Commit 19a73f253c15

Vincent Demeester <vincent@sbr.pm>
2026-03-10 23:21:43
feat(scripts): migrate to pass-run for secret injection
Replaced inline passage show calls with pass-run in pir, cr, crf, crl, ge, and oco. All config values including GCP project and location are now resolved from passage at runtime. Added pass-run v0.1.0 as a flake input.
1 parent 7ea5116
pkgs/my/scripts/bin/cr
@@ -4,7 +4,8 @@
 # This is a script version of the 'cr' alias for use with shpool and other tools
 
 export CLAUDE_CODE_USE_VERTEX=1
-export CLOUD_ML_REGION=us-east5
-export ANTHROPIC_VERTEX_PROJECT_ID=itpc-gcp-pnd-pe-eng-claude
 
-exec claude "$@"
+exec pass-run -q \
+  -e CLOUD_ML_REGION=redhat/google/osp/location \
+  -e ANTHROPIC_VERTEX_PROJECT_ID=redhat/google/osp/project \
+  -- claude "$@"
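Review bot: The new `exec pass-run -q ...` line makes the launcher's failure mode depend entirely on how pass-run treats a passage entry it cannot read, and nothing in the script documents or checks that. If pass-run continued with a variable unset, claude would start with `CLAUDE_CODE_USE_VERTEX=1` but no region or project, and `-q` presumably suppresses the output that would explain why, so it is worth confirming that pass-run exits non-zero before running the command. I would add a header comment such as `# Requires pass-run on PATH and passage entries redhat/google/osp/{location,project}; a failed lookup must abort the launch`. Whether the vde-scripts derivation puts pass-run on the scripts' PATH is not visible in this commit. The same applies to the crf, crl, ge, oco and pir hunks.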
pkgs/my/scripts/bin/crf
@@ -3,7 +3,8 @@
 # Usage: crf [args...]
 
 export CLAUDE_CODE_USE_VERTEX=1
-export CLOUD_ML_REGION=us-east5
-export ANTHROPIC_VERTEX_PROJECT_ID=itpc-gcp-pnd-pe-eng-claude
 
-exec claude --model claude-opus-4-5 "$@"
+exec pass-run -q \
+  -e CLOUD_ML_REGION=redhat/google/osp/location \
+  -e ANTHROPIC_VERTEX_PROJECT_ID=redhat/google/osp/project \
+  -- claude --model claude-opus-4-5 "$@"
pkgs/my/scripts/bin/crl
@@ -3,7 +3,8 @@
 # Usage: crl [args...]
 
 export CLAUDE_CODE_USE_VERTEX=1
-export CLOUD_ML_REGION=us-east5
-export ANTHROPIC_VERTEX_PROJECT_ID=itpc-gcp-pnd-pe-eng-claude
 
-exec claude --model claude-haiku-4-5 "$@"
+exec pass-run -q \
+  -e CLOUD_ML_REGION=redhat/google/osp/location \
+  -e ANTHROPIC_VERTEX_PROJECT_ID=redhat/google/osp/project \
+  -- claude --model claude-haiku-4-5 "$@"
pkgs/my/scripts/bin/ge
@@ -2,7 +2,6 @@
 # Gemini with API key from passage
 # Usage: ge [args...]
 
-GEMINI_API_KEY=$(passage show redhat/google/osp/vdeemest-api-key)
-export GEMINI_API_KEY
-
-exec gemini "$@"
+exec pass-run -q \
+  -e GEMINI_API_KEY=redhat/google/osp/vdeemest-api-key \
+  -- gemini "$@"
pkgs/my/scripts/bin/oco
@@ -2,7 +2,7 @@
 # OpenCode with Vertex AI environment
 # Usage: oco [args...]
 
-export GOOGLE_CLOUD_PROJECT=itpc-gcp-core-pe-eng-claude
-export VERTEX_LOCATION=global
-
-exec opencode "$@"
+exec pass-run -q \
+  -e GOOGLE_CLOUD_PROJECT=redhat/google/osp/core-project \
+  -e VERTEX_LOCATION=redhat/google/osp/core-location \
+  -- opencode "$@"
pkgs/my/scripts/bin/pir
@@ -3,11 +3,9 @@
 # Usage: pir [args...]
 # Uses google-vertex-claude provider with claude-sonnet-4-6
 
-export GOOGLE_CLOUD_PROJECT=itpc-gcp-pnd-pe-eng-claude
-export GOOGLE_CLOUD_LOCATION=us-east5
-GEMINI_API_KEY=$(passage show redhat/google/osp/vdeemest-api-key)
-export GEMINI_API_KEY
-SYNTHETIC_API_KEY=$(passage show ai/synthetic.new/api_key)
-export SYNTHETIC_API_KEY
-
-exec pi --provider google-vertex-claude --model claude-sonnet-4-6 "$@"
+exec pass-run -q \
+  -e GOOGLE_CLOUD_PROJECT=redhat/google/osp/project \
+  -e GOOGLE_CLOUD_LOCATION=redhat/google/osp/location \
+  -e GEMINI_API_KEY=redhat/google/osp/vdeemest-api-key \
+  -e SYNTHETIC_API_KEY=ai/synthetic.new/api_key \
+  -- pi --provider google-vertex-claude --model claude-sonnet-4-6 "$@"
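Review bot: `GEMINI_API_KEY` and `SYNTHETIC_API_KEY` are injected into a `pi` process started with `--provider google-vertex-claude`, so both keys sit in the environment of the agent and of every subprocess it spawns, although as far as this hunk shows the selected provider does not use them. If they are only needed when switching provider inside pi, consider dropping the two `-e` lines here and using a separate launcher per provider. Otherwise add a comment saying why they are required, e.g. `# GEMINI/SYNTHETIC keys kept for in-session provider switching`. The ge hunk has the same inheritance property for `GEMINI_API_KEY`, though there the key is the one gemini itself needs.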
pkgs/my/scripts/default.nix
@@ -5,7 +5,7 @@
 
 stdenv.mkDerivation {
   pname = "vde-scripts";
-  version = "0.11";
+  version = "0.12";
 
   src = ./.;
 
systems/default.nix
@@ -45,6 +45,7 @@
       (_: prev: {
         inherit (inputs.buildkit-tekton.packages.${prev.stdenv.hostPlatform.system}) tkn-local;
         inherit (inputs.dagger.packages.${prev.stdenv.hostPlatform.system}) dagger;
+        inherit (inputs.pass-run.packages.${prev.stdenv.hostPlatform.system}) pass-run;
       })
     ];
     config = {
flake.lock
@@ -884,6 +884,27 @@
         "type": "github"
       }
     },
+    "pass-run": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1773177907,
+        "narHash": "sha256-Q5pheGp24wPYNHNVlUlXcFTRPxuQo823Oi/IUNDX4tU=",
+        "owner": "vdemeester",
+        "repo": "pass-run",
+        "rev": "109d1f61c6b4451071a237a043dc0860649f9f10",
+        "type": "github"
+      },
+      "original": {
+        "owner": "vdemeester",
+        "ref": "v0.1.0",
+        "repo": "pass-run",
+        "type": "github"
+      }
+    },
     "pre-commit": {
       "inputs": {
         "flake-compat": "flake-compat_2",
@@ -1009,6 +1030,7 @@
         "nixpkgs-25_11": "nixpkgs-25_11",
         "nixpkgs-master": "nixpkgs-master",
         "nixpkgs-wip-consolidated": "nixpkgs-wip-consolidated",
+        "pass-run": "pass-run",
         "pre-commit-hooks": "pre-commit-hooks",
         "radian": "radian",
         "system-manager": "system-manager",
flake.nix
@@ -305,6 +305,10 @@
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.flake-parts.follows = "flake-parts";
     };
+    pass-run = {
+      url = "github:vdemeester/pass-run/v0.1.0";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     radian = {
       url = "github:vdemeester/radian";
       inputs.nixpkgs.follows = "nixpkgs";
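Review bot: `url = "github:vdemeester/pass-run/v0.1.0";` pins the new input to a tag, which is a movable ref. flake.lock fixes the rev and narHash for now, but a later `nix flake update` would follow wherever the tag then points. Because this binary reads every secret the launchers use, I would pin the commit directly, `url = "github:vdemeester/pass-run/109d1f61c6b4451071a237a043dc0860649f9f10"; # v0.1.0`, and review the upstream diff on each bump. The `inputs` attribute set continues outside the hunk.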