
Conversation

@i-am-logger
Contributor

@i-am-logger i-am-logger commented Dec 20, 2025

Add support for the Unix password manager pass (password-store) as requested in #12.

Features

  • Read/write support: Full provider implementation (not read-only)
  • Hierarchical storage: One GPG-encrypted file per secret at secretspec/{project}/{profile}/{key}
  • Consistent with other providers: Follows the same pattern as keyring, OnePassword, and LastPass
  • Migration support: Enables secretspec import dotenv://.env to migrate from plaintext to encrypted storage
  • Project/profile namespacing: Properly uses project and profile parameters for organization

Implementation

  • Storage path: ~/.password-store/secretspec/{project}/{profile}/{key}.gpg
  • Uses pass show secretspec/{project}/{profile}/{key} for reading
  • Uses pass insert -e -f secretspec/{project}/{profile}/{key} for writing
  • Empty PassConfig (no configuration needed, like KeyringConfig)
  • Includes comprehensive tests following existing patterns
  • Documentation matches standard provider format

Usage Example

# Initialize pass (first time)
$ pass init <gpg-key-id>

# Import secrets from .env (uses "default" profile)
$ secretspec import dotenv://.env --provider pass --project myapp

# Secrets stored at:
# ~/.password-store/secretspec/myapp/default/DATABASE_URL.gpg
# ~/.password-store/secretspec/myapp/default/API_KEY.gpg

# Run with encrypted secrets
$ secretspec run --provider pass --project myapp -- npm start

Storage Structure

~/.password-store/
└── secretspec/
    └── {project}/
        └── {profile}/
            ├── SECRET_1.gpg
            ├── SECRET_2.gpg
            └── SECRET_3.gpg

Fixes #12
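The description above fixes the entry layout (`secretspec/{project}/{profile}/{key}`) and the two `pass` invocations (`pass show` for reads, `pass insert -e -f` for writes). The following is an added example, not the secretspec project's own `pass.rs`, showing the shape a provider of that kind takes: it builds the entry name, refuses path components that would move an entry out of its project/profile directory, and shells out to `pass`, feeding the secret on stdin so it never appears in the process argument list. `PassProvider`, `PassError`, `entry_path`, `show_args` and `insert_args` are names assumed for this example; the "is not in the password store" check relies on the wording of pass's current error message.

```rust
// Added example (not the secretspec project's own code). Names such as
// PassProvider, PassError and entry_path are assumptions for this example.
use std::io::Write;
use std::process::{Command, Stdio};

#[derive(Debug, PartialEq)]
pub enum PassError {
    /// A path component was empty, contained '/' or NUL, or was "." / "..",
    /// any of which would place the entry outside secretspec/{project}/{profile}/.
    InvalidComponent(String),
    /// `pass` could not be spawned or exited non-zero for a reason other than a missing entry.
    Command(String),
}

/// Reject components that would change which store directory the entry lands in.
fn check_component(name: &str) -> Result<(), PassError> {
    if name.is_empty() || name == "." || name == ".." || name.contains('/') || name.contains('\0') {
        return Err(PassError::InvalidComponent(name.to_string()));
    }
    Ok(())
}

/// Build the entry name passed to `pass`: secretspec/{project}/{profile}/{key}.
/// pass itself appends ".gpg" and resolves it under ~/.password-store.
pub fn entry_path(project: &str, profile: &str, key: &str) -> Result<String, PassError> {
    for c in [project, profile, key] {
        check_component(c)?;
    }
    Ok(format!("secretspec/{}/{}/{}", project, profile, key))
}

/// argv for reading: `pass show <entry>`
pub fn show_args(project: &str, profile: &str, key: &str) -> Result<Vec<String>, PassError> {
    Ok(vec!["show".to_string(), entry_path(project, profile, key)?])
}

/// argv for writing: `pass insert -e -f <entry>` (-e reads one line from stdin
/// instead of prompting twice, -f overwrites an existing entry without asking).
pub fn insert_args(project: &str, profile: &str, key: &str) -> Result<Vec<String>, PassError> {
    Ok(vec![
        "insert".to_string(),
        "-e".to_string(),
        "-f".to_string(),
        entry_path(project, profile, key)?,
    ])
}

pub struct PassProvider;

impl PassProvider {
    /// Decrypt one secret with `pass show`; the first line of output is the value.
    /// Returns Ok(None) when the entry does not exist yet.
    pub fn get(&self, project: &str, profile: &str, key: &str) -> Result<Option<String>, PassError> {
        let out = Command::new("pass")
            .args(show_args(project, profile, key)?)
            .output()
            .map_err(|e| PassError::Command(e.to_string()))?;
        if !out.status.success() {
            let err = String::from_utf8_lossy(&out.stderr);
            // pass prints "Error: <entry> is not in the password store." for a missing entry.
            if err.contains("is not in the password store") {
                return Ok(None);
            }
            return Err(PassError::Command(err.trim().to_string()));
        }
        let text = String::from_utf8_lossy(&out.stdout);
        Ok(text.lines().next().map(|s| s.to_string()))
    }

    /// Encrypt one secret with `pass insert -e -f`, writing the value to stdin.
    pub fn set(&self, project: &str, profile: &str, key: &str, value: &str) -> Result<(), PassError> {
        let mut child = Command::new("pass")
            .args(insert_args(project, profile, key)?)
            .stdin(Stdio::piped())
            .stdout(Stdio::null())
            .spawn()
            .map_err(|e| PassError::Command(e.to_string()))?;
        if let Some(mut stdin) = child.stdin.take() {
            writeln!(stdin, "{}", value).map_err(|e| PassError::Command(e.to_string()))?;
            // dropping stdin closes the pipe so pass sees end of input
        }
        let status = child.wait().map_err(|e| PassError::Command(e.to_string()))?;
        if status.success() {
            Ok(())
        } else {
            Err(PassError::Command(format!("pass insert exited with {}", status)))
        }
    }
}

fn main() {
    // Constructed sample values; requires an initialised pass store to actually succeed.
    let provider = PassProvider;
    println!("{:?}", show_args("myapp", "default", "DATABASE_URL"));
    println!("{:?}", entry_path("myapp", "default", "../escape"));
    match provider.get("myapp", "default", "DATABASE_URL") {
        Ok(v) => println!("DATABASE_URL = {:?}", v),
        Err(e) => println!("pass failed: {:?}", e),
    }
}
```

The component check is the part worth keeping in mind when an entry name is assembled from user-supplied `--project` and key values: `pass` treats the entry name as a path under `~/.password-store`, so a key such as `../other/KEY` would otherwise read or overwrite a file outside the project's directory.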

Copilot AI review requested due to automatic review settings December 20, 2025 10:05

Copilot AI left a comment


Pull request overview

This PR adds support for the Unix password manager pass (password-store) as a new secret provider. The implementation follows the dotenv provider pattern, storing all secrets in a single GPG-encrypted entry using KEY=value format to minimize GPG decryption operations.

Key changes:

  • Full read/write provider implementation with KEY=value storage format
  • Integration tests and provider registration
  • Documentation for installation and usage

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 10 comments.

File: Description

secretspec/src/provider/pass.rs: New pass provider implementation with read/write operations using pass show and pass insert commands
secretspec/src/provider/mod.rs: Module registration for the pass provider
secretspec/src/provider/tests.rs: Integration tests for pass provider creation, URI parsing, and write capability verification
test-pass.toml: Test configuration file (should be relocated to tests/fixtures/)
docs/src/content/docs/providers/pass.md: User documentation covering installation, configuration, and usage examples


Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.


Add provider for Unix password manager 'pass' with hierarchical storage.

- Stores secrets at: secretspec/{project}/{profile}/{key}
- One pass entry per secret (consistent with keyring/OnePassword/LastPass)
- Uses project and profile parameters for namespacing
- Supports both reading and writing secrets
- Requires pass CLI and GPG configuration
- Default password store: ~/.password-store
- Includes tests and documentation
- Example: pass://

Fixes cachix#12
@i-am-logger
Contributor Author

@domenkozar Made the change. Personally I'm using pass with a YubiKey, which is why I originally wanted a single GPG file for all secrets (one YubiKey touch to decrypt everything vs. touching it for every secret). But I understand the consistency argument with other providers. Let me know if there's a better way to handle the YubiKey touch UX or if we should just keep it as-is for consistency.

@domenkozar domenkozar merged commit 86c849b into cachix:main Dec 22, 2025
7 of 8 checks passed

Development

Successfully merging this pull request may close these issues.

Support pass
