/exclude
+   └──────────┘    │ JWT_*    │    └──────────┘
+                   └──────────┘
+```
+### Pattern Syntax
+| Pattern | Matches |
+|:--------|:--------|
+| `NEXT_PUBLIC_*` | `NEXT_PUBLIC_API_URL`, `NEXT_PUBLIC_GA_ID` |
+| `*_SECRET` | `JWT_SECRET`, `API_SECRET` |
+| `DATABASE_*` | `DATABASE_URL`, `DATABASE_HOST` |
+| `*_URL` | `API_URL`, `DATABASE_URL`, `REDIS_URL` |
+### Inheritance
+By default, `shared.include` vars are added to ALL outputs. Override with `inherit: false`:
+```yaml
+outputs:
+  isolated-app:
+    path: apps/isolated
+    inherit: false           # No shared vars
+    include: [ISOLATED_*]
+```
+---
 ## API Usage
 ```typescript

package/action.yml ADDED Viewed

@@ -0,0 +1,116 @@
+name: 'Vaulter - Pull Secrets'
+description: 'Pull environment variables from Vaulter backend and generate outputs for kubectl, helm, terraform, and more'
+author: 'Forattini'
+branding:
+  icon: 'lock'
+  color: 'purple'
+inputs:
+  # ─── Connection ───
+  backend:
+    description: 'Connection string (s3://bucket, file://path, memory://). Can also use VAULTER_BACKEND env var.'
+    required: false
+  passphrase:
+    description: 'Encryption passphrase for symmetric mode. Can also use VAULTER_PASSPHRASE env var.'
+    required: false
+  # ─── Filters ───
+  project:
+    description: 'Project name'
+    required: true
+  environment:
+    description: 'Environment (dev/stg/prd or custom)'
+    required: true
+  service:
+    description: 'Service name for monorepo setups'
+    required: false
+  # ─── Outputs Selection ───
+  outputs:
+    description: 'Comma-separated list of outputs to generate: env,json,k8s-secret,k8s-configmap,helm-values,tfvars,shell'
+    default: 'env'
+  # ─── Output Paths ───
+  env-path:
+    description: 'Path for .env file output'
+    default: '.env'
+  json-path:
+    description: 'Path for JSON output'
+    default: 'vaulter-vars.json'
+  k8s-secret-path:
+    description: 'Path for Kubernetes Secret YAML'
+    default: 'k8s-secret.yaml'
+  k8s-configmap-path:
+    description: 'Path for Kubernetes ConfigMap YAML'
+    default: 'k8s-configmap.yaml'
+  helm-values-path:
+    description: 'Path for Helm values.yaml'
+    default: 'helm-values.yaml'
+  tfvars-path:
+    description: 'Path for Terraform .tfvars file'
+    default: 'terraform.auto.tfvars'
+  shell-path:
+    description: 'Path for shell export script'
+    default: 'vaulter-env.sh'
+  # ─── K8s Options ───
+  k8s-secret-name:
+    description: 'Name for Kubernetes Secret resource'
+    required: false
+  k8s-configmap-name:
+    description: 'Name for Kubernetes ConfigMap resource'
+    required: false
+  k8s-namespace:
+    description: 'Kubernetes namespace'
+    default: 'default'
+  # ─── Encryption Mode ───
+  encryption-mode:
+    description: 'Encryption mode: symmetric or asymmetric'
+    default: 'symmetric'
+  public-key:
+    description: 'Public key PEM content (asymmetric mode)'
+    required: false
+  private-key:
+    description: 'Private key PEM content (asymmetric mode)'
+    required: false
+  asymmetric-algorithm:
+    description: 'Algorithm for asymmetric mode: rsa-4096, rsa-2048, ec-p256, ec-p384'
+    default: 'rsa-4096'
+  # ─── Shared Vars ───
+  include-shared:
+    description: 'Include shared variables when service is specified'
+    default: 'true'
+  # ─── Export to GitHub Env ───
+  export-to-env:
+    description: 'Export variables to GITHUB_ENV for subsequent steps'
+    default: 'false'
+  mask-values:
+    description: 'Mask secret values in logs'
+    default: 'true'
+outputs:
+  env-file:
+    description: 'Path to generated .env file'
+  json-file:
+    description: 'Path to generated JSON file'
+  k8s-secret-file:
+    description: 'Path to generated Kubernetes Secret YAML'
+  k8s-configmap-file:
+    description: 'Path to generated Kubernetes ConfigMap YAML'
+  helm-values-file:
+    description: 'Path to generated Helm values file'
+  tfvars-file:
+    description: 'Path to generated Terraform .tfvars file'
+  shell-file:
+    description: 'Path to generated shell export script'
+  vars-count:
+    description: 'Number of variables exported'
+  vars-json:
+    description: 'JSON string with all variable names (not values)'
+runs:
+  using: 'node20'
+  main: 'dist/action/index.cjs'

package/dist/action/formats.d.ts ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * Vaulter GitHub Action - Output Format Generators
+ *
+ * Generates output files in various formats for different IaC tools:
+ * - env: Standard .env file
+ * - json: JSON key-value pairs
+ * - k8s-secret: Kubernetes Secret YAML
+ * - k8s-configmap: Kubernetes ConfigMap YAML
+ * - helm-values: Helm values.yaml
+ * - tfvars: Terraform .tfvars
+ * - shell: Shell export script
+ */
+/**
+ * Generate .env file content
+ */
+export declare function generateEnvFile(vars: Record<string, string>): string;
+/**
+ * Generate JSON file content
+ */
+export declare function generateJsonFile(vars: Record<string, string>): string;
+/**
+ * Generate Kubernetes Secret YAML
+ */
+export declare function generateK8sSecret(vars: Record<string, string>, options: {
+    name: string;
+    namespace: string;
+    environment: string;
+}): string;
+/**
+ * Generate Kubernetes ConfigMap YAML
+ */
+export declare function generateK8sConfigMap(vars: Record<string, string>, options: {
+    name: string;
+    namespace: string;
+    environment: string;
+}): string;
+/**
+ * Generate Helm values.yaml
+ */
+export declare function generateHelmValues(vars: Record<string, string>, options: {
+    project: string;
+    environment: string;
+    service?: string;
+}): string;
+/**
+ * Generate Terraform .tfvars
+ */
+export declare function generateTfVars(vars: Record<string, string>, options: {
+    project: string;
+    environment: string;
+    service?: string;
+}): string;
+/**
+ * Generate shell export script
+ */
+export declare function generateShellExport(vars: Record<string, string>): string;
+//# sourceMappingURL=formats.d.ts.map

package/dist/action/formats.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"formats.d.ts","sourceRoot":"","sources":["../../src/action/formats.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAyGH;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAYpE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAErE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,OAAO,EAAE;IACP,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,MAAM,CAAA;CACpB,GACA,MAAM,CAsBR;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,OAAO,EAAE;IACP,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,MAAM,CAAA;CACpB,GACA,MAAM,CAqBR;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,OAAO,EAAE;IACP,OAAO,EAAE,MAAM,CAAA;IACf,WAAW,EAAE,MAAM,CAAA;IACnB,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB,GACA,MAAM,CA4BR;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,OAAO,EAAE;IACP,OAAO,EAAE,MAAM,CAAA;IACf,WAAW,EAAE,MAAM,CAAA;IACnB,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB,GACA,MAAM,CA6BR;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAcxE"}