dugout 0.1.10

Git-native secrets manager for development teams, written in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124

# Deployment Guide

dugout works in CI/CD and production with zero cloud dependencies.

## Quick Start

1. Generate a CI identity:

```bash
dugout setup --output ci.key
```

2. Admit it to your project:

```bash
dugout team add ci "$(dugout whoami)"
```

3. Store the private key as a CI secret (e.g., `DUGOUT_IDENTITY` in GitHub Actions).

4. In CI, decrypt and run:

```yaml
- env:
    DUGOUT_IDENTITY: ${{ secrets.DUGOUT_IDENTITY }}
  run: dugout run -- ./deploy.sh
```

## Identity Resolution

dugout checks for identities in this order:

| Priority | Source | Use case |
|---|---|---|
| 1 | `DUGOUT_IDENTITY` env var | CI/CD — inline age key |
| 2 | `DUGOUT_IDENTITY_FILE` env var | Servers — path to key file |
| 3 | `~/.dugout/keys/<project>/identity.key` | Developer — project-local |
| 4 | `~/.dugout/identity` | Developer — global |

The first valid identity that is a recipient in the vault wins. No flags needed.

## CI/CD Examples

### GitHub Actions

```yaml
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install dugout
        run: curl -LsSf https://raw.githubusercontent.com/usemantle/dugout/main/scripts/install.sh | sh

      - name: Deploy
        env:
          DUGOUT_IDENTITY: ${{ secrets.DUGOUT_IDENTITY }}
        run: dugout run -- ./deploy.sh
```

### GitLab CI

```yaml
deploy:
  script:
    - curl -LsSf https://raw.githubusercontent.com/usemantle/dugout/main/scripts/install.sh | sh
    - dugout run -- ./deploy.sh
  variables:
    DUGOUT_IDENTITY: $DUGOUT_IDENTITY
```

### Docker

```dockerfile
FROM debian:bookworm-slim
RUN curl -LsSf https://raw.githubusercontent.com/usemantle/dugout/main/scripts/install.sh | sh
COPY . /app
WORKDIR /app
CMD ["dugout", "run", "--", "./start.sh"]
```

```bash
docker run -e DUGOUT_IDENTITY="$KEY" myapp
```

### Kubernetes

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: dugout-identity
type: Opaque
stringData:
  key: AGE-SECRET-KEY-1...
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: app
          env:
            - name: DUGOUT_IDENTITY
              valueFrom:
                secretKeyRef:
                  name: dugout-identity
                  key: key
          command: ["dugout", "run", "--", "./start.sh"]
```

## Security

- **Never bake `DUGOUT_IDENTITY` into a Docker image.** Inject at runtime.
- Use your CI provider's secret storage for the key.
- The identity is a single age private key (~200 bytes).
- Rotate by generating a new identity, admitting it, and removing the old one.
- After removing a team member, run `dugout secrets rotate` to re-encrypt all secrets.