Unlock from a CI pipeline, safely
A CI token is a short-lived bearer string (prefixed sct_…) that authenticates only your build runners, never your humans. CI tokens are scoped, time-boxed, and revocable from the dashboard the moment a build server is compromised.
The sealrepo unlock --ci command that consumes the token ships in sealrepo 1.5. The YAML example below is provided for review; running it against [email protected] will fall back to the regular user-token unlock path.

Create a token on the dashboard
Project page → CI tokens tab → New token.
sealrepo.dev/app/projects/acme-billing/ci

  Create CI token
  A bearer token for one specific pipeline.

  Label        github-actions-prod
  Expires in   30 days
  Scope        unlock / read
  [Create token]

Save the token NOW
The full token is shown once. We only store a hash; if you lose it, you have to revoke it and create a new one. Paste it straight into your secret manager (GitHub → Settings → Secrets, GitLab → CI/CD → Variables, etc.).

Use it from a build pipeline (1.5 preview)
In sealrepo 1.5 the token will go in the SEALREPO_TOKEN environment variable. The CLI will pick it up automatically: no sealrepo login required, and no interactive passphrase prompt either, because the passphrase is read from SEALREPO_PASSPHRASE (also supplied from a secret). The pipeline integration below is the planned shape for 1.5 and is shown here so you can wire up secret management ahead of time. Against [email protected], sealrepo unlock --ci currently logs a deprecation notice and falls through to the regular login flow.
GitHub Actions
.github/workflows/build.yml

  # Minimal workflow that builds your sealed repo
  name: build
  on: [push]
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        # Unpinned install takes whatever is latest on npm; pin an exact version in real pipelines.
        - run: npm install -g sealrepo
        # Both secrets are exposed to this one step only, not to the whole job.
        - run: sealrepo unlock --ci
          env:
            SEALREPO_TOKEN: ${{ secrets.SEALREPO_TOKEN }}
            SEALREPO_PASSPHRASE: ${{ secrets.SEALREPO_PASSPHRASE }}
        - run: npm ci && npm run build

What the 1.5 build log will show
GitHub Actions runner

  $ sealrepo unlock --ci
  Authenticating with CI token (sct_4f9…) ✓
  token valid · project acme-billing · scope unlock · expires in 27d
  decrypting (137) vendor/_01/_8a3f9c1e2d4b ✓
  unlocked 137 files in 412ms
  $ npm ci && npm run build
  ...

GitLab CI, CircleCI, Buildkite, Jenkins…
Same pattern. Anything that sets environment variables works: provide SEALREPO_TOKEN and the passphrase (also from a secret), then run sealrepo unlock --ci.

Watch when it was last used, revoke when it's not yours anymore
The CI tokens tab shows every token, when it was created, when it expires, and the timestamp of its last use. If you see a token that shouldn't be used anymore — click Revoke:
sealrepo.dev/app/projects/acme-billing/ci

  Active CI tokens
  Label                 Scope    Last used     Expires
  github-actions-prod   unlock   3 min ago     in 27 days
  staging-builds        read     2 days ago    in 12 days

Revocation is instant. The next CI build that runs gets a 401 and fails loudly:
Post-revoke CI build

  $ sealrepo unlock --ci
  ✗ CI token sct_4f9… was revoked.
  ✗ Generate a new one at sealrepo.dev/app/projects/acme-billing/ci
  Exit code: 1

Picking the right scope
read
  Lists files in the vault and downloads ciphertext only.
  When to use: auditing, manifest checks, dependency scans that don't need source.

unlock
  Everything read can do, plus decrypts files with the passphrase.
  When to use: real builds that compile or test your code.
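The token lifecycle this page describes (a token shown once and stored only as a hash, a last-used timestamp on every successful use, instant revocation answered with a 401, and read as a strict subset of unlock) modelled as a small service-side store. This is an added example, not sealrepo's own code: the class names, the HMAC pepper, the 403 for scope and project mismatches, and the FakeClock are assumptions made for the demo and say nothing about the real backend.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# "unlock" is a strict superset of "read" (see "Picking the right scope").
SCOPE_RANK = {"read": 0, "unlock": 1}

# Assumed server-side pepper for the keyed hash; a real service would keep it in a KMS.
PEPPER = b"example-pepper-do-not-use-in-production"


@dataclass
class TokenRecord:
    label: str
    project: str
    scope: str
    created_at: datetime
    expires_at: datetime
    last_used_at: Optional[datetime] = None
    revoked: bool = False


@dataclass
class AuthResult:
    ok: bool
    status: int            # 200, or the HTTP status the CLI would see (401 / 403)
    reason: str
    record: Optional[TokenRecord] = None


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting 30 days."""

    def __init__(self) -> None:
        self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def advance(self, days: int) -> None:
        self.now += timedelta(days=days)

    def __call__(self) -> datetime:
        return self.now


def _digest(token: str) -> str:
    # Keyed hash of the bearer string: a leaked token table yields neither the
    # tokens themselves nor a way to forge matching digests without the pepper.
    return hmac.new(PEPPER, token.encode("utf-8"), hashlib.sha256).hexdigest()


class CITokenStore:
    """Hypothetical token table for the dashboard: keyed by digest, never by plaintext."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None) -> None:
        self._by_digest: Dict[str, TokenRecord] = {}
        self._now = now or (lambda: datetime.now(timezone.utc))

    def create(self, project: str, label: str, scope: str,
               expires_in_days: int) -> Tuple[str, TokenRecord]:
        """Mint a token. The plaintext is returned exactly once and not kept."""
        if scope not in SCOPE_RANK:
            raise ValueError(f"unknown scope {scope!r}")
        token = "sct_" + secrets.token_urlsafe(32)
        now = self._now()
        rec = TokenRecord(label, project, scope, now, now + timedelta(days=expires_in_days))
        self._by_digest[_digest(token)] = rec
        return token, rec

    def list_tokens(self, project: str) -> List[TokenRecord]:
        """What the 'Active CI tokens' tab renders: label, scope, last used, expiry."""
        return [r for r in self._by_digest.values() if r.project == project and not r.revoked]

    def revoke(self, project: str, label: str) -> bool:
        for rec in self._by_digest.values():
            if rec.project == project and rec.label == label and not rec.revoked:
                rec.revoked = True
                return True
        return False

    def authenticate(self, presented: str, project: str, required_scope: str) -> AuthResult:
        """Check a presented bearer string against one project and one required scope."""
        if required_scope not in SCOPE_RANK:
            raise ValueError(f"unknown scope {required_scope!r}")
        if not presented.startswith("sct_"):
            return AuthResult(False, 401, "not a CI token")
        rec = self._by_digest.get(_digest(presented))   # lookup by digest, no plaintext compare
        if rec is None:
            return AuthResult(False, 401, "unknown token")
        if rec.revoked:
            return AuthResult(False, 401, "token revoked")        # the page's post-revoke 401
        now = self._now()
        if now >= rec.expires_at:
            return AuthResult(False, 401, "token expired")
        if rec.project != project:
            return AuthResult(False, 403, "token is for another project")
        if SCOPE_RANK[rec.scope] < SCOPE_RANK[required_scope]:
            return AuthResult(False, 403, f"scope {rec.scope!r} cannot {required_scope}")
        rec.last_used_at = now                                     # feeds the "last used" column
        return AuthResult(True, 200, "ok", rec)


if __name__ == "__main__":
    clock = FakeClock()
    store = CITokenStore(now=clock)
    token, _ = store.create("acme-billing", "github-actions-prod", "unlock", 30)
    print("unlock:", store.authenticate(token, "acme-billing", "unlock").status)
    store.revoke("acme-billing", "github-actions-prod")
    print("after revoke:", store.authenticate(token, "acme-billing", "unlock").reason)
```

The lookup is by digest rather than by comparing stored plaintext, so the store never holds anything that could be replayed if the table leaks, which is the property behind the page's "we only store a hash; if you lose it, revoke and create a new one". Revocation is a flag flip on the record, so it takes effect on the very next authenticate call, matching the "instant" claim.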