
CI/CD Integration

Automate environment variable injection in your build and deployment pipelines using scoped CI tokens.


CI Tokens

CI tokens are long-lived, non-interactive API tokens scoped to a specific project, environment, and vault group.

Generating a Token

  1. Open your project and go to Settings > CI Tokens.
  2. Click Generate Token and configure:

| Setting      | Description                                        |
|--------------|----------------------------------------------------|
| Name         | Descriptive name (e.g., github-actions-prod).      |
| Environment  | The environment tier this token can access.        |
| Vault Group  | The vault group this token is scoped to.           |
| Expiration   | 30 days, 90 days, 1 year, or custom date.          |
| IP Allowlist | Optional. Restrict to specific IPs or CIDR ranges. |

  3. Click Create and copy the token — it is shown only once.

Token Scoping

Each token is bound to a single project, environment, and vault group. A compromised token has minimal blast radius. Generate separate tokens per pipeline/environment.

Revocation

Revoke tokens at any time from the CI Tokens settings page. Revoked tokens are rejected immediately. Token usage is logged for auditing (timestamp, IP, action, status).


CLI Usage

Set DEPVAULT_TOKEN as an environment variable in your CI provider, then pull secrets:

```sh
depvault ci pull --format env --output .env
```

| Flag       | Description                     | Default |
|------------|---------------------------------|---------|
| --format   | Output format: env, json.       | env     |
| --output   | File path. Omit for stdout.     | stdout  |

The token determines which project, environment, and vault group to pull from — no additional flags needed. If you need secrets from multiple vault groups in the same pipeline, generate a separate token for each and run ci pull once per token.


Pipeline Examples

GitHub Actions

Store DEPVAULT_TOKEN as a repository secret. Use the setup-depvault action to install the CLI and configure the token in one step.

```yaml
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup DepVault CLI
        uses: suxrobGM/depvault@v1
        with:
          token: ${{ secrets.DEPVAULT_TOKEN }}
      - name: Pull secrets
        run: |
          depvault ci pull --format env --output .env
          cat .env >> $GITHUB_ENV
      - name: Build and deploy
        run: |
          npm ci
          npm run build
```

The cat .env >> $GITHUB_ENV line makes all pulled variables available as environment variables in subsequent steps (e.g. ${{ env.DATABASE_URL }}). Without it, the .env file exists on disk but variables aren’t injected into the GitHub Actions environment.
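Appending the file verbatim injects the variables, but values fetched at runtime are not known to GitHub Actions as secrets, so a stray echo or a verbose build could print them in the job log. The following POSIX sh helper is an added example, not part of the DepVault docs or the setup-depvault action: it reads the pulled file one line at a time, validates each key, emits an `::add-mask::` workflow command so the runner redacts the value, and only then appends `KEY=value` to `GITHUB_ENV`. The sample .env is constructed, and the optional quote stripping follows a common dotenv convention rather than anything the DepVault docs specify; multi-line values are not handled.

```sh
#!/bin/sh
# Added example, not from the DepVault docs. Loads a pulled .env into
# GITHUB_ENV one variable at a time and masks every value first.
# Assumptions: one KEY=value per line; an optional single layer of
# matching quotes around the value (a dotenv convention, not something
# the DepVault docs specify); no multi-line values.

# Constructed sample standing in for the output of
# `depvault ci pull --format env --output .env`.
write_sample_env() {
  cat > "$1" <<'EOF'
# constructed sample, not real vault content
DATABASE_URL=postgres://app:s3cr3t@db.internal:5432/app
API_KEY="abc123"
EMPTY_VALUE=
not a variable
EOF
}

# inject_env ENV_FILE GITHUB_ENV_FILE
# For each valid line: print "::add-mask::<value>" on stdout (the runner
# reads workflow commands from stdout) and append KEY=value to the file
# named by GITHUB_ENV_FILE. Blank lines, comments, lines without '=' and
# malformed keys are reported on stderr and skipped.
inject_env() {
  env_file=$1; out_file=$2
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;
      *=*) ;;
      *) echo "skipping malformed line: $line" >&2; continue ;;
    esac
    key=${line%%=*}
    val=${line#*=}
    if ! printf '%s\n' "$key" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'; then
      echo "skipping invalid key: $key" >&2; continue
    fi
    case $val in
      \"*\") val=${val#\"}; val=${val%\"} ;;
      \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
    # Mask before exposing: Actions redacts later occurrences in the log.
    if [ -n "$val" ]; then printf '::add-mask::%s\n' "$val"; fi
    printf '%s=%s\n' "$key" "$val" >> "$out_file"
  done < "$env_file"
}
```

In the workflow, source this script and replace the `cat .env >> $GITHUB_ENV` line with `inject_env .env "$GITHUB_ENV"`.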

To pull from multiple vault groups, use separate tokens:

```yaml
- name: Pull API secrets
  env:
    DEPVAULT_TOKEN: ${{ secrets.DEPVAULT_API_TOKEN }}
  run: depvault ci pull --format env --output api.env
- name: Pull deploy secrets
  env:
    DEPVAULT_TOKEN: ${{ secrets.DEPVAULT_DEPLOY_TOKEN }}
  run: depvault ci pull --format env --output deploy.env
```

The action accepts these inputs:

| Input   | Description                                        | Default |
|---------|----------------------------------------------------|---------|
| version | CLI version to install (e.g. v1.1.0).              | latest  |
| token   | DepVault CI token. Sets DEPVAULT_TOKEN automatically. |      |

GitLab CI

Store DEPVAULT_TOKEN as a masked CI/CD variable.

```yaml
deploy:
  stage: deploy
  image: node:20
  before_script:
    - curl -fsSL https://get.depvault.com | bash
  script:
    - depvault ci pull --format env --output .env
    - npm ci
    - npm run build
  variables:
    DEPVAULT_TOKEN: $DEPVAULT_TOKEN
  only:
    - main
```

Azure DevOps

Store the token as a secret pipeline variable.

```yaml
trigger:
  branches:
    include: [main]
pool:
  vmImage: "ubuntu-latest"
steps:
  - script: curl -fsSL https://get.depvault.com | bash
    displayName: Install DepVault CLI
  - script: depvault ci pull --format env --output .env
    displayName: Pull secrets
    env:
      DEPVAULT_TOKEN: $(DEPVAULT_TOKEN)
  - script: npm ci && npm run build
    displayName: Build
```

Docker Build

Inject secrets at build time without baking them into the image:

```sh
depvault ci pull --format env --output .env
# --secret requires BuildKit; the file is mounted only for the RUN step
# that asks for it and never becomes part of an image layer.
docker build --secret id=env,src=.env -t myapp .
rm .env
```

```dockerfile
FROM node:20-alpine AS build
WORKDIR /app
COPY . .
# The secret is available at /app/.env only while this command runs.
RUN --mount=type=secret,id=env,target=/app/.env npm run build

FROM node:20-alpine
WORKDIR /app
COPY --from=build /app/dist ./dist
CMD ["node", "dist/index.js"]
```

Troubleshooting

| Error                    | Cause                                                   |
|--------------------------|---------------------------------------------------------|
| DEPVAULT_TOKEN is not set | Set the environment variable in your CI config.        |
| 401 Unauthorized         | Token is expired, revoked, or invalid.                  |
| 403 Forbidden            | IP not in allowlist or scope mismatch.                  |
| Empty output             | No variables in the scoped vault group/environment.     |
| CLI not found            | Verify installation step completed and binary is on PATH. |