CI/CD Integration
Inject encrypted vault secrets into your pipelines. No .env files in your repo.
GitHub Actions
Use the official meowrithm/meowpass-action@v1 to pull secrets into your workflow.
1. Create an API key
Terminal
mp apikey create ci-github
# Output: mp_a1b2c3d4e5f6...
2. Add GitHub secrets
In your repo Settings → Secrets and variables → Actions, add:
| Secret name | Value |
|---|---|
| MEOWPASS_VAULT_ID | Your vault ID |
| MEOWPASS_TOKEN | API key (mp_...) |
| MEOWPASS_MASTER_KEY | Pre-derived master key (hex) |
| MEOWPASS_SALT | Key salt (base64) |
3. Add to your workflow
.github/workflows/deploy.yml
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: meowrithm/meowpass-action@v1
        with:
          vault_id: ${{ secrets.MEOWPASS_VAULT_ID }}
          token: ${{ secrets.MEOWPASS_TOKEN }}
          master_key: ${{ secrets.MEOWPASS_MASTER_KEY }}
          salt: ${{ secrets.MEOWPASS_SALT }}
      # All vault secrets are now in $GITHUB_ENV
      - run: npm ci && npm run deploy
Write .env file instead
Use mode: env to write a .env file:
.github/workflows/deploy.yml
- uses: meowrithm/meowpass-action@v1
  with:
    vault_id: ${{ secrets.MEOWPASS_VAULT_ID }}
    token: ${{ secrets.MEOWPASS_TOKEN }}
    master_key: ${{ secrets.MEOWPASS_MASTER_KEY }}
    salt: ${{ secrets.MEOWPASS_SALT }}
    mode: env
    env_file: .env.production
Any CI/CD (CLI)
For GitLab CI, CircleCI, Jenkins, or any pipeline — use mp run or mp pull directly.
Generic CI pipeline
# Install
curl -fsSL https://raw.githubusercontent.com/meowrithm/homebrew-tap/main/install.sh | bash
# Pull secrets to .env
mp pull --vault $VAULT_ID --env production
# Or inject into a command directly (secrets stay in memory)
mp run --vault $VAULT_ID -- npm run deploy
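The install step above pipes a script from the main branch straight into bash, so whatever that URL serves at build time runs on the runner that holds your vault credentials. The following is an added example, not MeowPass's own code: it downloads the installer, checks it against a SHA-256 digest you recorded after reviewing the script, and only then executes it. The MEOWPASS_INSTALLER_SHA256 variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: pin the installer by digest instead of piping curl into bash.
set -eu

INSTALLER_URL="https://raw.githubusercontent.com/meowrithm/homebrew-tap/main/install.sh"
# Assumption: the digest of a reviewed installer is stored in this CI variable.
EXPECTED_SHA256="${MEOWPASS_INSTALLER_SHA256:-}"

# sha256_of FILE: print the lowercase hex digest (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned FILE EXPECTED: 0 on match, 1 on mismatch, 2 if the pin is unusable.
verify_pinned() {
  vp_expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  case "$vp_expected" in
    ""|*[!0-9a-f]*) return 2 ;;   # empty or non-hex pin: refuse, never skip the check
  esac
  [ "${#vp_expected}" -eq 64 ] || return 2
  vp_actual="$(sha256_of "$1")"
  [ "$vp_actual" = "$vp_expected" ]
}

# install_pinned: download to a temp file, verify it, then execute it.
install_pinned() {
  ip_tmp="$(mktemp)"
  ip_rc=0
  if curl -fsSL "$INSTALLER_URL" -o "$ip_tmp" &&
     verify_pinned "$ip_tmp" "$EXPECTED_SHA256"; then
    bash "$ip_tmp" || ip_rc=$?
  else
    echo "installer download failed, digest mismatch, or pin missing; not running it" >&2
    ip_rc=1
  fi
  rm -f "$ip_tmp"
  return "$ip_rc"
}

# Run only when explicitly requested, so sourcing this file has no side effects.
if [ "${1:-}" = "--install" ]; then install_pinned; fi
```

When the upstream installer changes, the build fails until someone reviews the new script and updates the pinned digest.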
Drift Detection in CI
Use mp diff --exit-on-drift to fail builds when the local .env is out of sync with the vault.
Pre-deploy check
# Fails with exit code 1 if .env differs from vault
mp diff --vault $VAULT_ID --exit-on-drift
Git Hooks
Catch drift before it reaches CI. Install a pre-commit hook:
Terminal
# Warn-only (default) — shows diff but allows commit
mp git-hook install --vault <id>
# Strict mode — blocks commit if drift detected
mp git-hook install --vault <id> --strict
# Remove the hook
mp git-hook uninstall