chekusu/shipkey

shipkey

Scan, backup, and sync all your project API keys with one command. Powered by 1Password & Bitwarden.

Why

  • .env files get lost when you switch machines
  • Secrets scattered across GitHub, Cloudflare, and local files
  • New team members spend hours collecting API keys
  • No one remembers which permissions a token needs

shipkey solves all of this.

Quick Start

# Install
curl -fsSL https://shipkey.dev/install.sh | bash

# Scan your project and launch the setup wizard
shipkey setup

Tip: shipkey setup will automatically open a web-based wizard connected to a local API server, guiding you through each provider with step-by-step instructions and saving keys to your password manager (1Password or Bitwarden).

How It Works

shipkey scan     →  Detect .env files, workflows, wrangler configs
                    Generate shipkey.json with providers & permissions

shipkey setup    →  Open browser wizard to enter API keys
                    Save to password manager + local .env.local/.dev.vars

shipkey pull     →  Restore all keys from password manager to local files
                    New machine ready in seconds

shipkey sync     →  Push secrets to GitHub Actions, Cloudflare Workers
                    One command, all platforms

Supported Backends

Backend CLI Read Write List
1Password op
Bitwarden bw

Set the backend in shipkey.json:

{
  "backend": "bitwarden"
}

Default is "1password" if omitted (backwards compatible).

Commands

shipkey setup [dir]

Launch an interactive browser-based setup wizard.

shipkey setup                  # Current directory, prod env
shipkey setup -e dev           # Dev environment
shipkey setup --port 3000      # Specify API port
shipkey setup --no-open        # Don't auto-open browser

The wizard provides:

  • Step-by-step guides for each provider (Cloudflare, AWS, Stripe, etc.)
  • Auto-inferred permission recommendations from your project code
  • One-click save to 1Password or Bitwarden
  • CLI status checks (op/bw, gh, wrangler) with install instructions

shipkey scan [dir]

Scan your project and generate shipkey.json.

shipkey scan                   # Scan and write config
shipkey scan --dry-run         # Preview without writing

Detects:

  • .env, .env.local, .env.example, .dev.vars, .envrc
  • GitHub Actions workflow secrets
  • Wrangler bindings (KV, R2, D1, Queues, AI)
  • package.json dependencies (AWS SDK, Supabase, Stripe, etc.)

Auto-infers required permissions per provider.

shipkey push [dir]

Push local env values to your password manager.

shipkey push                   # Push dev env
shipkey push -e prod           # Push prod env
shipkey push --vault myteam    # Custom vault

shipkey pull [dir]

Pull secrets from your password manager and generate local env files.

shipkey pull                   # Pull dev env
shipkey pull -e prod           # Pull prod env
shipkey pull --no-envrc        # Skip .envrc generation
shipkey pull --no-dev-vars     # Skip .dev.vars generation

Generates:

  • .envrc with op:// references for direnv (1Password) or direct values (Bitwarden)
  • .dev.vars with resolved values for Cloudflare Workers
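The files named above (.env.local and .dev.vars from setup, .dev.vars and .envrc from pull) hold resolved secret values, so each should be covered by .gitignore before the first commit. The following check is an added example, not part of shipkey: `unignoredSecretFiles` is a hypothetical helper, it understands only a subset of .gitignore syntax for files in the repository root, and the sample .gitignore is constructed.

```javascript
// Added example; unignoredSecretFiles is a hypothetical helper, not shipkey code.
// Files this README says receive secret values (setup and pull sections).
const SECRET_FILES = [".env.local", ".dev.vars", ".envrc"];

// Turn one .gitignore pattern into a rule for a file in the repo root.
// Subset only: "*", "?", a leading "/" and a leading "!" are understood.
function toRule(line) {
  const negated = line.startsWith("!");
  let pat = negated ? line.slice(1) : line;
  if (pat.startsWith("/")) pat = pat.slice(1);
  const body = pat
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, "[^/]*")
    .replace(/\?/g, "[^/]");
  return { negated, re: new RegExp(`^${body}$`) };
}

// Return the secret-bearing files that git would still track.
function unignoredSecretFiles(gitignoreText, files = SECRET_FILES) {
  const rules = gitignoreText
    .split(/\r?\n/)
    .map((l) => l.trim())
    // skip blanks, comments and directory-only patterns (trailing "/")
    .filter((l) => l && !l.startsWith("#") && !l.endsWith("/"))
    .map(toRule);
  return files.filter((name) => {
    let ignored = false;
    for (const { negated, re } of rules) {
      if (re.test(name)) ignored = !negated; // last matching rule wins
    }
    return !ignored;
  });
}

// Constructed sample: ".env.*" covers .env.local but not .envrc.
const sample = [
  "node_modules/",
  "# local env",
  ".env.*",
  "!.env.example",
  "/.dev.vars",
].join("\n");

console.log(unignoredSecretFiles(sample));
```

With the Bitwarden backend the .envrc gap matters most, because that file then contains direct values rather than op:// references.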

shipkey sync [target] [dir]

Sync secrets to external platforms.

shipkey sync                   # Sync all targets
shipkey sync github            # GitHub Actions only
shipkey sync cloudflare        # Cloudflare Workers only

Supported targets:

  • GitHub Actions — sets repository secrets via gh secret set
  • Cloudflare Workers — sets secrets via wrangler secret put

shipkey list [dir]

List all stored secrets in your password manager.

shipkey list                   # Current project
shipkey list --all             # All projects
shipkey list -e prod           # Filter by environment

Configuration

shipkey.json is auto-generated by shipkey scan. You can also edit it manually.

{
  "project": "my-app",
  "vault": "shipkey",
  "backend": "1password",
  "providers": {
    "Cloudflare": {
      "fields": ["CLOUDFLARE_API_TOKEN", "CLOUDFLARE_ACCOUNT_ID"]
    },
    "Stripe": {
      "fields": ["STRIPE_SECRET_KEY"]
    }
  },
  "targets": {
    "github": {
      "owner/repo": ["CLOUDFLARE_API_TOKEN", "STRIPE_SECRET_KEY"]
    }
  }
}

Storage Structure

1Password

Secrets are stored as items in a vault, organized by section:

op://{vault}/{provider}/{project}-{env}/{FIELD}

Example:

op://shipkey/Cloudflare/my-app-prod/CLOUDFLARE_API_TOKEN
op://shipkey/Stripe/my-app-dev/STRIPE_SECRET_KEY

Bitwarden

Secrets are stored as Secure Note items in a folder, using custom hidden fields:

Folder: {vault}
  Item: {provider}  (Secure Note)
    Field: {project}-{env}.{FIELD}  (Hidden)

Example:

Folder: shipkey
  Item: Cloudflare
    Field: my-app-prod.CLOUDFLARE_API_TOKEN = sk-xxx
  Item: Stripe
    Field: my-app-dev.STRIPE_SECRET_KEY = sk-xxx
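To audit a shipkey.json before running push or sync, the naming schemes above can be applied mechanically. This is an added example, not shipkey's own code: `storageLocations` and `undeclaredTargetFields` are hypothetical names, the targets shape is assumed to be the one shown for github in the Configuration section, and rejecting "/" in names is an added check based on "/" being the op:// segment separator.

```javascript
// Added example; storageLocations and undeclaredTargetFields are hypothetical names.
// Sample config copied from the Configuration section of this README.
const config = {
  project: "my-app",
  vault: "shipkey",
  backend: "1password",
  providers: {
    Cloudflare: { fields: ["CLOUDFLARE_API_TOKEN", "CLOUDFLARE_ACCOUNT_ID"] },
    Stripe: { fields: ["STRIPE_SECRET_KEY"] },
  },
  targets: { github: { "owner/repo": ["CLOUDFLARE_API_TOKEN", "STRIPE_SECRET_KEY"] } },
};

// Map each declared field to where the README says it is stored for `env`.
function storageLocations(cfg, env) {
  const backend = cfg.backend ?? "1password"; // README: default when omitted
  if (!["1password", "bitwarden"].includes(backend)) {
    throw new Error(`unknown backend "${backend}"`);
  }
  const scope = `${cfg.project}-${env}`;
  const out = {};
  for (const [provider, { fields }] of Object.entries(cfg.providers ?? {})) {
    for (const field of fields) {
      // "/" separates op:// segments, so a name containing it is ambiguous.
      for (const part of [cfg.vault, provider, scope, field]) {
        if (part.includes("/")) throw new Error(`"/" not allowed in "${part}"`);
      }
      out[field] =
        backend === "bitwarden"
          ? { folder: cfg.vault, item: provider, field: `${scope}.${field}` }
          : `op://${cfg.vault}/${provider}/${scope}/${field}`;
    }
  }
  return out;
}

// Fields a sync target asks for that no provider declares (nothing to read).
function undeclaredTargetFields(cfg) {
  const declared = new Set(Object.values(cfg.providers ?? {}).flatMap((p) => p.fields));
  const missing = [];
  for (const [target, dests] of Object.entries(cfg.targets ?? {})) {
    for (const [dest, fields] of Object.entries(dests)) {
      for (const f of fields) if (!declared.has(f)) missing.push(`${target}:${dest}:${f}`);
    }
  }
  return missing;
}
```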

Requirements

  • Bun runtime
  • One of the following password manager CLIs: op (1Password) or bw (Bitwarden)
  • GitHub CLI (gh) — for GitHub Actions sync
  • Wrangler — for Cloudflare Workers sync

License

MIT
