Secrets for your pipelines
Inject encrypted secrets into your CI/CD pipelines with access tokens. Your hosting provider never sees your actual secret values.
How access tokens work
Access tokens provide secure, scoped access to your project's secrets without exposing your encryption keys.
1. Create Token
Generate an access token in Envie with an optional expiration date
2. Token Contains Key
The token embeds an encrypted project key that only the CLI can decrypt
3. CLI Fetches Config
The CLI uses the token to fetch encrypted config from Envie servers
4. Decrypts Locally
Secrets are decrypted in your pipeline and exported as environment variables
Zero Exposure to Hosting Providers
Your secrets are fetched at runtime and never stored in your CI/CD platform. Vercel, AWS, or any provider never sees your actual values.
Instant Secret Rotation
Rotate secrets in Envie and all deployments automatically use the new values on next run. No manual updates across platforms.
Audit Trail
Track which tokens accessed which secrets and when. Full visibility into your CI/CD secret usage.
Scoped Access
Create tokens with read-only access to specific projects. Each pipeline only sees what it needs.
Using with Docker
Inject secrets at build time or runtime without storing them in your image layers.
Multi-stage Dockerfile
FROM node:20-alpine AS builder
WORKDIR /app
# Install Envie CLI
RUN npm install -g @envie/cli
# Copy the application source into the build stage
COPY . .
# Build argument for the token
# (build args are visible in this stage's build history, not in the final image)
ARG ENVIE_TOKEN
# Fetch and export secrets
RUN envie export --token "$ENVIE_TOKEN" > .env
# Your build steps here
RUN npm ci && npm run build
# Production image - no secrets!
FROM node:20-alpine
COPY --from=builder /app/dist ./dist
CMD ["node", "dist/index.js"]
Build Command
docker build \
  --build-arg ENVIE_TOKEN="$ENVIE_TOKEN" \
  -t my-app .
Secrets never in image
The .env file is only present during the build stage. The final production image contains no secrets.
GitHub Actions Example
Fetch secrets at workflow runtime. Store only the access token in GitHub Secrets.
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Envie CLI
        run: npm install -g @envie/cli
      - name: Load secrets
        run: |
          envie export --token ${{ secrets.ENVIE_TOKEN }} > .env
          # Or inject directly into environment
          # (variables loaded with source exist only for the rest of this step)
          source <(envie export --token ${{ secrets.ENVIE_TOKEN }} --format shell)
      - name: Deploy
        run: npm run deploy
Only one secret to manage
Store only the ENVIE_TOKEN in GitHub. All other secrets are fetched at runtime.
Always up to date
Rotate secrets in Envie and deployments automatically use new values.
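Values fetched at runtime are not in GitHub Secrets, so GitHub does not redact them from job logs unless they are registered with the ::add-mask:: workflow command, and variables must be written to $GITHUB_ENV to reach later steps. The function below is an added example, not Envie's own code; the name mask_and_export is hypothetical, and it assumes the exported file holds one single-line KEY=VALUE pair per line.

```shell
#!/bin/sh
# Added example, not part of the Envie CLI.
# Assumption: the exported file is dotenv-style, one KEY=VALUE per line,
# values optionally wrapped in quotes, '#' starting a comment line.

# mask_and_export FILE
#   Registers each value with the runner's log masking, appends the pair to
#   $GITHUB_ENV for later steps, then deletes the plaintext file.
#   Returns 1 on a malformed line so the job fails instead of deploying
#   with a partial configuration.
mask_and_export() {
  local file="$1" line key value n=0
  [ -r "$file" ] || { echo "cannot read secrets file" >&2; return 1; }
  [ -n "${GITHUB_ENV:-}" ] || { echo "GITHUB_ENV is not set" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in ''|'#'*) continue ;; esac
    key=${line%%=*}
    value=${line#*=}
    # Reject lines with no '=' or with a name that is not a valid identifier.
    # Only the line number is reported, never the line content.
    case $key in
      "$line"|''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
        echo "line $n: not a KEY=VALUE pair" >&2
        return 1 ;;
    esac
    # Strip one pair of matching surrounding quotes.
    case $value in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    if [ -n "$value" ]; then
      printf '::add-mask::%s\n' "$value"   # runner redacts this value in logs
    fi
    printf '%s=%s\n' "$key" "$value" >> "$GITHUB_ENV"
  done < "$file"
  rm -f -- "$file"   # do not leave plaintext secrets in the workspace
}
```

In the "Load secrets" step, call it right after the export, for example `mask_and_export .env`, so that masking is in place before any later step can print a value.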
Deploy to new environments instantly
Spinning up a new staging environment or onboarding a new developer? One command pulls all the secrets they need. No more copying .env files or waiting for access to secret managers.
- New developer? Share a token, they're ready in seconds
- New staging environment? Same config as production, one command
- Disaster recovery? Rebuild with all secrets intact
Where to use it
Docker Builds
Inject secrets during container builds without baking them into images.
GitHub Actions
Fetch secrets at workflow runtime instead of storing in repository secrets.
Kubernetes Deployments
Generate ConfigMaps and Secrets on the fly during deployment.
Local Development
New team members can bootstrap their environment in seconds.
Ready to secure your CI/CD?
Get started with Envie CLI and stop exposing secrets to your hosting providers. Check out the documentation on GitHub.