Bug: Doppler env vars get exported along with secrets

Is there an existing issue for this?

[X] I have searched the existing issues

Orb version

1.3.0

Current behavior

When the load_secrets command is invoked the following doppler command gets executed:

doppler secrets download --no-file --format env > dopplerenv

Source: https://github.com/ft-circleci-orbs/doppler-circleci-orb/blob/a156fa0809694c0d7ee0dba40224aef960a9f02a/src/scripts/load_secrets_to_env.sh#L3C1-L3C41

The output of which might be something like this:

DOPPLER_CONFIG="dev_rob"
DOPPLER_ENVIRONMENT="dev"
DOPPLER_PROJECT="isolated-dev-env-examples"
SUPER_SECRET="Hi, Rob"

Notice the DOPPLER prefixed env vars. These aren't project secrets, but metadata about the Doppler project, environment and config. These then get converted into export statements and written to $BASH_ENV to make them available.

The problem with this is that the presence of these env vars impacts any future calls to load_secrets. For example, if you need to pull secrets from 2 different projects or configs within the same CircleCI job an error will result.

See this thread from Kiya:

https://financialtimes.slack.com/archives/C02ST9MNV0S/p1698242227874879

Minimum reproduction config

Invoke load_secrets more than once in the same job using different tokens:

  steps:
    - checkout
    - doppler-circleci/install
    - doppler-circleci/load_secrets:
         doppler_token: DOPPLER_TOKEN_SHARED
    - doppler-circleci/load_secrets:
         doppler_token: DOPPLER_TOKEN_TEST

Other

I suspect the fix is to remove the DOPPLER_* variables before we write to $BASH_ENV e.g.

doppler secrets download --no-file --format env | grep -v 'DOPPLER_CONFIG|DOPPLER_PROJECT|DOPPLER_ENVIRONMENT' > dopplerenv

We should also delete the dopplerenv file after exporting to $BASH_ENV, so it's not on the file system and therefore cannot be cached inadvertently.

ft-circleci-orbs / doppler-circleci-orb