Simplify install-time secrets + scaffold render-time catalog#22
Merged
Three secret-handling concerns in this repo, previously conflated into one
GITHUB_TOKEN cascade in the install-packages wrapper. Split into three
distinct mechanisms, each appropriate for its use case:
1. **Install-time** (GITHUB_TOKEN for mise rate limit) — drop the op→gh→anon
cascade. Keep ONLY `gh auth token` fallback (5 LOC, no disk persistence).
Pre-exported env still wins. Anonymous 60/hr usually fits a cold install
on a fast link; if hit, the existing partial-install warning in
`mise_install_tools()` surfaces three recovery options (gh auth login,
manual env, `op read`).
2. **Render-time** (target files like ~/.npmrc, ~/.aws/credentials that
must contain credentials on disk) — scaffold `.chezmoidata/secrets.yaml`
as the single source of truth for 1Password reference paths. Consumers
reference via `{{ onepasswordRead .op_refs.<key> }}` in
`private_dot_<file>.tmpl` templates (mode 0600). Catalog starts empty;
add entries when the first render-time consumer appears.
3. **Runtime CLI auth** (gh, aws, npm CLIs themselves) — documented as
1Password Shell Plugins (`op plugin init <cli>`). Not in any catalog;
`op` manages auth per CLI internally.
Wrapper LOC: 22 → 9 (token block). Backward-compat break: drop
`$DOTFILES_OP_GITHUB_REF` env override — was op-specific, no longer
applies. Users who want op-based GITHUB_TOKEN now set it explicitly:
`export GITHUB_TOKEN=$(op read '...')` once or in ~/.zshrc_local.
README §"1Password integration" rewritten to enumerate the three layers
with concrete recipes for each. §"GitHub API rate limit" trimmed to
point at the new install-time recovery options instead of duplicating
them. AGENTS.md install-script-split section updated to match.
CI: unaffected (`GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is set via
env directly, never used the cascade).
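The install-time layer described above, as an added example that is not the repo's wrapper code: a pre-exported `GITHUB_TOKEN` always wins, otherwise `gh auth token` is tried, otherwise the install proceeds anonymously and the partial-install warning offers the three recovery options. Nothing is persisted to disk. The `GH_BIN` variable and the stub it points at are assumptions of this example (the real wrapper calls `gh` directly); they exist only so the fallback order can be exercised without a logged-in `gh`.

```shell
#!/bin/sh
# Added example, not the repository's install-packages wrapper.
# Resolution order: pre-exported GITHUB_TOKEN > `gh auth token` > anonymous.
# GH_BIN is an assumption of this example so tests can point at a stub gh.

# Print which source the token came from: env, gh, or anon.
github_token_source() {
    if [ -n "${GITHUB_TOKEN:-}" ]; then
        echo env
    elif tok=$("${GH_BIN:-gh}" auth token 2>/dev/null) && [ -n "$tok" ]; then
        echo gh
    else
        echo anon
    fi
}

# Print the token itself. Empty output means anonymous (60 req/hr).
# Never writes anything to disk; the value lives only in this process.
resolve_github_token() {
    if [ -n "${GITHUB_TOKEN:-}" ]; then
        printf '%s\n' "$GITHUB_TOKEN"
    else
        "${GH_BIN:-gh}" auth token 2>/dev/null || true
    fi
}

# The recovery menu the partial-install warning shows when the anonymous
# limit is hit: the three options the PR names (gh auth login, manual env,
# op read). The op:// path is a placeholder, not a real reference.
rate_limit_recovery_hint() {
    cat <<'EOF'
GitHub API rate limit hit during mise install. Re-run after one of:
  1. gh auth login                       # wrapper picks up `gh auth token`
  2. export GITHUB_TOKEN=<token>         # pre-exported env always wins
  3. export GITHUB_TOKEN=$(op read 'op://<vault>/<item>/<field>')
EOF
}

# Run mise with the resolved token scoped to that single child process,
# so the token is neither exported into the caller's shell nor persisted.
mise_install_with_token() {
    tok=$(resolve_github_token)
    if [ -n "$tok" ]; then
        GITHUB_TOKEN="$tok" mise install "$@"
    else
        mise install "$@"
    fi
}

# Constructed stub standing in for a logged-in gh; prints its path for GH_BIN.
make_gh_stub() {
    stub=$(mktemp)
    printf '#!/bin/sh\n[ "$1 $2" = "auth token" ] && echo gho_STUB_TOKEN_FOR_EXAMPLE\n' > "$stub"
    chmod +x "$stub"
    printf '%s\n' "$stub"
}
```

Calling `mise_install_with_token` from a wrapper keeps the token out of the parent shell's environment: a user who later runs `env` in that shell will not see it, and nothing is left in a dotfile for a later `cat` to find.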
…ions Found in the secrets-architecture re-verification: README §"First-time bootstrap checklist" still said `install-packages auto-reads via op read`, and §"Recovery" mentioned `seed token in 1Password` as if that triggered auto-read. The op cascade was removed in the previous commit on this branch — those claims are now untrue.
Rewrite:
- §First-time bootstrap: drop the optional `gh auth login` / `op item create` pre-step. Anonymous works for cold install on a fast link; recovery is one command if rate-limited.
- §Recovery: point at §"1Password integration → Install-time" for the full three-option recovery menu instead of duplicating partial info inline.
- Drop the legacy `mac` reference from the chezmoi.toml stale-keys recipe (that translation was removed in commit ad604b9 last week).
Pure docs accuracy. No code changes.
Summary
Splits the previously-conflated GITHUB_TOKEN cascade into three distinct mechanisms, each fit for its concern:
1. **Install-time** (`GITHUB_TOKEN` for mise rate limit) — drop op→gh→anon cascade; keep only `gh auth token` fallback (5 LOC). Anonymous 60/hr GH API limit usually fits a cold install; recovery if hit via existing `mise_install_tools()` warning.
2. **Render-time** (`~/.npmrc`, `~/.aws/credentials`) — scaffold `.chezmoidata/secrets.yaml` with an `op_refs:` catalog. Consumers reference via `{{ onepasswordRead .op_refs.<key> }}` in `private_dot_<file>.tmpl` templates (mode 0600). Catalog starts empty.
3. **Runtime CLI auth** — 1Password Shell Plugins (`op plugin init <cli>`).
Breaking change
`$DOTFILES_OP_GITHUB_REF` env override is gone (was op-specific). Users who want op-based `GITHUB_TOKEN` now set it explicitly: `export GITHUB_TOKEN=$(op read '...')` in `~/.zshrc_local`.
Why
- (`onepasswordRead`, 1Password 10-min session, Shell Plugins), the three-layer split is the cleanest model.
- `onepasswordRead` is the right tool for files like `.npmrc`/`.aws/credentials` — these need the secret on disk anyway. Catalog avoids hardcoded `op://...` strings scattered across templates.
Test plan
- `bats tests/unit/install-packages.bats` — 31 pass + 1 skip
- `chezmoi apply` on Mac (workstation) — idempotent, rtk init still wires correctly
- (`chezmoi execute-template`)
- `unit` + `apply-core` + `apply-dev` — should pass; CI injects `GITHUB_TOKEN` via env directly, never used the cascade
- `gh auth login` (one-off) then `chezmoi apply` — wrapper picks up via `gh auth token` automatically
Files
- `.chezmoiscripts/run_onchange_after_50-install-packages.sh.tmpl`
- `.chezmoidata/secrets.yaml`
- `lib/install-packages.sh` — `mise_install_tools()` warning to three recovery options
- `README.md` §"1Password integration"
- `README.md` §"GitHub API rate limit"
- `AGENTS.md` §"Bootstrap script split"
Out of scope
- (`private_dot_npmrc.tmpl`) lands when actually needed.
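The render-time layer, as an added example that is not part of the PR or the repository: a lint that enforces the two properties the catalog is meant to give you, namely that every `op_refs` value in `.chezmoidata/secrets.yaml` is a 1Password reference path rather than a pasted literal, and that no `*.tmpl` file carries a hardcoded `op://` string outside the catalog. The flat two-space-indented `op_refs:` map, the fixture files and the placeholder values are constructed assumptions of this example; the real catalog is empty until the first consumer lands.

```shell
#!/bin/sh
# Added example, not code from the repository.
# Lints the render-time secrets catalog and the templates that consume it.
# Assumes the layout the PR describes: .chezmoidata/secrets.yaml holds an
# `op_refs:` map of op://<vault>/<item>/<field> paths and templates reach
# them only through {{ onepasswordRead .op_refs.<key> }}.

# Print "key value" pairs from the op_refs: map of a secrets.yaml file.
# Only the flat, two-space-indented form is handled (constructed assumption).
catalog_entries() {
    [ -f "$1" ] || return 1
    awk '
        /^op_refs:[[:space:]]*$/ { in_map = 1; next }
        in_map && /^[^[:space:]]/ { in_map = 0 }
        in_map && /^  [A-Za-z_][A-Za-z0-9_]*:/ {
            key = $1; sub(/:$/, "", key)
            val = $0; sub(/^  [^:]*:[[:space:]]*/, "", val)
            gsub(/"/, "", val)
            print key, val
        }' "$1"
}

# Succeed only if every catalog value is an op://<vault>/<item>/<field>
# reference. A literal credential in the catalog is the failure mode this
# catches: the file is committed, so it must contain pointers, never secrets.
check_catalog() {
    [ -f "$1" ] || return 1
    catalog_entries "$1" | awk '
        BEGIN { bad = 0 }
        $2 !~ /^op:\/\/[^\/]+\/[^\/]+\/[^\/]+$/ {
            print "secrets.yaml: " $1 " is not an op://<vault>/<item>/<field> reference"
            bad = 1
        }
        END { exit bad }' >&2
}

# Succeed only if no template under the directory hardcodes an op:// path;
# templates should go through .op_refs.<key> so the catalog stays the
# single source of truth.
check_templates() {
    hits=$(find "$1" -name '*.tmpl' -exec grep -n 'op://' {} + 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf 'hardcoded op:// reference outside the catalog:\n%s\n' "$hits" >&2
    return 1
}

# Constructed fixture: a good source dir and a bad one. Prints the root path.
# The "token" in the bad catalog is a placeholder, not a real credential.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/good/.chezmoidata" "$dir/bad/.chezmoidata"
    cat > "$dir/good/.chezmoidata/secrets.yaml" <<'EOF'
# single source of truth for 1Password reference paths (constructed sample)
op_refs:
  npm_token: "op://Private/npm/token"
  aws_secret_key: op://Private/aws-dev/secret_access_key
EOF
    cat > "$dir/good/private_dot_npmrc.tmpl" <<'EOF'
//registry.npmjs.org/:_authToken={{ onepasswordRead .op_refs.npm_token }}
EOF
    cat > "$dir/bad/.chezmoidata/secrets.yaml" <<'EOF'
op_refs:
  npm_token: "npm_LITERAL_TOKEN_PLACEHOLDER"
EOF
    cat > "$dir/bad/private_dot_npmrc.tmpl" <<'EOF'
//registry.npmjs.org/:_authToken={{ onepasswordRead "op://Private/npm/token" }}
EOF
    printf '%s\n' "$dir"
}
```

Run `check_catalog .chezmoidata/secrets.yaml && check_templates .` from the chezmoi source directory as a pre-commit step; both checks pass trivially while the catalog is empty and start doing work when the first `private_dot_npmrc.tmpl`-style consumer is added.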