CI/CD Integration
envpkt integrates into CI/CD pipelines for automated credential health checks.
CI Agent Configuration
Create an envpkt.toml for your CI agent:
version = 1

[agent]
name = "deploy-bot"
consumer = "ci"
description = "CI/CD deployment agent"
capabilities = ["build", "test", "deploy"]
expires = "2026-12-31"

[lifecycle]
stale_warning_days = 45
require_expiration = true

[meta.GITHUB_TOKEN]
service = "github"
purpose = "Clone repos and create deployment status checks"
capabilities = ["repo:read", "deployments:write"]
created = "2026-02-01"
expires = "2026-08-01"
source = "ci"

[meta.DOCKER_REGISTRY_TOKEN]
service = "ghcr.io"
purpose = "Push container images"
capabilities = ["packages:write"]
created = "2026-02-01"
expires = "2026-08-01"
source = "ci"

Strict Audit in Pipelines
Use --strict to fail the build on any non-healthy secret:

envpkt audit --strict --format json

Exit codes:
0 — all secrets healthy, pipeline continues
1 — degraded, some warnings
2 — critical, expired or missing secrets
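
A wrapper that acts on those exit codes, as an added example that is not part of envpkt or its documentation: it keeps the JSON report, blocks on 1 and 2, and fails closed on any other code (for example 127 when envpkt is not installed). The names audit_gate and ALLOW_DEGRADED are hypothetical, and the sketch assumes the JSON report is written to stdout.

```shell
#!/bin/sh
# Added example, not envpkt's own code. Gates a pipeline step on the
# documented audit exit codes: 0 healthy, 1 degraded, 2 critical.
# audit_gate and ALLOW_DEGRADED are hypothetical names for this sketch.

# audit_gate REPORT_FILE CMD [ARGS...]
# Runs CMD, saves its stdout to REPORT_FILE (assumed to be the JSON report),
# and returns 0 if the pipeline may continue or 1 if it must stop.
audit_gate() {
  report=$1
  shift
  rc=0
  # "|| rc=$?" keeps the real exit code even when the caller uses "set -e".
  "$@" >"$report" || rc=$?
  case "$rc" in
    0)
      echo "audit: all secrets healthy" >&2
      return 0 ;;
    1)
      # Degraded blocks by default; opt out explicitly, e.g. on feature branches.
      if [ "${ALLOW_DEGRADED:-0}" = "1" ]; then
        echo "audit: degraded, continuing because ALLOW_DEGRADED=1" >&2
        return 0
      fi
      echo "audit: degraded, blocking" >&2
      return 1 ;;
    2)
      echo "audit: critical (expired or missing secret), blocking" >&2
      return 1 ;;
    *)
      # Anything undocumented (127 command not found, 126 not executable,
      # >128 killed by a signal) means the audit did not run: fail closed.
      echo "audit: unexpected exit code $rc, failing closed" >&2
      return 1 ;;
  esac
}

# Usage in a pipeline step:
#   audit_gate audit-report.json envpkt audit --strict --format json || exit 1
```
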
GitHub Actions

name: Credential Audit
on:
  schedule:
    - cron: "0 9 * * 1" # Weekly Monday 9am
  push:
    paths:
      - "envpkt.toml"

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install envpkt
        run: npm install -g envpkt

      - name: Audit credentials
        run: envpkt audit --strict --format json

      - name: Check drift
        run: envpkt env check --strict

Fleet Scanning in CI
For monorepos or multi-agent deployments:

- name: Fleet health check
  run: envpkt fleet --format json --status critical

Pre-deployment Gate
Use envpkt exec to gate deployments on credential health:

envpkt exec --strict -- ./deploy.sh

This runs the audit first and aborts if any secret is expired or missing.