mirror of
https://github.com/bahdotsh/wrkflw.git
synced 2026-05-18 05:05:35 +02:00
* docs: gut the documentation bloat and remove dead files

The documentation had grown into the kind of sprawling mess where the same feature gets explained three times in three different files, none of which agree with each other. The main README alone was 610 lines of duplicated sections, speculative roadmaps, and verbose limitation disclaimers that nobody reads.

Remove 12 files that had no business existing: junk test files (hello.cpp, hello.rs, test.py), duplicate agent configs, a 487-line Podman testing manual, unused asciinema recordings, and 7MB of unreferenced GIF files. Merge the useful bits from GITLAB_USAGE.md into the main README where they belong.

Rewrite the main README from 610 lines down to ~170. Every feature is mentioned once, in one place, with one example. The crate README now actually lists all 14 crates instead of pretending secrets doesn't exist.

Net result: 3,819 lines deleted, 197 added. The documentation now fits in your head, which is the whole point.

* docs: update crate READMEs for latest features and trim secrets

The crate READMEs were quietly falling behind the actual code. The executor README didn't mention --job, environment file read-back, or job-level container directives. The UI README didn't mention job selection mode or the tui feature flag. The evaluator README didn't mention composite action input cross-checking.

Meanwhile, the secrets README was 387 lines of documentation for a crate whose siblings average 25. It had full provider configuration examples, rate limiting docs, input validation specs, and benchmarking instructions — all of which belong in rustdoc, not a README that's supposed to give you a quick overview.

Trim secrets to ~80 lines. Update executor, ui, evaluator, and wrkflw READMEs to reflect features from PRs #77-#83.
wrkflw-secrets
Secrets management for wrkflw workflow execution. Provides secure handling of secrets with multiple providers, encryption, masking, and GitHub Actions-compatible ${{ secrets.* }} substitution.
Features
- Providers: environment variables, files (JSON/YAML/.env), HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager
- Encryption: AES-256-GCM encrypted storage for secrets at rest
- Masking: automatic masking of secrets in logs (GitHub tokens, AWS keys, JWTs, etc.)
- Substitution: GitHub Actions-compatible ${{ secrets.* }} and ${{ secrets.provider:name }} syntax
- Caching: optional TTL-based cache for frequently accessed secrets
- Rate limiting: built-in protection against secret access abuse
- Validation: comprehensive input validation for secret names and values
Quick Start
```rust
use wrkflw_secrets::prelude::*;

#[tokio::main]
async fn main() -> SecretResult<()> {
    let manager = SecretManager::default().await?;

    // Placeholder value for the example
    std::env::set_var("GITHUB_TOKEN", "ghp_your_token_here");
    let secret = manager.get_secret("GITHUB_TOKEN").await?;

    // Substitute in templates
    let mut sub = SecretSubstitution::new(&manager);
    let resolved = sub.substitute("Bearer ${{ secrets.GITHUB_TOKEN }}").await?;

    // Mask secrets in logs
    let mut masker = SecretMasker::new();
    masker.add_secret(secret.value());
    println!("{}", masker.mask(&resolved));

    Ok(())
}
```
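How the two reference forms, ${{ secrets.NAME }} and ${{ secrets.provider:name }}, can be parsed, resolved and masked, as an added standalone sketch using only the Rust standard library; it is not the wrkflw-secrets implementation. The default-provider fallback, the name character rule, the error on unknown secrets and the sample values are assumptions made for the example.

```rust
use std::collections::HashMap;

/// Parse the text between `${{` and `}}` into (provider, name); None if it is not a secrets reference.
pub fn parse_ref(inner: &str) -> Option<(Option<&str>, &str)> {
    let body = inner.trim().strip_prefix("secrets.")?;
    let (provider, name) = match body.split_once(':') {
        Some((p, n)) => (Some(p), n),
        None => (None, body),
    };
    // Assumed name rule for this sketch: non-empty, ASCII alphanumerics, '_' or '-'.
    let ok = |s: &str| !s.is_empty() && s.chars().all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '-');
    if ok(name) && provider.map_or(true, ok) { Some((provider, name)) } else { None }
}

/// Resolve each reference against `store`, keyed by (provider, name).
/// An unknown secret is an error, so a typo never becomes an empty credential.
pub fn substitute(tpl: &str, store: &HashMap<(&str, &str), &str>, default: &str) -> Result<String, String> {
    let (mut out, mut rest) = (String::new(), tpl);
    while let Some(start) = rest.find("${{") {
        let end = start + rest[start..].find("}}").ok_or("unterminated ${{")?;
        out.push_str(&rest[..start]);
        match parse_ref(&rest[start + 3..end]) {
            Some((provider, name)) => {
                let key = (provider.unwrap_or(default), name);
                out.push_str(store.get(&key).ok_or(format!("unknown secret {}:{}", key.0, key.1))?);
            }
            None => out.push_str(&rest[start..end + 2]), // other expressions pass through untouched
        }
        rest = &rest[end + 2..];
    }
    out.push_str(rest);
    Ok(out)
}

/// Replace every known secret value in `line` with `***`, longest value first.
pub fn mask(line: &str, secrets: &[&str]) -> String {
    let mut vals: Vec<&str> = secrets.iter().copied().filter(|s| !s.is_empty()).collect();
    vals.sort_by_key(|s| std::cmp::Reverse(s.len()));
    vals.iter().fold(line.to_string(), |acc, s| acc.replace(s, "***"))
}

fn main() {
    // Constructed sample values, not real credentials.
    let store = HashMap::from([(("env", "API_KEY"), "k-12345"), (("vault", "db-pass"), "hunter2-long")]);
    let out = substitute("auth=${{ secrets.API_KEY }} db=${{ secrets.vault:db-pass }}", &store, "env").unwrap();
    println!("{}", mask(&out, &["k-12345", "hunter2-long"]));
}
```

Masking longest-first matters when one secret is a prefix of another: replacing the shorter value first would leave the tail of the longer one in the log.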
Configuration
Create ~/.wrkflw/secrets.yml:
```yaml
default_provider: env
enable_masking: true
timeout_seconds: 30
enable_caching: true
cache_ttl_seconds: 300

providers:
  env:
    type: environment
    prefix: "WRKFLW_SECRET_"
  file:
    type: file
    path: "~/.wrkflw/secrets.json"
  vault:
    type: vault
    url: "https://vault.example.com"
    auth:
      method: token
      token: "${VAULT_TOKEN}"
    mount_path: "secret"
```
Feature Flags
```toml
[dependencies]
wrkflw-secrets = { version = "0.7", features = ["vault-provider", "aws-provider"] }
```
Available: env-provider (default), file-provider (default), vault-provider, aws-provider, azure-provider, gcp-provider, all-providers.
See the secrets demo for end-to-end usage examples.