This skill helps you securely manage PyPI publishing, AWS credentials, and Doppler secrets with automated injection and best-practice patterns.
Install with:
```bash
npx playbooks add skill terrylica/cc-skills --skill doppler-workflows
```
---
name: doppler-workflows
description: Doppler credential and publishing workflows. TRIGGERS - PyPI publish, AWS credentials, Doppler secrets.
allowed-tools: Read, Bash
---
# Doppler Credential Workflows
## When to Use This Skill
Use this skill when:
- Publishing Python packages to PyPI
- Rotating AWS access keys
- Managing credentials across multiple services
- Troubleshooting authentication failures (403, InvalidClientTokenId)
- Setting up Doppler credential injection patterns
- Multi-token/multi-account strategies
## Quick Reference
### Core Pattern: Doppler CLI
**Standard Usage:**
```bash
doppler run --project <project> --config <config> --command='<command>'
```
**Why the --command flag (with single quotes):**
- Official Doppler pattern (auto-detects shell)
- Ensures variables expand AFTER Doppler injects them: the single quotes pass `$VAR` to the child shell as literal text, and that shell expands it once the secret is in its environment
- Without it (or with double quotes): your current shell expands `$VAR` before Doppler runs → empty string
---
## Quick Start Examples
### PyPI Publishing
```bash
doppler run --project claude-config --config dev \
--command='uv publish --token "$PYPI_TOKEN"'
```
### AWS Operations
```bash
doppler run --project aws-credentials --config dev \
--command='aws s3 ls --region $AWS_DEFAULT_REGION'
```
---
## Best Practices
1. Always use --command flag for credential injection
2. Use project-scoped tokens (PyPI) for better security
3. Rotate credentials regularly (90 days recommended)
4. Document with Doppler notes: `doppler secrets notes set <SECRET> "<note>"`
5. Use stdin for storing secrets, so the value never lands in shell history: `echo -n 'secret' | doppler secrets set <SECRET>` (`-n` avoids storing a trailing newline)
6. Test injection before using: `--command='echo ${#VAR}'` prints the injected value's length, not the value itself
7. Multi-token naming: `SERVICE_TOKEN_{ABBREV}` for clarity
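The expansion-order rule from the Core Pattern and best practices 5 and 6 above, shown as an added, stand-alone example (not part of this skill or of Doppler's own tooling). `fake_inject` is an assumed stand-in for `doppler run`: it exports a constructed token into a child shell and runs the command string, which is all the example needs to show why single quotes, a length check, and `-n` matter.

```bash
#!/bin/sh
# Make the demonstration deterministic: nothing is injected until fake_inject runs.
unset PYPI_TOKEN

# Stand-in for `doppler run ... --command='...'` (assumption, not the real CLI):
# put the secret into the child's environment, then execute the command string.
# The token value is constructed for this example and is not a real credential.
fake_inject() {
  PYPI_TOKEN='pypi-constructed-example-token' sh -c "$1"
}

# Wrong: double quotes let the CALLING shell expand $PYPI_TOKEN while building
# the argument, before the injector runs, so the child receives an empty string.
expanded_too_early() {
  fake_inject "printf '%s' \"$PYPI_TOKEN\""
}

# Right: single quotes pass the literal text $PYPI_TOKEN through; the child
# shell expands it only after the secret is present in its environment.
expanded_after_injection() {
  fake_inject 'printf "%s" "$PYPI_TOKEN"'
}

# Verify injection without exposing the value: report only its length
# (the `echo ${#VAR}` check from the best-practices list).
secret_length() {
  fake_inject 'printf "%s" "${#PYPI_TOKEN}"'
}

# Why `echo -n` (or printf '%s') when piping a value into `doppler secrets set`:
# plain echo appends a newline, and that byte would be stored as part of the secret.
piped_bytes_with_echo() {
  echo 'constructed-secret' | wc -c | tr -d ' '
}
piped_bytes_with_printf() {
  printf '%s' 'constructed-secret' | wc -c | tr -d ' '
}

# Stand-alone run: shows the empty early expansion, the correct late expansion
# (as a length only), and the one-byte difference a trailing newline makes.
printf 'early expansion  : [%s]\n' "$(expanded_too_early)"
printf 'after injection  : %s chars\n' "$(secret_length)"
printf 'echo vs printf   : %s vs %s bytes\n' "$(piped_bytes_with_echo)" "$(piped_bytes_with_printf)"
```

The same quoting rule applies unchanged to the real command: keep the whole `--command=` string in single quotes, and check `${#VAR}` (or `wc -c`) rather than echoing the secret when confirming injection worked.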
---
## Reference Documentation
For detailed information, see:
- [PyPI Publishing](./references/pypi-publishing.md) - Token setup, publishing, troubleshooting
- [AWS Credentials](./references/aws-credentials.md) - Rotation workflow, setup, troubleshooting
- [Multi-Service Patterns](./references/multi-service-patterns.md) - Multiple PyPI packages, multiple AWS accounts
- [AWS Workflow](./AWS_WORKFLOW.md) - Complete AWS credential management guide
**Bundled Specifications:**
- `PYPI_REFERENCE.yaml` - Complete PyPI spec
- `AWS_SPECIFICATION.yaml` - AWS credential architecture
---
## Using mise [env] for Local Development (Recommended)
For local development, mise `[env]` provides a simpler alternative to `doppler run`:
```toml
# .mise.toml
[env]
# Fetch from Doppler with caching for performance
PYPI_TOKEN = "{{ cache(key='pypi_token', duration='1h', run='doppler secrets get PYPI_TOKEN --project claude-config --config prd --plain') }}"
# For GitHub multi-account setups
GH_TOKEN = "{{ read_file(path=env.HOME ~ '/.claude/.secrets/gh-token-accountname') | trim }}"
```
**When to use mise [env]:**
- Per-directory credential configuration
- Multi-account GitHub setups
- Credentials that persist across commands (not session-scoped)
**When to use doppler run:**
- CI/CD pipelines
- Single-command credential scope
- When you want credentials auto-cleared after command
See [`mise-configuration` skill](../../../itp/skills/mise-configuration/SKILL.md) for complete patterns.
---
## PyPI Publishing Policy
<!-- ADR: 2025-12-10-clickhouse-skill-documentation-gaps -->
For PyPI publishing, see [`pypi-doppler` skill](../../../itp/skills/pypi-doppler/SKILL.md) for **LOCAL-ONLY** workspace policy.
**Do NOT** configure PyPI publishing in GitHub Actions or CI/CD pipelines.
---
## Troubleshooting
| Issue | Cause | Solution |
| -------------------------- | -------------------------------- | ----------------------------------------------------- |
| 403 on PyPI publish | Token expired or wrong scope | Regenerate project-scoped token, update in Doppler |
| InvalidClientTokenId (AWS) | Access key rotated or deleted | Run AWS key rotation workflow, update Doppler |
| Variable expands empty | Using `$VAR` without --command | Always use `--command='...$VAR...'` pattern |
| Doppler CLI not found | Not installed | `brew install dopplerhq/cli/doppler` |
| Wrong config selected | Ambiguous project/config | Specify both `--project` and `--config` explicitly |
| mise [env] not loading | Not in directory with .mise.toml | `cd` to project directory or check mise.toml path |
| Secret retrieval slow | No caching configured | Use mise `cache()` with duration for repeated access |
| Token length mismatch | Copied with extra whitespace | Trim token: `echo -n 'secret' \| doppler secrets set <SECRET>` |
This skill provides credential and publishing workflows that use Doppler to inject and manage secrets for PyPI publishing, AWS operations, and multi-service credential patterns. It codifies safe CLI patterns, rotation guidance, and quick troubleshooting to avoid common authentication failures. The content is focused on practical commands, testing, and configuration options for CI and local development.
The skill inspects workflow patterns and recommends using `doppler run --project <project> --config <config> --command='<command>'` so secrets are injected before shell expansion. It documents concrete examples for publishing to PyPI and running AWS commands, plus alternatives like mise `[env]` for per-directory or persistent local credentials. Troubleshooting entries map common errors to focused fixes and rotation steps.
**Why use `--command` instead of running `doppler shell` or exporting variables?**
`--command` ensures Doppler injects secrets before any shell performs variable expansion, preventing empty values and accidental leakage in the environment.
**When should I use mise `[env]` instead of `doppler run`?**
Use mise `[env]` for per-directory, persistent credential configurations or multi-account GitHub setups. Use `doppler run` for CI, single-command scopes, or when you want credentials cleared after command execution.