Share secrets between repositories

Sometimes your project is not set up as a monorepo, and you need to share some secrets with another part of your application that lives in a different repository. Thankfully, Keystone projects aren't bound to a VCS or a repo, and can simply be used across several repositories, no matter what VCS you use.

Example setup

Say you are building a CLI tool, and plan on distributing it on Homebrew. You chose to maintain a tap, and for that reason, you now have one repository for your CLI's source code, organisation/tool-cli, and one for your tap, organisation/homebrew-tap. Due to the internal workings of your tool, you need to have a WHISPER secret shared between those two repositories. You've already initialized a Keystone project named tool-cli in the organisation/tool-cli repo, and added the secret:

ks init tool-cli
ks secret add WHISPER shhh

1. Copy the keystone.yaml file

The keystone.yaml file lives in the root of your project. It contains the project id, so if you copy that file to the root of your other repository, you'll be able to mirror your main project.

cp ~/projects/tool-cli/keystone.yaml ~/projects/homebrew-tap/keystone.yaml

2. Send yourself the current environment

cd ~/projects/tool-cli
ks env send

You'll have to repeat that command every time you need to update the other repo, the homebrew-tap in our example.

3. Update the other repo

cd ~/projects/homebrew-tap
ks secret

This will fetch the data you just sent yourself in the prior step, and list the secrets with their values.

Keep CI in sync

You can add as many CI services as you want using ks ci add. Simply add both the organisation/tool-cli and organisation/homebrew-tap CI services, and set them both up with the GitHub action. Every time you type ks ci send, the secrets will be sent to all the CI services you added.
