Using logi in CI/CD
Source:
en/cli/usage.md· Live: https://docs.1pass.dev/en/cli/usage LLM-sanitized: internal links absolutized, VitePress containers → admonitions, line numbers in the Jump-to Index reference this rendered file (1-indexed).
📍 Jump-to Index
- L25-L36: ## Authentication: environment variable
- L37-L68: ## GitHub Actions example
- L69-L86: ## Automating secret rotation
- L87-L96: ## Environment variable reference
- L97-L100: ## Exit codes
- L101-L104: ## PAK masking
- L105-L109: ## Next
Using logi in CI/CD
Automate logi in GitHub Actions, GitLab CI, Jenkins, and more.
⚠️ Warning: Before the official CLI release The
logiCLI is still getting ready for release. The examples on this page are written against a package manager and install script so you can use them as-is after the official release, but for now we recommend verifying behavior with a binary you build from source.
Authentication: environment variable
You can't run browser OAuth on a CI machine, so issue a PAK (Personal API Key) and provide it through an environment variable:
export LOGI_API_KEY=lpa_pat_xxxxxxxxxxxxx
export LOGI_API_URL=https://api.1pass.dev
logi whoami # → authenticates with the PAK automaticallyIssue a PAK at start.1pass.dev/settings/api-keys.
GitHub Actions example
# .github/workflows/rotate-secret.yml
name: Rotate logi secret monthly
on:
schedule:
- cron: "0 0 1 * *" # the 1st of every month at 00:00 UTC
workflow_dispatch:
jobs:
rotate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install logi CLI
run: |
# Currently distributed as a Ruby gem. A script installer is coming later.
gem install logi-cli
- name: Rotate
env:
LOGI_API_KEY: ${{ secrets.LOGI_API_KEY }}
run: |
# Extract client_secret from rotate-secret output (--json not yet supported)
NEW_SECRET=$(logi apps rotate-secret ${{ vars.LOGI_APP_ID }} | awk '/client_secret:/ {print $2}')
echo "::add-mask::$NEW_SECRET"
gh secret set OAUTH_CLIENT_SECRET --body "$NEW_SECRET" --repo my-org/my-app
env:
GH_TOKEN: ${{ secrets.GH_PAT }}Automating secret rotation
Recommended cadence:
- Once a month — typical production apps
- Once a week — apps that handle payments or sensitive data
- Immediately — whenever you suspect exposure
A GitHub Actions matrix pattern for rotating several apps at once:
strategy:
matrix:
app: [my-web, my-mobile-bff, my-admin]
steps:
- run: logi apps rotate-secret ${{ matrix.app }}Environment variable reference
| Variable | Default | Description |
|---|---|---|
LOGI_API_KEY | (none) | PAK. When set, the credentials file is ignored |
LOGI_API_URL | https://api.1pass.dev | Change for self-hosting |
LOGI_PORTAL_URL | https://start.1pass.dev | Change for self-hosting |
LOGI_CONFIG_PATH | ~/.config/logi/credentials.json | Move to a different path |
LOGI_OUTPUT | (TTY: human / otherwise: json) | Force json or human |
Exit codes
The CLI runs on Thor.exit_on_failure?. It returns 0 on success and 1 on failure. Granular error codes (separate auth / permission / network) are coming later.
PAK masking
In output such as whoami, a PAK shows only its 18-character prefix.