Agent skill
doppler-workflows
Manages credentials and publishing workflows via Doppler. Use when publishing Python packages to PyPI, rotating AWS credentials, or managing secrets with Doppler.
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/devops/doppler-workflows-terrylica-cc-skills
SKILL.md
Doppler Credential Workflows
Quick Reference
When to use this skill:
- Publishing Python packages to PyPI
- Rotating AWS access keys
- Managing credentials across multiple services
- Troubleshooting authentication failures (403, InvalidClientTokenId)
- Setting up Doppler credential injection patterns
- Multi-token/multi-account strategies
Core Pattern: Doppler CLI
Standard Usage:
bash
doppler run --project <project> --config <config> --command='<command>'
Why --command flag:
- Official Doppler pattern (auto-detects shell)
- Ensures variables expand AFTER Doppler injects them
- Without it: shell expands $VAR before Doppler runs → empty string
Quick Start Examples
PyPI Publishing
bash
doppler run --project claude-config --config dev \
--command='uv publish --token "$PYPI_TOKEN"'
AWS Operations
bash
doppler run --project aws-credentials --config dev \
--command='aws s3 ls --region $AWS_DEFAULT_REGION'
Best Practices
- Always use --command flag for credential injection
- Use project-scoped tokens (PyPI) for better security
- Rotate credentials regularly (90 days recommended)
- Document with Doppler notes: doppler secrets notes set <SECRET> "<note>"
- Use stdin for storing secrets: echo -n 'secret' | doppler secrets set
- Test injection before using: echo ${#VAR} to verify length
- Multi-token naming: SERVICE_TOKEN_{ABBREV} for clarity
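The expansion-order pitfall from "Why --command flag" and the length check from Best Practices, shown together in an added example that is not part of the original skill. It runs offline: `inject_run` is a hypothetical stand-in for `doppler run --command`, and `DEMO_TOKEN`, its value and the 16-character minimum are constructed assumptions.

```sh
#!/bin/sh
# Stand-in for `doppler run --command='...'` (assumption: the injector sets
# variables only in the environment of a child shell that runs the string).
# DEMO_TOKEN and its value are constructed for this example.
inject_run() {
  env DEMO_TOKEN='constructed-demo-value' sh -c "$1"
}

# Double quotes: the CALLING shell expands ${#DEMO_TOKEN} first. The variable
# is not set there, so the child is handed the literal command `echo 0`.
length_expanded_by_parent() (
  unset DEMO_TOKEN
  inject_run "echo ${#DEMO_TOKEN}"
)

# Single quotes: the text reaches the child shell untouched and is expanded
# there, after injection. Prints the length, never the value.
length_expanded_by_child() (
  unset DEMO_TOKEN
  inject_run 'echo ${#DEMO_TOKEN}'
)

# Preflight built on the same length check. The 16-character minimum is an
# assumed threshold; pick one that fits the real token format.
PREFLIGHT='[ "${#DEMO_TOKEN}" -ge 16 ] && echo ok || echo missing'

preflight_with_injection() ( unset DEMO_TOKEN; inject_run "$PREFLIGHT" )
preflight_without_injection() ( unset DEMO_TOKEN; sh -c "$PREFLIGHT" )

echo "double-quoted length: $(length_expanded_by_parent)"
echo "single-quoted length: $(length_expanded_by_child)"
echo "preflight, injected:  $(preflight_with_injection)"
echo "preflight, bare:      $(preflight_without_injection)"
```

A length of 0 from the double-quoted form is the same symptom as a secret that is missing from the Doppler config, so check the quoting before rotating or re-creating a token.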
Reference Documentation
For detailed information, see:
- PyPI Publishing - Token setup, publishing, troubleshooting
- AWS Credentials - Rotation workflow, setup, troubleshooting
- Multi-Service Patterns - Multiple PyPI packages, multiple AWS accounts
- AWS Workflow - Complete AWS credential management guide
Bundled Specifications:
- PYPI_REFERENCE.yaml - Complete PyPI spec
- AWS_SPECIFICATION.yaml - AWS credential architecture
Using mise [env] for Local Development (Recommended)
For local development, mise [env] provides a simpler alternative to doppler run:
toml
# .mise.toml
[env]
# Fetch from Doppler with caching for performance
PYPI_TOKEN = "{{ cache(key='pypi_token', duration='1h', run='doppler secrets get PYPI_TOKEN --project claude-config --config prd --plain') }}"
# For GitHub multi-account setups
GH_TOKEN = "{{ read_file(path=env.HOME ~ '/.claude/.secrets/gh-token-accountname') | trim }}"
When to use mise [env]:
- Per-directory credential configuration
- Multi-account GitHub setups
- Credentials that persist across commands (not session-scoped)
When to use doppler run:
- CI/CD pipelines
- Single-command credential scope
- When you want credentials auto-cleared after command
See mise-configuration skill for complete patterns.
PyPI Publishing Policy
For PyPI publishing, see pypi-doppler skill for LOCAL-ONLY workspace policy.
Do NOT configure PyPI publishing in GitHub Actions or CI/CD pipelines.