twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

Use 1Password for secret with GitHub code spaces #3880

Closed rayjlinden closed 2 months ago

rayjlinden commented 2 months ago

What exactly are you trying to do?

I have chezmoi working fine on my Mac, a Linux machine and GitHub Codespaces. (So cool!) However, I have a dotfile that contains a token that should not be in my dotfiles repo.

OK, chezmoi has this cool integration with 1Password. Let me use that! It's working fine on my Mac. I'm not sure how to make this work in GitHub Codespaces.

I know how to install the 1Password app and sign in to it. No problem.... I had hoped I could just do this part in the install.sh file.

But when dotfiles are loaded in Codespaces, it requires the install.sh file to be non-interactive. So how do I get this to work?

Output of chezmoi doctor

```console
RESULT   CHECK                      MESSAGE
ok       version                    v2.51.0, commit Homebrew, built at 2024-07-15T19:36:30Z, built by Homebrew
ok       latest-version             v2.51.0
ok       os-arch                    darwin/arm64
ok       uname                      Darwin Rayj-MacMini23.localdomain 23.5.0 Darwin Kernel Version 23.5.0: Wed May  1 20:14:38 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T6020 arm64
ok       go-version                 go1.22.5 (gc)
ok       executable                 /opt/homebrew/bin/chezmoi
ok       upgrade-method             brew-upgrade
ok       config-file                ~/.config/chezmoi/chezmoi.toml, last modified 2024-07-25T21:28:22-07:00
warning  source-dir                 ~/.local/share/chezmoi is a git working tree (dirty)
ok       suspicious-entries         no suspicious entries
warning  working-tree               ~/.local/share/chezmoi is a git working tree (dirty)
ok       dest-dir                   ~ is a directory
ok       umask                      022
ok       cd-command                 found /opt/homebrew/bin/bash
ok       cd-args                    /opt/homebrew/bin/bash
info     diff-command               not set
ok       edit-command               found /usr/bin/vi
ok       edit-args                  /usr/bin/vi
ok       git-command                found /opt/homebrew/bin/git, version 2.45.2
ok       merge-command              found /usr/bin/vimdiff
ok       shell-command              found /opt/homebrew/bin/bash
ok       shell-args                 /opt/homebrew/bin/bash
info     age-command                age not found in $PATH
info     gpg-command                gpg not found in $PATH
info     pinentry-command           not set
ok       1password-command          found /opt/homebrew/bin/op, version 2.29.0
info     bitwarden-command          bw not found in $PATH
info     bitwarden-secrets-command  bws not found in $PATH
info     dashlane-command           dcli not found in $PATH
info     doppler-command            doppler not found in $PATH
info     gopass-command             gopass not found in $PATH
info     keepassxc-command          keepassxc-cli not found in $PATH
info     keepassxc-db               not set
info     keeper-command             keeper not found in $PATH
info     lastpass-command           lpass not found in $PATH
info     pass-command               pass not found in $PATH
info     passhole-command           ph not found in $PATH
info     rbw-command                rbw not found in $PATH
info     vault-command              vault not found in $PATH
info     vlt-command                vlt not found in $PATH
info     secret-command             not set
```

twpayne commented 2 months ago

What you're asking for is impossible. You want to install a secret on a machine without any interaction on that machine. That means that anyone else can run the same sequence of commands and obtain your secret.

You have to either share data privately (e.g. use a private dotfiles repo) or share some kind of secret interactively.

Personally, I use the 1Password CLI and accept that I have to interactively enter my account details on any new machine.

In your case you probably want to use GitHub Codespaces' existing secrets support. Note that this uses a "share data privately" mechanism under the hood.

rayjlinden commented 2 months ago

I ended up using the gh secrets in Codespaces. So then I have a template that does the following:

```
token: {{or (env "JIRA_API_TOKEN") (or (onepasswordRead "op://Work/Jira/JIRA_API_TOKEN") "no value set")}}
```

So if it is set as an environment variable (which I can set up for Codespaces), it uses that. If that does not exist it will get the secret from 1Password. (If that doesn't exist it will set it to "no value set".)

Seems to be working. So this workaround may be fine...
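The reason this workaround stays non-interactive in Codespaces is that Go template `or` (which chezmoi templates use) returns its first non-empty argument and, since Go 1.18, stops evaluating once the result is known, so `onepasswordRead` is never executed when the environment variable is present. The following is an added example, not code from chezmoi or from anyone in this thread: it runs the exact template above through Go's `text/template` with stub functions standing in for chezmoi's `env` and `onepasswordRead`. `RenderToken`, `FakeVault` and `EnvWith` are names invented here, and the vault contents and environment values are constructed sample data.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"text/template"
)

// The template from the issue, verbatim. Go's `or` yields its first non-empty
// argument and (Go 1.18+) stops evaluating once the result is known, so the
// 1Password lookup only runs when the env var is empty or unset.
const tokenTemplate = `token: {{or (env "JIRA_API_TOKEN") (or (onepasswordRead "op://Work/Jira/JIRA_API_TOKEN") "no value set")}}`

// RenderToken executes the template with caller-supplied stand-ins for
// chezmoi's env and onepasswordRead template functions. These are stubs for
// this example; chezmoi's real onepasswordRead shells out to `op read`, which
// prompts for sign-in on a machine where the 1Password CLI is not authenticated.
func RenderToken(getenv, opRead func(string) string) (string, error) {
	tmpl, err := template.New("jira").Funcs(template.FuncMap{
		"env":             getenv,
		"onepasswordRead": opRead,
	}).Parse(tokenTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// FakeVault returns a constructed onepasswordRead stand-in backed by a map,
// plus a counter recording how many times it was consulted.
func FakeVault(entries map[string]string) (func(string) string, *int) {
	calls := 0
	return func(ref string) string {
		calls++
		return entries[ref] // "" for unknown references, which `or` treats as empty
	}, &calls
}

// EnvWith returns an env stand-in that knows only the given variables,
// so the example does not depend on the real process environment.
func EnvWith(vars map[string]string) func(string) string {
	return func(key string) string { return vars[key] }
}

func main() {
	// Constructed sample vault; the reference matches the one in the template.
	vault := map[string]string{"op://Work/Jira/JIRA_API_TOKEN": "token-from-1password"}

	// 1. Codespaces: the secret arrives as an env var; 1Password is never called.
	opRead, calls := FakeVault(vault)
	out, _ := RenderToken(EnvWith(map[string]string{"JIRA_API_TOKEN": "token-from-env"}), opRead)
	fmt.Printf("%s (1Password calls: %d)\n", out, *calls)

	// 2. Laptop: no env var, so the value comes from the (fake) vault.
	opRead, calls = FakeVault(vault)
	out, _ = RenderToken(EnvWith(nil), opRead)
	fmt.Printf("%s (1Password calls: %d)\n", out, *calls)

	// 3. Neither source has it: the literal default is rendered.
	opRead, calls = FakeVault(nil)
	out, _ = RenderToken(EnvWith(nil), opRead)
	fmt.Printf("%s (1Password calls: %d)\n", out, *calls)

	// 4. Against the real environment, the way chezmoi itself would see it.
	opRead, calls = FakeVault(vault)
	out, _ = RenderToken(os.Getenv, opRead)
	fmt.Printf("%s (1Password calls: %d)\n", out, *calls)
}
```

Two things worth knowing before relying on this pattern: `or` treats an empty string the same as an unset variable, so a Codespaces secret that is defined but blank falls through to the 1Password branch and would block a non-interactive install; and `or` is variadic, so `{{or (env "X") (onepasswordRead "...") "no value set"}}` behaves the same as the nested form. The rendered target file still contains the token in plain text on disk; only the source repo is kept clean.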