This article explains how environment variables fit into a Vibgrate workflow, with an emphasis on supplying secrets safely in automation. It is for CI maintainers and anyone scripting Vibgrate.
Overview
Environment variables are the standard way to feed secrets and machine-specific values into a command without committing them. In a Vibgrate workflow, the most common use is providing a DSN token to authenticated uploads in CI, where an interactive vg login is not available.
Supplying a DSN from the environment
Store your DSN as a secret in your CI provider, expose it as an environment variable, and pass it to the scan via the --dsn flag:
vg scan --push --dsn "$VIBGRATE_DSN"
This keeps the token out of source control and out of command history while still authenticating the upload to Vibgrate Cloud.
Good practices
- Inject secrets through your CI provider's secret store, never as plain text in the pipeline file.
- Avoid echoing secret variables into logs.
- Scope secrets to the specific jobs that push, so most jobs cannot read them.
Local vs. CI
On your own machine, prefer the browser flow with vg login, which stores a credential for you. Reserve environment-variable-based DSN authentication for headless pipelines.
Related
See the CI authentication guide, the dsn create command page, the config-precedence article for how environment values interact with other settings, and the auth troubleshooting guide.