Share secrets between repositories
Sometimes your project is not set up as a monorepo, and you need to share some secrets with another part of your application that lives in another repository. Thankfully, Keystone projects aren’t bound to a VCS or a repository, and can simply be used across several repositories, no matter what VCS you use.
Example setup
Say you are building a CLI tool, and plan on distributing it on Homebrew.
You chose to maintain a tap, and for that reason, you now have one repository for your CLI’s source code, organisation/tool-cli, and one for your tap, organisation/homebrew-tap.
Due to the internal workings of your tool, you need to have a WHISPER secret shared between those two repositories.
You’ve already initialized a Keystone project named tool-cli in the organisation/tool-cli repo, and added the secret:
ks init tool-cli
ks secret add WHISPER shhh
1. Copy the keystone.yaml file
The keystone.yaml file lives in the root of your project. It contains the project id, so if you copy that file to the root of your other repository, you’ll be able to mirror your main project.
cp ~/projects/tool-cli/keystone.yaml ~/projects/homebrew-tap/keystone.yaml
2. Send yourself the current environment
cd ~/projects/tool-cli
ks env send
You’ll have to repeat that command every time you need to update the other repo, homebrew-tap in our example.
3. Update the other repo
cd ~/projects/homebrew-tap
ks secret
This fetches the data you just sent yourself in the prior step, and lists the secrets with their values.
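The three steps above as one guarded shell function. This is an added example, not part of Keystone or its documentation: mirror_keystone and the KS_BIN variable are hypothetical names, and it assumes that ks env send and ks secret can run non-interactively and that ks secret still fetches when its output is discarded.

```sh
#!/bin/sh
# Added example: a guarded wrapper around steps 1-3. Only `ks env send` and
# `ks secret` come from the page; mirror_keystone and KS_BIN are hypothetical.

# Usage: mirror_keystone SRC_REPO DST_REPO
# Returns 0 on success, 2 on bad input, 3 on a conflicting keystone.yaml,
# 4 if `ks env send` fails, 5 if `ks secret` fails.
mirror_keystone() {
    src=$1
    dst=$2
    ks_bin=${KS_BIN:-ks}

    [ -f "$src/keystone.yaml" ] || { echo "no keystone.yaml in $src" >&2; return 2; }
    [ -d "$dst" ] || { echo "no such repository: $dst" >&2; return 2; }

    # Step 1, guarded: a different keystone.yaml in the destination means that
    # repository already points at another project. Overwriting it would
    # silently re-point the repository, so stop and let a human decide.
    if [ -f "$dst/keystone.yaml" ] && ! cmp -s "$src/keystone.yaml" "$dst/keystone.yaml"; then
        echo "refusing to overwrite $dst/keystone.yaml: it differs from the source" >&2
        return 3
    fi
    cp "$src/keystone.yaml" "$dst/keystone.yaml" || return 2

    # Step 2: send the current environment from the main repository.
    (cd "$src" && "$ks_bin" env send) || return 4

    # Step 3: fetch in the other repository. `ks secret` lists the secrets
    # with their values, so discard its output to keep the values out of
    # terminal scrollback and captured logs.
    (cd "$dst" && "$ks_bin" secret >/dev/null) || return 5
}

# Run directly as: sh mirror.sh SRC_REPO DST_REPO
if [ "$#" -eq 2 ]; then
    mirror_keystone "$1" "$2"
fi
```

A return code of 3 means the destination already carries a keystone.yaml for a different project and nothing was copied or sent.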
Keep CI in sync
You can add as many CI services as you want using ks ci add.
Simply add both the organisation/tool-cli and organisation/homebrew-tap CI services, and set them both up with the GitHub action.
Every time you run ks ci send, the secrets will be sent to all the CI services you added.