Previously, quoting only protected values from || splitting but TrimSpace was still applied. Now quoted plain:/file: values preserve their content verbatim, matching user expectation that quotes mean "take literally".
secret
This package allows simple "encoding" of secret values in configuration files:
user: hans
pass: env:USERPASS
The secret value consists of a scheme and one or more values. Currently supported schemes are:
- plain, pass: the value itself is the secret, with whitespace trimmed
- raw: the value itself is the secret
- env: the actual value is taken literally from the referenced environment variable. The variable is unset after first access.
- file: the actual value is taken from the referenced file, with whitespace trimmed. The file must have 0600 or 0400 permissions.
- rawfile: as file, but literally
- netrc: the value is read from a ~/.netrc file (override via $NETRC_FILE). Format: netrc:[<login>@]<machine>[/<field>], where field is one of password (default), login, or account.
Autodetection of the scheme is attempted for absolute path names (as file)
and for environment variables (prefix $).
Fallback
Multiple specs can be chained with || — candidates are tried
left-to-right, the first success wins:
pass: env:SECRET_TOKEN||file:/run/secrets/token||plain:default
Whitespace around || is allowed:
pass: env:TOKEN || file:/run/secrets/token || plain:default
Quoting
Values may be quoted with single or double quotes (identical behavior)
to protect literal || or surrounding whitespace:
pass: plain:"has || inside"||env:FALLBACK
pass: file:'/path with spaces/secret'
pass: raw:" preserve leading/trailing spaces "
Quotes wrap only the value, not the scheme prefix.
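The fallback and quoting rules above, as an added sketch that is not this package's own code or API: splitCandidates and resolve are hypothetical names, only the plain, pass and env schemes are handled, and DEMO_UNSET is a constructed variable name.

```go
package main
import (
	"fmt"
	"os"
	"strings"
)

// splitCandidates splits spec on "||" found outside single or double quotes.
func splitCandidates(spec string) (out []string) {
	quote, start := byte(0), 0 // quote is 0 while outside quotes
	for i := 0; i < len(spec); i++ {
		switch c := spec[i]; {
		case quote != 0:
			if c == quote {
				quote = 0
			}
		case c == '"' || c == '\'':
			quote = c
		case strings.HasPrefix(spec[i:], "||"):
			out = append(out, strings.TrimSpace(spec[start:i]))
			i, start = i+1, i+2
		}
	}
	return append(out, strings.TrimSpace(spec[start:]))
}

// resolve tries candidates left to right; the first success wins.
func resolve(spec string) (string, error) {
	for _, cand := range splitCandidates(spec) {
		scheme, val, _ := strings.Cut(cand, ":")
		val = strings.TrimSpace(val) // unquoted values are trimmed
		if n := len(val); n >= 2 && (val[0] == '"' || val[0] == '\'') && val[n-1] == val[0] {
			val = val[1 : n-1] // quoted: content kept verbatim, no trimming
		}
		switch scheme {
		case "plain", "pass":
			return val, nil
		case "env":
			if v, ok := os.LookupEnv(val); ok {
				os.Unsetenv(val) // unset after first access, as described above
				return v, nil
			}
		}
	}
	// The spec is not echoed in the error: a plain: candidate is itself a secret.
	return "", fmt.Errorf("no candidate resolved")
}

func main() {
	fmt.Println(resolve(`env:DEMO_UNSET || plain:" keep spaces "`))
}
```

Because env: unsets the variable on first access, resolving the same spec a second time falls through to the next candidate.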