CI/CD Integration

Use storemyapi in CI/CD pipelines to inject secrets at build and deploy time.

The recommended CI/CD pattern is storemyapi env run, which fetches cloud keys and injects them directly into your build or deploy process. The keys themselves are never stored in CI environment variables and no .env file is written to disk; the only credential the CI system holds is the storemyapi auth token.

How it works

  1. Log in on a developer machine using the device flow (storemyapi login)
  2. Link the repo to a project (storemyapi link)
  3. In CI, install the CLI and reuse the stored auth token (copied from ~/.storemyapi/config.json)
  4. Run storemyapi env run -- <your-build-command>

Important: storemyapi login --no-browser does not complete authentication on its own. It only prints a URL and waits. There is no --token flag or STOREMYAPI_TOKEN environment variable. CI authentication requires storing the token from a prior device login and providing it to the runner.

A practical approach is to run storemyapi login once on a trusted machine, copy ~/.storemyapi/config.json, and store its contents as a CI secret. Then restore the file at the start of each pipeline run.

GitHub Actions example

name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install storemyapi CLI
        run: npm install -g storemyapi

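      - name: Restore storemyapi credentials
        env:
          STOREMYAPI_CONFIG: ${{ secrets.STOREMYAPI_CONFIG }}
        run: |
          # Pass the secret through the environment so quotes in the JSON cannot break the script
          umask 077  # create the directory and file readable by the runner user only
          mkdir -p ~/.storemyapi
          printf '%s\n' "$STOREMYAPI_CONFIG" > ~/.storemyapi/config.json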

      - name: Build with cloud secrets injected
        run: storemyapi env run -- npm run build

      - name: Deploy
        run: npm run deploy

STOREMYAPI_CONFIG is a GitHub Actions secret containing the JSON contents of your ~/.storemyapi/config.json.
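
A hardened form of the restore step, as an added example that is not part of the storemyapi documentation or CLI. It assumes the CI system exposes the secret as the STOREMYAPI_CONFIG environment variable; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: restore the storemyapi config in CI without interpolating the
# secret into the script text, and keep the file private to the runner user.
# Assumption: the secret arrives in the STOREMYAPI_CONFIG environment variable.

restore_storemyapi_config() {
    cfg_dir="$HOME/.storemyapi"
    cfg_file="$cfg_dir/config.json"

    # Fail early if the secret is missing (for example, workflows triggered
    # from forks do not receive repository secrets).
    if [ -z "${STOREMYAPI_CONFIG:-}" ]; then
        echo "STOREMYAPI_CONFIG is empty or unset" >&2
        return 1
    fi

    # Create the directory and file with owner-only permissions from the start,
    # so the token is never briefly readable by other users on the runner.
    (
        umask 077
        mkdir -p "$cfg_dir" || exit 1
        # printf writes the value as data; quotes inside the JSON are harmless
        # because the shell never parses the secret as part of the script.
        printf '%s\n' "$STOREMYAPI_CONFIG" > "$cfg_file"
    ) || return 1

    # Tighten permissions even if the directory or file already existed.
    chmod 700 "$cfg_dir" && chmod 600 "$cfg_file"
}

# Remove the restored token once the job is done (call from a trap or from a
# final step that always runs).
remove_storemyapi_config() {
    rm -f "$HOME/.storemyapi/config.json"
}

# Print the permission string of the config file, e.g. "-rw-------".
storemyapi_config_mode() {
    ls -l "$HOME/.storemyapi/config.json" | cut -c1-10
}
```

Call restore_storemyapi_config before storemyapi env run, and remove_storemyapi_config at the end of the job so the token does not outlive the run on a reused runner.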

Pulling .env before build

If your build tooling reads from .env rather than process.env, pull first:

      - name: Pull secrets to .env
        run: storemyapi pull

      - name: Build
        run: npm run build

Make sure .env is in your .gitignore and not cached between runs.

Security notes

  • Store ~/.storemyapi/config.json as a single encrypted CI secret. Do not commit it.
  • Use a dedicated storemyapi account for CI rather than a personal account.
  • Rotate the CI token periodically by logging in again and updating the secret.
  • Avoid printing environment variables in CI logs.
