<p align="center">
<strong>English</strong> | <a href="https://github.com/chekusu/shipkey/blob/main/README.zh.md">中文</a> | <a href="https://github.com/chekusu/shipkey/blob/main/README.ja.md">日本語</a>
</p>

# shipkey
Scan, backup, and sync all your project API keys with one command. Powered by 1Password.
## Why
- `.env` files get lost when you switch machines
- Secrets scattered across GitHub, Cloudflare, and local files
- New team members spend hours collecting API keys
- No one remembers which permissions a token needs

shipkey solves all of this.
## Quick Start
```bash
# Install
curl -fsSL https://shipkey.dev/install.sh | bash
# Scan your project and launch the setup wizard
shipkey setup
```
> **Tip:** `shipkey setup` will automatically open a web-based wizard connected to a local API server, guiding you through each provider with step-by-step instructions and saving keys to 1Password.
## How It Works
```
shipkey scan   →  Detect .env files, workflows, wrangler configs
                  Generate shipkey.json with providers & permissions

shipkey setup  →  Open browser wizard to enter API keys
                  Save to 1Password + local .env.local/.dev.vars

shipkey pull   →  Restore all keys from 1Password to local files
                  New machine ready in seconds

shipkey sync   →  Push secrets to GitHub Actions, Cloudflare Workers
                  One command, all platforms
```
## Commands
### `shipkey setup [dir]`
Launch an interactive browser-based setup wizard.
```bash
shipkey setup # Current directory, prod env
shipkey setup -e dev # Dev environment
shipkey setup --port 3000 # Specify API port
shipkey setup --no-open # Don't auto-open browser
```
The wizard provides:
- Step-by-step guides for each provider (Cloudflare, AWS, Stripe, etc.)
- Auto-inferred permission recommendations from your project code
- Save to 1Password with one click
- CLI status checks (op, gh, wrangler) with install instructions
### `shipkey scan [dir]`
Scan your project and generate `shipkey.json`.
```bash
shipkey scan # Scan and write config
shipkey scan --dry-run # Preview without writing
```
Detects:
- `.env`, `.env.local`, `.env.example`, `.dev.vars`, `.envrc`
- GitHub Actions workflow secrets
- Wrangler bindings (KV, R2, D1, Queues, AI)
- `package.json` dependencies (AWS SDK, Supabase, Stripe, etc.)

Auto-infers required permissions per provider.
### `shipkey push [dir]`
Push local env values to 1Password.
```bash
shipkey push # Push dev env
shipkey push -e prod # Push prod env
shipkey push --vault myteam # Custom vault
```
### `shipkey pull [dir]`
Pull secrets from 1Password and generate local env files.
```bash
shipkey pull # Pull dev env
shipkey pull -e prod # Pull prod env
shipkey pull --no-envrc # Skip .envrc generation
shipkey pull --no-dev-vars # Skip .dev.vars generation
```
Generates:
- `.envrc` with `op://` references for direnv
- `.dev.vars` with resolved values for Cloudflare Workers
### `shipkey sync [target] [dir]`
Sync secrets to external platforms.
```bash
shipkey sync # Sync all targets
shipkey sync github # GitHub Actions only
shipkey sync cloudflare # Cloudflare Workers only
```
Supported targets:
- **GitHub Actions** — sets repository secrets via `gh secret set`
- **Cloudflare Workers** — sets secrets via `wrangler secret put`
### `shipkey list [dir]`
List all stored secrets in 1Password.
```bash
shipkey list # Current project
shipkey list --all # All projects
shipkey list -e prod # Filter by environment
```
## Configuration
`shipkey.json` is auto-generated by `shipkey scan`. You can also edit it manually.
```json
{
  "project": "my-app",
  "vault": "shipkey",
  "providers": {
    "Cloudflare": {
      "fields": ["CLOUDFLARE_API_TOKEN", "CLOUDFLARE_ACCOUNT_ID"]
    },
    "Stripe": {
      "fields": ["STRIPE_SECRET_KEY"]
    }
  },
  "targets": {
    "github": {
      "owner/repo": ["CLOUDFLARE_API_TOKEN", "STRIPE_SECRET_KEY"]
    }
  }
}
```
## 1Password Storage Structure
Secrets are stored at:
```
op://{vault}/{provider}/{project}-{env}/{FIELD}
```
Example:
```
op://shipkey/Cloudflare/my-app-prod/CLOUDFLARE_API_TOKEN
op://shipkey/Stripe/my-app-dev/STRIPE_SECRET_KEY
```
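The following is an added example, not shipkey's own code: it derives the `op://` reference for every field in a `shipkey.json` using the layout above, and lists sync target fields that no provider declares. The function names, the `SENTRY_DSN` entry and the rule that a target field must appear under a provider are assumptions made for illustration.

```javascript
// Added example, not shipkey's code; function names are hypothetical.
// Constructed config modelled on the shipkey.json above; SENTRY_DSN is deliberately undeclared.
const sampleConfig = {
  project: "my-app",
  vault: "shipkey",
  providers: {
    Cloudflare: { fields: ["CLOUDFLARE_API_TOKEN", "CLOUDFLARE_ACCOUNT_ID"] },
    Stripe: { fields: ["STRIPE_SECRET_KEY"] },
  },
  targets: {
    github: { "owner/repo": ["CLOUDFLARE_API_TOKEN", "STRIPE_SECRET_KEY", "SENTRY_DSN"] },
  },
};

// An empty segment or one containing "/" would shift the op:// path components.
function segment(name, value) {
  if (typeof value !== "string" || value === "" || value.includes("/")) {
    throw new Error(`invalid ${name}: ${JSON.stringify(value)}`);
  }
  return value;
}

// Map every declared field to op://{vault}/{provider}/{project}-{env}/{FIELD}.
function secretRefs(config, env) {
  const refs = {};
  const vault = segment("vault", config.vault);
  const section = `${segment("project", config.project)}-${segment("env", env)}`;
  for (const [provider, { fields }] of Object.entries(config.providers)) {
    for (const field of fields) {
      refs[field] = `op://${vault}/${segment("provider", provider)}/${section}/${segment("field", field)}`;
    }
  }
  return refs;
}

// Report target fields with no provider entry, as "target:destination:FIELD".
function undeclaredTargetFields(config, env) {
  const refs = secretRefs(config, env);
  const missing = [];
  for (const [target, destinations] of Object.entries(config.targets || {})) {
    for (const [dest, fields] of Object.entries(destinations)) {
      missing.push(...fields.filter((f) => !Object.hasOwn(refs, f)).map((f) => `${target}:${dest}:${f}`));
    }
  }
  return missing;
}

console.log(secretRefs(sampleConfig, "prod"), undeclaredTargetFields(sampleConfig, "prod"));
```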
## Requirements
- [Bun](https://bun.sh) runtime
- [1Password CLI](https://developer.1password.com/docs/cli/) (`op`)
  ```bash
  brew install --cask 1password-cli
  ```
- [GitHub CLI](https://cli.github.com/) (`gh`) — for GitHub Actions sync
- [Wrangler](https://developers.cloudflare.com/workers/wrangler/) — for Cloudflare Workers sync
## License
MIT