
CI/CD Integration

Restore your app’s config and secret files in build and deployment pipelines using scoped CI tokens.


CI Tokens

Files are end-to-end encrypted. When you create a CI token, the project encryption key (DEK) is securely wrapped so only that token can unwrap it. In the pipeline the CLI uses the token to unwrap the DEK and decrypt files locally — the server never sees plaintext.

CI tokens are long-lived, non-interactive API tokens scoped to a specific app and environment within a project.

Generating a Token

  1. Open your project and go to Settings > CI/CD Tokens.
  2. Click Generate Token and configure:

     | Setting | Description |
     |---|---|
     | Name | Descriptive name (e.g., `github-actions-prod`). |
     | App | The app this token can read. Apps come from files you’ve pushed. |
     | Environment | The environment slug this token can read (e.g., `prod`, `staging`). |
     | Expires after | 1 hour, 24 hours, 7 days, 30 days, 90 days, 1 year, or a custom date. |
     | IP Allowlist | Optional. Restrict to specific IPs or CIDR ranges. |

  3. Unlock your vault (required to wrap the project key), click Generate Token, and copy it — it is shown only once.

Token Scoping

Each token is bound to one app and one environment. A ci pull with that token returns the app’s base files plus the files for the token’s selected environment. A compromised token has minimal blast radius — generate separate tokens per app/environment.

Revoking

Revoke tokens at any time from the CI/CD Tokens settings page. Revoked tokens are rejected immediately. Token usage is logged for auditing (timestamp, IP, last used).


CLI Usage

Set DEPVAULT_TOKEN as an environment variable in your CI provider, then run ci pull. The CLI fetches the encrypted blobs, decrypts them client-side, and writes each file to its original repo-relative path, recreating directories:

```sh
depvault ci pull
```

| Flag | Description | Default |
|---|---|---|
| `--output` | Directory to restore files into. | Current directory |
| `--format` | Summary format for the list of written files: `text`, `json`. | `text` |

The token alone determines the project, app, and environment — no project, app, or environment flags are needed. Because files are restored verbatim to their paths, your pipeline reads them exactly where your app already expects them (e.g. apps/backend/.env, apps/backend/appsettings.Production.json).

If you need files for multiple apps or environments in the same pipeline, generate a separate token for each and run ci pull once per token.


Pipeline Examples

GitHub Actions

Store DEPVAULT_TOKEN as a repository secret. Use the setup-depvault action to install the CLI and configure the token in one step.

```yaml
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup DepVault CLI
        uses: suxrobGM/depvault@v1
        with:
          token: ${{ secrets.DEPVAULT_TOKEN }}
      - name: Restore config & secret files
        run: depvault ci pull
      - name: Build and deploy
        run: |
          npm ci
          npm run build
```

ci pull writes each file back to its original path, so build and deploy steps find .env, appsettings.*.json, and secret files exactly where the app expects them. If you need a specific .env exported into the GitHub Actions environment, source it explicitly after the pull:

```yaml
- name: Export backend env
  run: cat apps/backend/.env >> $GITHUB_ENV
```

To restore files for multiple apps or environments, use separate tokens:

```yaml
- name: Restore backend (prod)
  env:
    DEPVAULT_TOKEN: ${{ secrets.DEPVAULT_BACKEND_PROD_TOKEN }}
  run: depvault ci pull
- name: Restore worker (prod)
  env:
    DEPVAULT_TOKEN: ${{ secrets.DEPVAULT_WORKER_PROD_TOKEN }}
  run: depvault ci pull
```
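A provider-neutral shell version of the one-token-per-app/environment pattern from CLI Usage and the snippet above, as an added example that is not from the DepVault docs or project: it runs `depvault ci pull` once per scoped token, turns the "Restored 0 file(s)" case from Troubleshooting into a hard failure, and never prints a token value. The `restore_scoped` and `count_files` helpers and the token variable names are assumptions; the final `chmod` is an added safeguard, not something the CLI does itself.

```sh
#!/bin/sh
# Added example (not DepVault's own code): restore files for several scoped
# CI tokens in one job, one `depvault ci pull` per token, and fail the job
# when a pull writes nothing (the "Restored 0 file(s)" case) instead of
# building with missing config.
set -eu

# Count regular files under a directory; used to detect an empty pull.
count_files() {
  find "$1" -type f | wc -l | tr -d ' '
}

# restore_scoped OUTPUT_DIR TOKEN_VAR_NAME...
# Each TOKEN_VAR_NAME names an environment variable holding one CI token
# (assumed names, e.g. DEPVAULT_BACKEND_PROD_TOKEN). The token value reaches
# the CLI only via DEPVAULT_TOKEN; only the variable name is ever printed.
restore_scoped() {
  out="$1"; shift
  mkdir -p "$out"
  for var in "$@"; do
    eval "token=\${$var:-}"
    if [ -z "$token" ]; then
      echo "error: $var is not set" >&2
      return 1
    fi
    before=$(count_files "$out")
    DEPVAULT_TOKEN="$token" depvault ci pull --output "$out"
    after=$(count_files "$out")
    # The check counts files new to the directory: a pull that adds nothing
    # means the token's app/environment (plus base) has no files to restore.
    if [ "$after" -le "$before" ]; then
      echo "error: $var restored 0 new file(s); check its app/environment scope" >&2
      return 1
    fi
    echo "$var: restored $((after - before)) file(s)"
  done
  # Added safeguard (not done by the CLI): restored files hold secrets,
  # so leave them readable by the job user only.
  find "$out" -type f -exec chmod 600 {} +
}

# Typical use in a pipeline step (token variable names are assumptions):
# restore_scoped . DEPVAULT_BACKEND_PROD_TOKEN DEPVAULT_WORKER_PROD_TOKEN
```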

The action accepts these inputs:

| Input | Description | Default |
|---|---|---|
| `version` | CLI version to install (e.g. v1.1.0). | latest |
| `token` | DepVault CI token. Sets DEPVAULT_TOKEN automatically. | |

GitLab CI

Store DEPVAULT_TOKEN as a masked CI/CD variable.

```yaml
deploy:
  stage: deploy
  image: node:20
  before_script:
    - curl -fsSL https://get.depvault.com | bash
  script:
    - depvault ci pull
    - npm ci
    - npm run build
  variables:
    DEPVAULT_TOKEN: $DEPVAULT_TOKEN
  only:
    - main
```

Azure DevOps

Store the token as a secret pipeline variable.

```yaml
trigger:
  branches:
    include: [main]
pool:
  vmImage: "ubuntu-latest"
steps:
  - script: curl -fsSL https://get.depvault.com | bash
    displayName: Install DepVault CLI
  - script: depvault ci pull
    displayName: Restore config & secret files
    env:
      DEPVAULT_TOKEN: $(DEPVAULT_TOKEN)
  - script: npm ci && npm run build
    displayName: Build
```

Docker Build

Restore files into the build context, then mount the one you need as a build secret without baking it into the image:

```sh
depvault ci pull --output .
docker build --secret id=env,src=apps/backend/.env -t myapp .
rm apps/backend/.env
```

```dockerfile
FROM node:20-alpine AS build
WORKDIR /app
COPY . .
RUN --mount=type=secret,id=env,target=/app/.env npm run build

FROM node:20-alpine
WORKDIR /app
COPY --from=build /app/dist ./dist
CMD ["node", "dist/index.js"]
```

Troubleshooting

| Error | Cause |
|---|---|
| DEPVAULT_TOKEN is not set | Set the environment variable in your CI config. |
| 401 Unauthorized | Token is expired, revoked, or invalid. |
| 403 Forbidden | IP not in allowlist or scope mismatch. |
| Restored 0 file(s) | No files in the token’s scoped app/environment (plus base). |
| CLI not found | Verify the installation step completed and the binary is on PATH. |