mirror of
https://github.com/bahdotsh/wrkflw.git
synced 2026-05-18 05:05:35 +02:00
* docs: gut the documentation bloat and remove dead files

  The documentation had grown into the kind of sprawling mess where the same feature gets explained three times in three different files, none of which agree with each other. The main README alone was 610 lines of duplicated sections, speculative roadmaps, and verbose limitation disclaimers that nobody reads.

  Remove 12 files that had no business existing: junk test files (hello.cpp, hello.rs, test.py), duplicate agent configs, a 487-line Podman testing manual, unused asciinema recordings, and 7MB of unreferenced GIF files. Merge the useful bits from GITLAB_USAGE.md into the main README where they belong.

  Rewrite the main README from 610 lines down to ~170. Every feature is mentioned once, in one place, with one example. The crate README now actually lists all 14 crates instead of pretending secrets doesn't exist.

  Net result: 3,819 lines deleted, 197 added. The documentation now fits in your head, which is the whole point.

* docs: update crate READMEs for latest features and trim secrets

  The crate READMEs were quietly falling behind the actual code. The executor README didn't mention --job, environment file read-back, or job-level container directives. The UI README didn't mention job selection mode or the tui feature flag. The evaluator README didn't mention composite action input cross-checking.

  Meanwhile, the secrets README was 387 lines of documentation for a crate whose siblings average 25. It had full provider configuration examples, rate limiting docs, input validation specs, and benchmarking instructions — all of which belong in rustdoc, not a README that's supposed to give you a quick overview.

  Trim secrets to ~80 lines. Update executor, ui, evaluator, and wrkflw READMEs to reflect features from PRs #77-#83.
Secrets Management Demo
Demonstrates wrkflw's secrets management system with multiple providers and GitHub Actions-compatible syntax.
Quick Start
Environment Variables (Simplest)
export GITHUB_TOKEN="ghp_your_token_here"
export API_KEY="your_api_key"
Create a workflow that uses secrets:
# .github/workflows/secrets-demo.yml
name: Secrets Demo
on: [push]
jobs:
  test-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Use GitHub Token
        run: |
          curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
            https://api.github.com/user
      - name: Use API Key
        env:
          KEY: ${{ secrets.API_KEY }}
        run: echo "Using API key"
Run with wrkflw:
wrkflw run .github/workflows/secrets-demo.yml
File-based Secrets
Create a secrets file in JSON, YAML, or .env format:
{
  "API_KEY": "your_api_key_here",
  "DB_PASSWORD": "secure_database_password",
  "GITHUB_TOKEN": "ghp_your_github_token"
}
Configure wrkflw:
# ~/.wrkflw/secrets.yml
default_provider: file
enable_masking: true
timeout_seconds: 30
providers:
  file:
    type: file
    path: "./secrets.json"
External Secret Managers
For production, use HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager:
# ~/.wrkflw/secrets.yml
default_provider: vault
enable_masking: true
enable_caching: true
cache_ttl_seconds: 300
providers:
  vault:
    type: vault
    url: "https://vault.company.com"
    auth:
      method: token
      token: "${VAULT_TOKEN}"
    mount_path: "secret"
  aws:
    type: aws_secrets_manager
    region: "us-east-1"
Secret Masking
wrkflw automatically masks secrets in logs:
# Original: "token": "ghp_1234567890abcdef"
# Masked: "token": "ghp_***"
Auto-detected patterns: GitHub tokens (ghp_*, ghs_*, gho_*), AWS keys (AKIA*), JWTs, and generic API keys.
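The masking behaviour described above, as an added Python example that is not wrkflw's own code. The regexes, the mask and mask_log functions, the minimum-length rule and all sample values are assumptions constructed for illustration, since the page names only the pattern families; generic API keys are left out because the page gives no shape for them.

```python
import re

# Assumed regexes for the pattern families named above; wrkflw's real
# patterns are not shown on this page.
PATTERNS = [
    (re.compile(r"\b(gh[pso]_)[A-Za-z0-9]{8,}"), r"\1***"),   # GitHub tokens
    (re.compile(r"\b(AKIA)[A-Z0-9]{16}\b"), r"\1***"),        # AWS access key IDs
    (re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"), "***"),      # JWTs
]
MIN_SECRET_LEN = 4  # assumption: shorter values would mask ordinary text


def mask(line, known_secrets=()):
    """Return line with resolved secret values and token-shaped strings masked."""
    # Exact values first, longest first: if one secret contains another,
    # replacing the shorter one first would leave the tail of the longer
    # one readable in the log.
    for value in sorted(set(known_secrets), key=len, reverse=True):
        if len(value) >= MIN_SECRET_LEN:
            line = line.replace(value, "***")
    # Then catch secrets nobody registered, by shape.
    for pattern, replacement in PATTERNS:
        line = pattern.sub(replacement, line)
    return line


# Constructed sample log lines and secret values (not real credentials).
SAMPLE_SECRETS = ["hunter2", "hunter2-long"]
SAMPLE_LOG = [
    '"token": "ghp_1234567890abcdef"',
    "aws key=AKIAABCDEFGHIJKLMNOP ok",
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl",
    "connecting with password hunter2-long",
]


def mask_log(lines=SAMPLE_LOG, secrets=SAMPLE_SECRETS):
    """Mask every line of a log against the given resolved secret values."""
    return [mask(line, secrets) for line in lines]


if __name__ == "__main__":
    for masked in mask_log():
        print(masked)
```

Pattern detection only covers secrets with a recognisable shape; a value such as a database password is masked only when the masker is given the resolved value.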
Multi-Provider Usage
Reference secrets from specific providers:
steps:
  - run: echo "${{ secrets.env:API_KEY }}"        # from env provider
  - run: echo "${{ secrets.file:DB_PASSWORD }}"   # from file provider
  - run: echo "${{ secrets.vault:api-key }}"      # from Vault
Security Best Practices
- Development: use environment variables or file-based secrets
- Production: use external secret managers (Vault, AWS, Azure, GCP)
- Always set enable_masking: true
- Rotate secrets regularly
- Use least-privilege access for providers
See the wrkflw-secrets crate README for full API documentation.