mirror of
https://github.com/bahdotsh/wrkflw.git
synced 2026-05-18 13:16:04 +02:00
wrkflw-secrets
Secrets management for wrkflw workflow execution. Provides secure handling of secrets with multiple providers, encryption, masking, and GitHub Actions-compatible ${{ secrets.* }} substitution.
Features
- Providers: environment variables, files (JSON/YAML/.env), HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager
- Encryption: AES-256-GCM encrypted storage for secrets at rest
- Masking: automatic masking of secrets in logs (GitHub tokens, AWS keys, JWTs, etc.)
- Substitution: GitHub Actions-compatible ${{ secrets.* }} and ${{ secrets.provider:name }} syntax
- Caching: optional TTL-based cache for frequently accessed secrets
- Rate limiting: built-in protection against secret access abuse
- Validation: comprehensive input validation for secret names and values
Quick Start
```rust
use wrkflw_secrets::prelude::*;

#[tokio::main]
async fn main() -> SecretResult<()> {
    let manager = SecretManager::default().await?;

    std::env::set_var("GITHUB_TOKEN", "ghp_your_token_here");
    let secret = manager.get_secret("GITHUB_TOKEN").await?;

    // Substitute in templates
    let mut sub = SecretSubstitution::new(&manager);
    let resolved = sub.substitute("Bearer ${{ secrets.GITHUB_TOKEN }}").await?;

    // Mask secrets in logs
    let mut masker = SecretMasker::new();
    masker.add_secret(secret.value());
    println!("{}", masker.mask(&resolved));

    Ok(())
}
```
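The two reference forms listed under Features and the substitute-then-mask order from the Quick Start, as an added std-only example that is not wrkflw-secrets code. The `Store` map, the `substitute` and `mask` functions and the sample values are assumptions standing in for the crate's providers, `SecretSubstitution` and `SecretMasker`.

```rust
use std::collections::HashMap;

/// Hypothetical in-memory store keyed by (provider, name); stands in for real providers.
type Store = HashMap<(String, String), String>;

/// Resolves `${{ secrets.NAME }}` and `${{ secrets.provider:NAME }}` references.
/// Returns the resolved text plus the secret values used, so the caller can mask them.
fn substitute(tpl: &str, store: &Store, default_provider: &str) -> Result<(String, Vec<String>), String> {
    let (mut out, mut used, mut rest) = (String::new(), Vec::new(), tpl);
    while let Some(start) = rest.find("${{") {
        let end = rest[start..].find("}}").ok_or("unterminated ${{ expression")? + start;
        let expr = rest[start + 3..end].trim();
        out.push_str(&rest[..start]);
        match expr.strip_prefix("secrets.") {
            Some(reference) => {
                let (provider, name) = reference.split_once(':').unwrap_or((default_provider, reference));
                // Fail closed on names outside [A-Za-z0-9_] and on unknown secrets.
                if name.is_empty() || !name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') {
                    return Err(format!("invalid secret name: {name:?}"));
                }
                let value = store.get(&(provider.to_string(), name.to_string()))
                    .ok_or_else(|| format!("secret not found: {provider}:{name}"))?;
                out.push_str(value);
                used.push(value.clone());
            }
            // Not a secrets expression: leave it untouched for other evaluators.
            None => out.push_str(&rest[start..end + 2]),
        }
        rest = &rest[end + 2..];
    }
    out.push_str(rest);
    Ok((out, used))
}

/// Masks every known secret value, longest first so overlapping values are fully covered.
fn mask(text: &str, secrets: &[String]) -> String {
    let mut sorted: Vec<&String> = secrets.iter().filter(|s| !s.is_empty()).collect();
    sorted.sort_by_key(|s| std::cmp::Reverse(s.len()));
    sorted.iter().fold(text.to_string(), |acc, s| acc.replace(s.as_str(), "***"))
}

fn main() {
    // Constructed sample values, not real credentials.
    let mut store = Store::new();
    store.insert(("env".into(), "GITHUB_TOKEN".into()), "ghp_constructed_example".into());
    store.insert(("vault".into(), "DB_PASS".into()), "s3cr3t-constructed".into());
    let tpl = "Bearer ${{ secrets.GITHUB_TOKEN }} db=${{ secrets.vault:DB_PASS }} ref=${{ github.ref }}";
    let (resolved, used) = substitute(tpl, &store, "env").unwrap();
    println!("{}", mask(&resolved, &used));
}
```

Masking in this example is by exact value, so a secret that is base64- or URL-encoded before it reaches a log line is not covered.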
Configuration
Create ~/.wrkflw/secrets.yml:
```yaml
default_provider: env
enable_masking: true
timeout_seconds: 30
enable_caching: true
cache_ttl_seconds: 300

providers:
  env:
    type: environment
    prefix: "WRKFLW_SECRET_"
  file:
    type: file
    path: "~/.wrkflw/secrets.json"
  vault:
    type: vault
    url: "https://vault.example.com"
    auth:
      method: token
      token: "${VAULT_TOKEN}"
    mount_path: "secret"
```
Feature Flags
```toml
[dependencies]
wrkflw-secrets = { version = "0.7", features = ["vault-provider", "aws-provider"] }
```
Available: env-provider (default), file-provider (default), vault-provider, aws-provider, azure-provider, gcp-provider, all-providers.
See the secrets demo for end-to-end usage examples.