From 3f2bd29aaa336b69d52c0c3d11c76788143d4ca8 Mon Sep 17 00:00:00 2001
From: Joe Niland
Date: Thu, 18 Jun 2026 17:35:59 +1000
Subject: [PATCH 1/4] docs: add overview section and document download command
---
 README.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/README.md b/README.md
index 151b074..d892ce3 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,29 @@
 Populate Gitlab Project Variables from .env file
 =================================================
+## Overview
+
+A command-line tool for managing a Gitlab project's CI/CD variables, scoped to a
+Gitlab [environment](https://docs.gitlab.com/ee/ci/environments/) (e.g. `uat`,
+`production`). It talks to the Gitlab API using a personal access token and lets
+you move variables between a local `.env` file and Gitlab in both directions.
+
+It provides four commands:
+
+- `write` — read a local `.env` file and create or update the matching
+ project variables in the given environment scope. Supports `--include` /
+ `--exclude` filtering and `--mask` to mask values whose key contains `KEY`,
+ `SECRET`, or `TOKEN`.
+- `list` — print the variables for an environment in a table. Masked values are
+ hidden unless you pass `--sensitive`.
+- `get` — print the variables for an environment, optionally appending them to a
+ `.env` file with `--export`.
+- `download` — write an environment's variables to a `.env` file,
+ prompting before overwriting an existing file.
+
+All commands target both the requested environment and globally-scoped (`*`)
+variables. Requires a `GITLAB_TOKEN` environment variable.
+
 ## Install
 Install as a global user tool (isolated environment, command on your PATH):
@@ -56,3 +79,9 @@ populate-secrets-gitlab write \
 ```shell
 populate-secrets-gitlab get --environment uat --gitlab-host gitlab.example.com --project my-group/my-project --export
 ```
+
+### Download variables to an .env file
+
+```shell
+populate-secrets-gitlab download --environment uat --gitlab-host gitlab.example.com --project my-group/my-project --output-dir .
+```
From dafffde9bf26b486af302a1a82411e23f54a50b1 Mon Sep 17 00:00:00 2001
From: Joe Niland
Date: Thu, 18 Jun 2026 18:11:48 +1000
Subject: [PATCH 2/4] refactor: drop invalid %s strftime code and trailing whitespace
- Remove .%s from datefmt in logging.basicConfig (%s is not a valid strftime directive and renders literally).
- Remove trailing blank line in gitlab_server.py.
---
 src/populate_secrets_gitlab/app.py | 2 +-
 src/populate_secrets_gitlab/gitlab_server.py | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/populate_secrets_gitlab/app.py b/src/populate_secrets_gitlab/app.py
index 25342eb..48800aa 100644
--- a/src/populate_secrets_gitlab/app.py
+++ b/src/populate_secrets_gitlab/app.py
@@ -16,7 +16,7 @@ logging.basicConfig(
 level=logging.INFO,
 format='%(asctime)s %(levelname)s\t%(message)s',
- datefmt='%Y-%m-%d_%H:%M:%S.%s',
+ datefmt='%Y-%m-%d_%H:%M:%S',
 handlers=[
 logging.StreamHandler()
 ],
diff --git a/src/populate_secrets_gitlab/gitlab_server.py b/src/populate_secrets_gitlab/gitlab_server.py
index 705dad0..813533b 100644
--- a/src/populate_secrets_gitlab/gitlab_server.py
+++ b/src/populate_secrets_gitlab/gitlab_server.py
@@ -3,5 +3,3 @@ def gitlab_client(gitlab_host, gitlab_token):
 return gitlab.Gitlab(util.prepare_gitlab_host(gitlab_host), private_token=gitlab_token)
-
-
\ No newline at end of file
From bffe80f6ea022077e87c8ff0da20541af1f28e69 Mon Sep 17 00:00:00 2001
From: Joe Niland
Date: Thu, 18 Jun 2026 18:12:03 +1000
Subject: [PATCH 3/4] docs: clarify masking heuristic is a substring match and one-way
---
 README.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
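Review bot: In src/populate_secrets_gitlab/app.py the new `datefmt='%Y-%m-%d_%H:%M:%S'` leaves log timestamps at whole-second resolution with no UTC offset, which makes it harder to order events or correlate them with GitLab's audit log. The removed `.%s` looks like it was meant to add a fractional part; if so, that belongs in the format string rather than in datefmt, e.g. `format='%(asctime)s.%(msecs)03d %(levelname)s\t%(message)s'`, and `%z` could be appended to datefmt for the offset. The logging.basicConfig call starts and ends outside this hunk.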
diff --git a/README.md b/README.md
index d892ce3..2884cd8 100644
--- a/README.md
+++ b/README.md
@@ -12,8 +12,10 @@ It provides four commands:
 - `write` — read a local `.env` file and create or update the matching
 project variables in the given environment scope. Supports `--include` /
- `--exclude` filtering and `--mask` to mask values whose key contains `KEY`,
- `SECRET`, or `TOKEN`.
+ `--exclude` filtering and `--mask` to mask values whose key contains the
+ substring `KEY`, `SECRET`, or `TOKEN` (e.g. `APP_KEY`, `PUBLIC_KEY`,
+ `AUTH_TOKEN` will all be masked). Masking is one-way: an already-masked
+ variable is never un-masked by this tool.
 - `list` — print the variables for an environment in a table. Masked values are
 hidden unless you pass `--sensitive`.
 - `get` — print the variables for an environment, optionally appending them to a
From e41692805a4f5705772098c25284a3e1fbce6496 Mon Sep 17 00:00:00 2001
From: Joe Niland
Date: Thu, 18 Jun 2026 18:12:22 +1000
Subject: [PATCH 4/4] ci: add lint and test check workflow on pull requests
---
 .github/workflows/check.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 .github/workflows/check.yml
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
new file mode 100644
index 0000000..9ca50d2
--- /dev/null
+++ b/.github/workflows/check.yml
@@ -0,0 +1,25 @@
+name: Check
+
+on:
+ pull_request:
+ push:
+ branches-ignore:
+ - master
+
+jobs:
+ lint-and-test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: astral-sh/setup-uv@v6
+
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.9"
+
+ - run: uv sync --group dev
+
+ - run: uv run ruff check .
+
+ - run: uv run pytest
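Review bot: The new .github/workflows/check.yml references all three actions by mutable tag (`actions/checkout@v4`, `astral-sh/setup-uv@v6`, `actions/setup-python@v5`) and declares no `permissions:` block, so the job runs with the repository's default token scope and with whatever code those tags point to at run time. For a tool whose purpose is handling GitLab tokens and CI secrets, I would pin each `uses:` to a full commit SHA (keeping the tag as a trailing comment) and add a top-level `permissions:` with `contents: read`. `uv sync --group dev` could become `uv sync --locked --group dev` so CI fails instead of silently re-resolving dependencies, assuming a uv.lock is committed, which is not visible here. Separately, `pull_request:` combined with `push:` on every non-master branch will run the job twice for pull requests opened from branches of the same repository.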