← Back to home

CI/CD Integration

Inject encrypted vault secrets into your pipelines. No .env files in your repo.

GitHub Actions

Use the official meowrithm/meowpass-action@v1 to pull secrets into your workflow.

1. Create an API key

Terminal
mp apikey create ci-github # Output: mp_a1b2c3d4e5f6...

2. Add GitHub secrets

In your repo Settings → Secrets and variables → Actions, add:

Secret nameValue
MEOWPASS_VAULT_IDYour vault ID
MEOWPASS_TOKENAPI key (mp_...)
MEOWPASS_MASTER_KEYPre-derived master key (hex)
MEOWPASS_SALTKey salt (base64)

3. Add to your workflow

.github/workflows/deploy.yml
name: Deploy on: push: branches: [main] jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: meowrithm/meowpass-action@v1 with: vault_id: ${{ secrets.MEOWPASS_VAULT_ID }} token: ${{ secrets.MEOWPASS_TOKEN }} master_key: ${{ secrets.MEOWPASS_MASTER_KEY }} salt: ${{ secrets.MEOWPASS_SALT }} # All vault secrets are now in $GITHUB_ENV - run: npm ci && npm run deploy

Write .env file instead

Use mode: env to write a .env file:

.github/workflows/deploy.yml
- uses: meowrithm/meowpass-action@v1 with: vault_id: ${{ secrets.MEOWPASS_VAULT_ID }} token: ${{ secrets.MEOWPASS_TOKEN }} master_key: ${{ secrets.MEOWPASS_MASTER_KEY }} salt: ${{ secrets.MEOWPASS_SALT }} mode: env env_file: .env.production

Vercel

Sync vault secrets to Vercel project environment variables with one command. Auto-maps MeowPass environments to Vercel targets.

1. Create a Vercel token

Go to vercel.com/account/tokens and create a token. Add it as a GitHub secret or export it locally.

2. Sync secrets

bash
# Push production secrets to Vercel mp vercel sync --project my-app --env production # Preview changes first mp vercel sync --project my-app --env production --dry-run

3. GitHub Actions + Vercel deploy

.github/workflows/deploy.yml
name: Deploy on: push: branches: [main] jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Sync secrets to Vercel env: MEOWPASS_TOKEN: ${{ secrets.MEOWPASS_TOKEN }} VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }} run: | curl -fsSL https://github.com/meowrithm/meowpass-releases/releases/latest/download/meowpass_linux_amd64.tar.gz | tar xz sudo mv meowpass /usr/local/bin/mp mp vercel sync --project my-app --env production - name: Deploy to Vercel run: npx vercel --prod --token ${{ secrets.VERCEL_TOKEN }}

Env mapping: production → production, staging → preview, default → development. See full Vercel docs for all options.

Any CI/CD (CLI)

For GitLab CI, CircleCI, Jenkins, or any pipeline — use mp run or mp pull directly.

Generic CI pipeline
# Install curl -fsSL https://raw.githubusercontent.com/meowrithm/homebrew-tap/main/install.sh | bash # Pull secrets to .env mp pull --vault $VAULT_ID --env production # Or inject into a command directly (secrets stay in memory) mp run --vault $VAULT_ID -- npm run deploy

Drift Detection in CI

Use mp diff --exit-on-drift to fail builds when local .env is out of sync with the vault.

Pre-deploy check
# Fails with exit code 1 if .env differs from vault mp diff --vault $VAULT_ID --exit-on-drift

Git Hooks

Catch drift before it reaches CI. Install a pre-commit hook:

Terminal
# Warn-only (default) — shows diff but allows commit mp git-hook install --vault <id> # Strict mode — blocks commit if drift detected mp git-hook install --vault <id> --strict # Remove the hook mp git-hook uninstall