Skip to content

Using logi in CI/CD

Source: en/cli/usage.md · Live: https://docs.1pass.dev/en/cli/usage LLM-sanitized: internal links absolutized, VitePress containers → admonitions, line numbers in the Jump-to Index reference this rendered file (1-indexed).

📍 Jump-to Index

  • L25-L36: ## Authentication: environment variable
  • L37-L68: ## GitHub Actions example
  • L69-L86: ## Automating secret rotation
  • L87-L96: ## Environment variable reference
  • L97-L100: ## Exit codes
  • L101-L104: ## PAK masking
  • L105-L109: ## Next

Using logi in CI/CD

Automate logi in GitHub Actions, GitLab CI, Jenkins, and more.

⚠️ Warning: Before the official CLI release The logi CLI is still getting ready for release. The examples on this page are written against a package manager and install script so you can use them as-is after the official release, but for now we recommend verifying behavior with a binary you build from source.

Authentication: environment variable

You can't run browser OAuth on a CI machine, so issue a PAK (Personal API Key) and provide it through an environment variable:

bash
export LOGI_API_KEY=lpa_pat_xxxxxxxxxxxxx
export LOGI_API_URL=https://api.1pass.dev
logi whoami   # → authenticates with the PAK automatically

Issue a PAK at start.1pass.dev/settings/api-keys.

GitHub Actions example

yaml
# .github/workflows/rotate-secret.yml
name: Rotate logi secret monthly
on:
  schedule:
    - cron: "0 0 1 * *"   # the 1st of every month at 00:00 UTC
  workflow_dispatch:

jobs:
  rotate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install logi CLI
        run: |
          # Currently distributed as a Ruby gem. A script installer is coming later.
          gem install logi-cli

      - name: Rotate
        env:
          LOGI_API_KEY: ${{ secrets.LOGI_API_KEY }}
        run: |
          # Extract client_secret from rotate-secret output (--json not yet supported)
          NEW_SECRET=$(logi apps rotate-secret ${{ vars.LOGI_APP_ID }} | awk '/client_secret:/ {print $2}')
          echo "::add-mask::$NEW_SECRET"
          gh secret set OAUTH_CLIENT_SECRET --body "$NEW_SECRET" --repo my-org/my-app
        env:
          GH_TOKEN: ${{ secrets.GH_PAT }}

Automating secret rotation

Recommended cadence:

  • Once a month — typical production apps
  • Once a week — apps that handle payments or sensitive data
  • Immediately — whenever you suspect exposure

A GitHub Actions matrix pattern for rotating several apps at once:

yaml
strategy:
  matrix:
    app: [my-web, my-mobile-bff, my-admin]
steps:
  - run: logi apps rotate-secret ${{ matrix.app }}

Environment variable reference

VariableDefaultDescription
LOGI_API_KEY(none)PAK. When set, the credentials file is ignored
LOGI_API_URLhttps://api.1pass.devChange for self-hosting
LOGI_PORTAL_URLhttps://start.1pass.devChange for self-hosting
LOGI_CONFIG_PATH~/.config/logi/credentials.jsonMove to a different path
LOGI_OUTPUT(TTY: human / otherwise: json)Force json or human

Exit codes

The CLI runs on Thor.exit_on_failure?. It returns 0 on success and 1 on failure. Granular error codes (separate auth / permission / network) are coming later.

PAK masking

In output such as whoami, a PAK shows only its 18-character prefix.

Next

최종 수정:

Identity가 제품의 신뢰를 만듭니다.