HackerTrans
TopNewTrendsCommentsPastAskShowJobs

theozero

no profile record

Submissions

Show HN: Bumpy – versioning/changelog tool, fixed 120 open changesets issues

github.com
5 points·by theozero·2 months ago·0 comments

comments

theozero
·2 months ago·discuss
Check out varlock - it’s a free and open source toolkit to help with this. It has built in validation, extra protection for your secrets, and uses plugins to pull sensitive data from most common sources. Also has built in local encryption with biometric unlock.
theozero
·2 months ago·discuss
Get everything out of plaintext!

Varlock is a great and flexible way to do this.
theozero
·2 months ago·discuss
You might like varlock - it helps keep secrets out of plaintext by using plugins to pull from various backends (aws ssm, gcp, vault, 1pass, etc). Also has built in local encryption with shared team vaults coming soon.

Additionally provides pre commit scanning, log redaction, and much more.
theozero
·2 months ago·discuss
We piggyback on .env files with a new DSL rather than introducing a new file.

Using plugins that register new functions, you can fetch from many different backends (15 and growing). The main difference if I understand correctly is that the wiring of vars to where those things live does live in committed code, but is totally declarative and safe. It's also incredibly flexible since functions can be written to make things idiomatic for that backend. Keeping that within git makes sense to us, as you ideally want deployments to be immutable.

The other benefit is this gives you a way to manage both sensitive and non-sensitive config - with a single source of truth for validation, types, docs.
theozero
·2 months ago·discuss
Check out https://varlock.dev - it uses functions and a plugin system to pull from different backends. But also allows composing values together in whatever way you like, has built in validation, extra protection for secrets, and a ton more.
theozero
·2 months ago·discuss
check out https://bumpy.varlock.dev - still a bit of work to do to make other languages even easier, but it fixes a few things with changesets around custom publishing.
theozero
·3 months ago·discuss
Totally - the only completely safe way is to inject keys in a proxy and keep them out of the process. But getting them totally out of plaintext is a great first step, both to keep it from AI and malicious scripts that are looking for keys.
theozero
·3 months ago·discuss
You will probably like varlock - it helps get your keys out of plaintext, while giving your agents a schema and additional tools so it can interact with env vars safely. The next step is injecting your keys via proxy, but just varlock is a huge improvement as a first step. Generally provides a ton of quality of live improvements as well, whether working solo or on a team.
theozero
·3 months ago·discuss
Another tool that helps here is https://varlock.dev (free + open source!)

There are plugins for many different secret storage solutions, including infisical - as well as native local encryption (ie secure enclave on mac) that will be released very soon.

Plus it adds validation, imports, log redaction, leak prevention, and a ton more.
theozero
·3 months ago·discuss
Check out https://varlock.dev - it makes .env files useful and safer!
theozero
·4 months ago·discuss
You might like https://varlock.dev (free and open source) - it has a plugin system so you can follow this pattern but pull from many different backends. Plus it provides a lot more... like being able to import shared config/schema from other files, validation, log redaction, composing values together with functions.

Keepass plugin is in an open PR, should be merged soon!
theozero
·4 months ago·discuss
You'll probably like https://varlock.dev (free and open source) Im just about to roll out similar built in secure-enclave encryption with fingerprint unlocking. But integrated into a larger tool that does validation, type generation, secrets protection, and a bunch more cool stuff!
theozero
·4 months ago·discuss
Check out https://varlock.dev for a modern take on .env that gets your secrets out of plaintext. Free and open source - works with tons of tools. Adds validation, type safety, lots of nice features.
theozero
·4 months ago·discuss
Reading from 1Password definitely does add some overhead, but at least our integration fetches in bulk so should be ~2s total and not scale with number of secrets. For team members, they don't need any service accounts, so its just making sure they are granted vault access, which can be managed through team settings you likely already have set up anyway. Add new team member to "devs" and you're done. Anyway certainly not perfect, but sure beats a lot of the other options.

Should be easy enough to set up a keyenv plugin - varlock adds a lot of additional last mile tooling to get secrets/config integrated into projects, regardless of where they ultimately live.
theozero
·4 months ago·discuss
While the 1Password model is not perfect, you can organize your vaults however makes sense for your project. You can do prod/staging/dev, or by projects, etc. Or you can use the new environments feature and create a separate "environment" for each. Service accounts and users can be granted access to specific vaults only.

The huge benefit is that if you are already using it for other stuff, there is no additional "secret zero" to set up - plus you get biometric unlock for your secrets.

Easiest way to use it for dev purposes is varlock (although I'm biased since I created it).

https://github.com/dmno-dev/varlock
theozero
·4 months ago·discuss
You will probably really like https://varlock.dev

It’s a whole toolkit for this - with built in validation, type safety, and extra protection for sensitive secrets.
theozero
·5 months ago·discuss
You might like https://varlock.dev - it lets you use a .env.schema file with jsdoc style comments and new function call syntax to give you validation, declarative loading, and additional guardrails. This means a unified way of managing both sensitive and non-sensitive values - and a way of keeping the sensitive ones out of plaintext.

Additionally it redacts secrets from logs (one of the other main concerns mentioned in these comments) and in JS codebases, it also stops leaks in outgoing server responses.

There are plugins to pull from a variety of backends, and you can mix and match - ie use 1Pass for local dev, use your cloud provider's native solution in prod.

Currently it still injects the secrets via env vars - which in many cases is absolutely safe - but there's nothing stopping us from injecting them in other ways.
theozero
·5 months ago·discuss
Thanks for the kind words. It's actually decoupled and up to the user if they want to use it for pure validation as part of CI/deployment, just to inject values, or to integrate more deeply. But you can get the most benefit by integrating it fully. This lets you set values, compose values using functions, take advantage of coercion, and helps protect your secrets.

You can just use `varlock run -- ...your command` and it will load, validate, and reinject as env vars. This is what enables it to be used with any language or any tool. We have a standalone binary. You could also just use `varlock load` to do validation and rely on values all being set externally. However we do provide javascript helpers to just load everything automatically - although this just calls out to the CLI, keeping your app isolated from the code that loads and validates the vars. For JS we actually go a bit further and patch http and console to protect any sensitive data - because we know exactly which config items are sensitive.

It's really meant to just be a complete complete toolkit and then let users integrate as deep as they want to.
theozero
·5 months ago·discuss
You might like varlock (https://varlock.dev)

You can use it to declaratively fetch from various backends, but it’s optional. At its core it lets you create a .env.schema and you get validation, type safety, guardrails for sensitive values, and a flexible toolkit to deal with all config related headaches.

The big difference from your tool (and many others) is that instead of trying to provide tooling to keep an example and other files in sync, the schema file is part of the loading process, so it can never be out of sync. This also helps create a single source of truth, and helps create a unified system to deal with all config - both sensitive and not.
theozero
·6 months ago·discuss
yeah for our DNS we use a little provider called... Cloudflare.

But hey some tokenized crypto dns provider is probably much more reliable! lol