CI/CD Integration

Use storemyapi in your CI/CD pipelines to inject secrets at build and deploy time.

The storemyapi CLI integrates with any CI/CD system. Secrets are fetched at runtime and never stored in your repository or CI configuration; only the STOREMYAPI_TOKEN used to fetch them is kept as a CI secret.

General pattern

  1. Store your STOREMYAPI_TOKEN as a CI secret
  2. Install the CLI in your pipeline
  3. Pull secrets before your build/deploy step

GitHub Actions

name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install storemyapi CLI
        run: curl -fsSL https://get.storemyapi.com/install.sh | sh

      - name: Pull production secrets
        run: storemyapi env pull -p my-saas-app -e production -o .env
        env:
          STOREMYAPI_TOKEN: ${{ secrets.STOREMYAPI_TOKEN }}

      - name: Build
        run: npm run build

      - name: Deploy
        run: npm run deploy

Alternatively, inject secrets directly into the process:

      - name: Build with secrets
        run: storemyapi env run -p my-saas-app -e production -- npm run build
        env:
          STOREMYAPI_TOKEN: ${{ secrets.STOREMYAPI_TOKEN }}

GitLab CI

deploy:
  image: node:20
  before_script:
    - curl -fsSL https://get.storemyapi.com/install.sh | sh
  script:
    - storemyapi env pull -p my-saas-app -e production -o .env
    - npm ci
    - npm run build
    - npm run deploy
  variables:
    STOREMYAPI_TOKEN: $STOREMYAPI_TOKEN

Docker

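# Multi-stage build: secrets are only available in the builder stage
FROM node:20-alpine AS builder
# node:20-alpine does not ship curl, so install it before fetching the CLI
RUN apk add --no-cache curl \
 && curl -fsSL https://get.storemyapi.com/install.sh | sh

# Work in /app so the COPY --from=builder paths below exist
WORKDIR /app

# Build args are exposed as environment variables to the RUN steps that follow.
# They are also recorded in the builder stage's image history and build cache,
# so never push or share the builder stage.
ARG STOREMYAPI_TOKEN
RUN storemyapi env pull -p my-saas-app -e production -o .env

COPY . .
RUN npm ci && npm run build

# Production image: no CLI, no .env file
FROM node:20-alpine
WORKDIR /app
# npm start needs package.json to find the start script
COPY --from=builder /app/package.json ./package.json
COPY --from=builder /app/.next ./.next
COPY --from=builder /app/node_modules ./node_modules
CMD ["npm", "start"]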
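
The same build with the token passed as a BuildKit secret mount instead of a build arg, and with env run in place of env pull so no .env file is written. This is an added example, not storemyapi's own Dockerfile. Assumptions: the secret id storemyapi_token is a name chosen here, the CLI reads the token from the STOREMYAPI_TOKEN environment variable as in the steps above, and the install script puts storemyapi on PATH.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the storemyapi docs).
# Build with STOREMYAPI_TOKEN set in the CI job's environment:
#   docker build --secret id=storemyapi_token,env=STOREMYAPI_TOKEN .
# "storemyapi_token" is a secret id chosen for this example.

FROM node:20-alpine AS builder
# node:20-alpine does not ship curl
RUN apk add --no-cache curl \
 && curl -fsSL https://get.storemyapi.com/install.sh | sh
WORKDIR /app

# Dependency install needs no secrets, so it gets its own cacheable layer.
COPY package*.json ./
RUN npm ci

COPY . .

# The token is mounted as a tmpfs file at /run/secrets/storemyapi_token for this
# single RUN step only. It is not a build arg, so it does not appear in the
# image history, and it is not written to any layer.
# Assumption: the CLI reads the token from the STOREMYAPI_TOKEN variable.
# "env run" injects the project secrets into the build process directly,
# so the builder stage never holds a .env file either.
RUN --mount=type=secret,id=storemyapi_token \
    STOREMYAPI_TOKEN="$(cat /run/secrets/storemyapi_token)" \
    storemyapi env run -p my-saas-app -e production -- npm run build

# Production image: no CLI, no token, no .env file
FROM node:20-alpine
WORKDIR /app
COPY --from=builder /app/package.json ./package.json
COPY --from=builder /app/.next ./.next
COPY --from=builder /app/node_modules ./node_modules
CMD ["npm", "start"]
```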

Vercel

For Vercel deployments, add a prebuild script to package.json; npm runs it automatically before the build command:

{
  "scripts": {
    "prebuild": "npx @storemyapi/cli env pull -p my-saas-app -e production -o .env.local"
  }
}

Add STOREMYAPI_TOKEN to your Vercel project environment variables.

Security best practices

  • Use dedicated CI tokens — Create a separate API token for each CI environment
  • Limit token scope — Use read-only tokens for CI when possible
  • Rotate regularly — Rotate CI tokens on a schedule
  • Audit access — Check the audit log for unexpected access patterns
  • Never log secrets — Use the --quiet flag and avoid echoing values