CI/CD Integration

envpkt integrates into CI/CD pipelines for automated credential health checks.

Create an envpkt.toml for your CI agent:

version = 1

[identity]
name = "deploy-bot"
consumer = "ci"
description = "CI/CD deployment agent"
capabilities = ["build", "test", "deploy"]
expires = "2026-12-31"

[lifecycle]
stale_warning_days = 45
require_expiration = true

[secret.GITHUB_TOKEN]
service = "github"
purpose = "Clone repos and create deployment status checks"
capabilities = ["repo:read", "deployments:write"]
created = "2026-02-01"
expires = "2026-08-01"
source = "ci"

[secret.DOCKER_REGISTRY_TOKEN]
service = "ghcr.io"
purpose = "Push container images"
capabilities = ["packages:write"]
created = "2026-02-01"
expires = "2026-08-01"
source = "ci"

Use --strict to fail the build on any non-healthy secret:

envpkt audit --strict --format json

Exit codes:

  • 0 — all secrets healthy, pipeline continues
  • 1 — degraded, some warnings
  • 2 — critical, expired or missing secrets

The envpkt GitHub Action resolves your sealed credentials into the job environment (masked in the log) and, with strict, gates the build on credential health — no hand-rolled install steps:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: jordanburke/envpkt@v0.12.0
        with:
          config: ./envpkt.toml
          strict: "true"
        env:
          ENVPKT_AGE_KEY: ${{ secrets.ENVPKT_AGE_KEY }}
      - run: ./deploy.sh # sees resolved vars; secret values redacted in the log

Commit sealed (encrypted_value) packets to the repo and supply the age private key as the ENVPKT_AGE_KEY secret — see the GitHub Action and env github docs for the resolution model and masking details.

For a standalone health gate that doesn’t inject anything, run the CLI directly:

- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    node-version: 24
- run: npx envpkt audit --strict --format json
- run: npx envpkt env check --strict

For monorepos or multi-agent deployments:

- name: Fleet health check
  run: envpkt fleet --format json --status critical

Use envpkt exec to gate deployments on credential health:

envpkt exec --strict -- ./deploy.sh

This runs the audit first and aborts if any secret is expired or missing.