Notice the DOPPLER prefixed env vars. These aren't project secrets, but metadata about the Doppler project, environment and config. These then get converted into export statements and written to $BASH_ENV to make them available.
The problem with this is that the presence of these env vars impacts any future calls to load_secrets. For example, if you need to pull secrets from 2 different projects or configs within the same CircleCI job an error will result.
Is there an existing issue for this?
Orb version
1.3.0
Current behavior
When the load_secrets command is invoked the following doppler command gets executed:
doppler secrets download --no-file --format env > dopplerenv
Source: https://github.com/ft-circleci-orbs/doppler-circleci-orb/blob/a156fa0809694c0d7ee0dba40224aef960a9f02a/src/scripts/load_secrets_to_env.sh#L3C1-L3C41
The output of which might be something like this:
Notice the DOPPLER prefixed env vars. These aren't project secrets, but metadata about the Doppler project, environment and config. These then get converted into export statements and written to $BASH_ENV to make them available.
The problem with this is that the presence of these env vars impacts any future calls to load_secrets. For example, if you need to pull secrets from 2 different projects or configs within the same CircleCI job an error will result.
See this thread from Kiya:
https://financialtimes.slack.com/archives/C02ST9MNV0S/p1698242227874879
Minimum reproduction config
Invoke load_secrets more than once in the same job using different tokens:
Other
I suspect the fix is to remove the DOPPLER_* variables before we write to $BASH_ENV e.g.
doppler secrets download --no-file --format env | grep -v 'DOPPLER_CONFIG|DOPPLER_PROJECT|DOPPLER_ENVIRONMENT' > dopplerenv
We should also delete the dopplerenv file after exporting to $BASH_ENV, so it's not on the file system and therefore cannot be cached inadvertently.