Using logi in CI/CD
Automate logi in GitHub Actions, GitLab CI, Jenkins, and more.
Before the official CLI release
The logi CLI is still getting ready for release. The examples on this page are written against a package manager and install script so you can use them as-is after the official release, but for now we recommend verifying behavior with a binary you build from source.
Authentication: environment variable
You can't run browser OAuth on a CI machine, so issue a PAK (Personal API Key) and provide it through an environment variable:
export LOGI_API_KEY=lpa_pat_xxxxxxxxxxxxx
export LOGI_API_URL=https://api.1pass.dev
logi whoami # → authenticates with the PAK automaticallyIssue a PAK at start.1pass.dev/settings/api-keys.
GitHub Actions example
# .github/workflows/rotate-secret.yml
name: Rotate logi secret monthly
on:
schedule:
- cron: "0 0 1 * *" # the 1st of every month at 00:00 UTC
workflow_dispatch:
jobs:
rotate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install logi CLI
run: |
# Currently distributed as a Ruby gem. A script installer is coming later.
gem install logi-cli
- name: Rotate
env:
LOGI_API_KEY: ${{ secrets.LOGI_API_KEY }}
run: |
# Extract client_secret from rotate-secret output (--json not yet supported)
NEW_SECRET=$(logi apps rotate-secret ${{ vars.LOGI_APP_ID }} | awk '/client_secret:/ {print $2}')
echo "::add-mask::$NEW_SECRET"
gh secret set OAUTH_CLIENT_SECRET --body "$NEW_SECRET" --repo my-org/my-app
env:
GH_TOKEN: ${{ secrets.GH_PAT }}Automating secret rotation
Recommended cadence:
- Once a month — typical production apps
- Once a week — apps that handle payments or sensitive data
- Immediately — whenever you suspect exposure
A GitHub Actions matrix pattern for rotating several apps at once:
strategy:
matrix:
app: [my-web, my-mobile-bff, my-admin]
steps:
- run: logi apps rotate-secret ${{ matrix.app }}Environment variable reference
| Variable | Default | Description |
|---|---|---|
LOGI_API_KEY | (none) | PAK. When set, the credentials file is ignored |
LOGI_API_URL | https://api.1pass.dev | Change for self-hosting |
LOGI_PORTAL_URL | https://start.1pass.dev | Change for self-hosting |
LOGI_CONFIG_PATH | ~/.config/logi/credentials.json | Move to a different path |
LOGI_OUTPUT | (TTY: human / otherwise: json) | Force json or human |
Exit codes
The CLI runs on Thor.exit_on_failure?. It returns 0 on success and 1 on failure. Granular error codes (separate auth / permission / network) are coming later.
PAK masking
In output such as whoami, a PAK shows only its 18-character prefix.