Secrets

qp supports first-class secrets so sensitive values can be referenced in tasks without hardcoding credentials in commands.

Secret Sources

Each secret is declared under top-level secrets with from: env or from: file.

From environment variables

secrets:
  openai_key:
    from: env
    env: OPENAI_API_KEY

From key-value files

secrets:
  db_password:
    from: file
    path: .qp-secrets
    key: DB_PASSWORD

path can be repo-relative or absolute.

.qp-secrets File Format

The file format is simple KEY=value lines:

# local secrets (do not commit)
DB_PASSWORD=super-long-password-value
API_TOKEN=ghp_verylongtokenvalue

Missing file paths are treated as empty value maps, so it is safe for local-only files to be absent in CI.

Using Secrets In Tasks

Secrets are interpolated with {{secret.<name>}} in both command strings and task env values.

tasks:
  migrate:
    desc: Run DB migrations
    cmd: ./scripts/migrate.sh --password "{{secret.db_password}}"
    env:
      DB_PASSWORD: "{{secret.db_password}}"

Run:

qp migrate
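The following is an added reference implementation, not qp's own code, covering both the .qp-secrets file format above and the {{secret.<name>}} interpolation described in this section. It parses KEY=value files (comments and blank lines skipped, a missing file treated as an empty map), resolves from: env and from: file sources, and substitutes secret references into a task's cmd and env. Function names, the regex for the reference syntax, and the choice to resolve a missing value to an empty string are assumptions; the sample task and .qp-secrets contents are taken from this page and written to a temporary directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Added example (hypothetical names; not qp's implementation).
# Matches {{secret.<name>}}; whitespace inside the braces is tolerated.
SECRET_REF = re.compile(r"\{\{\s*secret\.([A-Za-z0-9_]+)\s*\}\}")


def parse_kv_file(path):
    """Parse simple KEY=value lines. '#' lines and blank lines are ignored.
    A missing file yields an empty map, matching the documented behaviour
    for local-only files that are absent in CI."""
    p = Path(path)
    if not p.exists():
        return {}
    values = {}
    for raw in p.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line in {path}: {raw!r}")
        key, value = line.split("=", 1)  # value keeps any later '=' verbatim
        values[key.strip()] = value.strip()
    return values


def resolve_secrets(secrets_cfg, environ, repo_root="."):
    """Turn the `secrets:` mapping into {name: value}.
    Assumption: a declared key that has no value resolves to "" (the page
    documents missing files as empty maps but not missing keys)."""
    resolved = {}
    for name, spec in secrets_cfg.items():
        source = spec["from"]
        if source == "env":
            resolved[name] = environ.get(spec["env"], "")
        elif source == "file":
            path = Path(spec["path"])
            if not path.is_absolute():          # repo-relative path
                path = Path(repo_root) / path
            resolved[name] = parse_kv_file(path).get(spec["key"], "")
        else:
            raise ValueError(f"unknown secret source {source!r}")
    return resolved


def interpolate(text, secrets):
    """Replace every {{secret.<name>}} in `text`; undeclared names fail loudly
    rather than silently passing the literal placeholder to a shell."""
    def sub(match):
        name = match.group(1)
        if name not in secrets:
            raise KeyError(f"undeclared secret {name!r}")
        return secrets[name]
    return SECRET_REF.sub(sub, text)


def render_task(task, secrets):
    """Interpolate both the command string and the task env values."""
    cmd = interpolate(task["cmd"], secrets)
    env = {k: interpolate(v, secrets) for k, v in task.get("env", {}).items()}
    return cmd, env


def demo():
    """Constructed sample: the migrate task from this page, with its secret
    read from a .qp-secrets file in a temporary repo root."""
    with tempfile.TemporaryDirectory() as repo:
        Path(repo, ".qp-secrets").write_text(
            "# local secrets (do not commit)\n"
            "DB_PASSWORD=super-long-password-value\n",
            encoding="utf-8",
        )
        secrets_cfg = {
            "db_password": {"from": "file", "path": ".qp-secrets", "key": "DB_PASSWORD"},
        }
        task = {
            "cmd": './scripts/migrate.sh --password "{{secret.db_password}}"',
            "env": {"DB_PASSWORD": "{{secret.db_password}}"},
        }
        secrets = resolve_secrets(secrets_cfg, os.environ, repo_root=repo)
        return render_task(task, secrets)


if __name__ == "__main__":
    print(demo())
```

Note that the rendered cmd now carries the secret in plain text, which is exactly why the redaction behaviour described below matters and why the Security Notes prefer passing secrets through env rather than echoing full commands.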

Redaction Behavior

qp redacts secret values from:

  • streamed stdout/stderr
  • event stream output (--events)
  • stored task result output (including cached result payloads)

Important detail: redaction is applied only to non-empty secrets of length >= 8 characters to reduce accidental over-redaction of common short substrings.
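The following is an added example of that redaction rule, not qp's own code. It builds one pattern from all secret values that are non-empty and at least 8 characters long, matching longer values first so that a secret which is a prefix of another cannot leave a tail unredacted, and runs it over constructed sample output lines. The mask string, function names and sample lines are assumptions; qp's actual replacement marker is not documented on this page.

```python
import re

# Added example (hypothetical names; not qp's implementation).
MIN_REDACT_LEN = 8          # documented threshold: secrets shorter than this are left alone
MASK = "[REDACTED]"         # placeholder marker; qp's real marker is not stated on the page


def build_redactor(secrets):
    """Return a function that masks every eligible secret value in a string.
    Eligibility follows the page: non-empty and len >= 8. Values are sorted
    longest-first so overlapping secrets are handled deterministically."""
    eligible = sorted(
        {v for v in secrets.values() if v and len(v) >= MIN_REDACT_LEN},
        key=len,
        reverse=True,
    )
    if not eligible:
        return lambda s: s
    pattern = re.compile("|".join(re.escape(v) for v in eligible))
    return lambda s: pattern.sub(MASK, s)


def redact_lines(lines, secrets):
    """Apply the redactor to a sequence of output lines (stdout, stderr,
    event stream or stored result payloads all go through the same filter)."""
    redact = build_redactor(secrets)
    return [redact(line) for line in lines]


# Constructed sample: one long secret, one exactly at the threshold,
# one too short to be redacted, and one empty.
SAMPLE_SECRETS = {
    "db_password": "super-long-password-value",
    "edge": "12345678",
    "short": "abc",
    "unset": "",
}
SAMPLE_OUTPUT = [
    "migrate: connecting with password super-long-password-value",
    "token 12345678 accepted",
    "abc route registered",   # 'abc' is a secret but too short: left as-is
]


def demo():
    return redact_lines(SAMPLE_OUTPUT, SAMPLE_SECRETS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third sample line shows the trade-off the page describes: a 3-character secret would also match inside ordinary words, so the filter deliberately does not protect it. That is the reason the Security Notes recommend long, high-entropy values.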

Security Notes

  1. Keep secret files out of git (.gitignore).
  2. Prefer from: env in CI systems.
  3. Prefer long, high-entropy secret values to maximize safe redaction.
  4. Avoid echoing full credential-bearing commands in scripts.

Worked Example: Local + CI

secrets:
  npm_token:
    from: env
    env: NPM_TOKEN
  docker_pass:
    from: file
    path: .qp-secrets
    key: DOCKER_PASS

tasks:
  publish-npm:
    desc: Publish package
    cmd: npm publish
    env:
      NODE_AUTH_TOKEN: "{{secret.npm_token}}"
    safety: external

  publish-image:
    desc: Push docker image
    cmd: echo "{{secret.docker_pass}}" | docker login -u "$DOCKER_USER" --password-stdin
    safety: external

Local run:

qp publish-image --allow-unsafe

CI run:

NPM_TOKEN="$NPM_TOKEN" qp publish-npm --allow-unsafe

Failure Modes To Expect

  • from: env without an env: key: config load error.
  • from: file without path or key: config load error.
  • unknown from value: config load error.

In other words, source configuration is validated early, not at command runtime.
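The following is an added example, not qp's own code, of the load-time validation this section describes: every declared secret source is checked before any task runs, and all three documented failure modes are reported as config load errors. The error class, function names and message wording are assumptions; which conditions count as errors comes from the list above.

```python
# Added example (hypothetical names; not qp's implementation).

class ConfigError(ValueError):
    """Raised while the config is loaded, before any command is executed."""


VALID_SOURCES = ("env", "file")
REQUIRED_KEYS = {"env": ("env",), "file": ("path", "key")}


def secret_source_errors(secrets_cfg):
    """Return every problem found in the `secrets:` mapping.
    Collecting instead of stopping at the first error lets one load
    report all misconfigured sources at once."""
    errors = []
    for name, spec in (secrets_cfg or {}).items():
        if not isinstance(spec, dict) or "from" not in spec:
            errors.append(f"secret {name!r}: missing 'from'")
            continue
        source = spec["from"]
        if source not in VALID_SOURCES:
            errors.append(f"secret {name!r}: unknown from value {source!r}")
            continue
        for key in REQUIRED_KEYS[source]:
            if not spec.get(key):
                errors.append(f"secret {name!r}: from: {source} requires {key!r}")
    return errors


def validate_secret_sources(secrets_cfg):
    """Fail fast at load time; returns True only when there is nothing to report."""
    errors = secret_source_errors(secrets_cfg)
    if errors:
        raise ConfigError("; ".join(errors))
    return True


# Constructed samples: one valid config and the three documented failure modes.
VALID = {
    "openai_key": {"from": "env", "env": "OPENAI_API_KEY"},
    "db_password": {"from": "file", "path": ".qp-secrets", "key": "DB_PASSWORD"},
}
ENV_WITHOUT_KEY = {"openai_key": {"from": "env"}}
FILE_WITHOUT_PATH_OR_KEY = {"db_password": {"from": "file"}}
UNKNOWN_SOURCE = {"vault_token": {"from": "vault", "path": "secret/token"}}


if __name__ == "__main__":
    for label, cfg in [("valid", VALID), ("env", ENV_WITHOUT_KEY),
                       ("file", FILE_WITHOUT_PATH_OR_KEY), ("unknown", UNKNOWN_SOURCE)]:
        print(label, secret_source_errors(cfg) or "ok")
```

Running validation over the whole secrets mapping, rather than only over the secrets a given task references, is what makes the failure surface at load time instead of partway through a run.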

Next Step

To speed up repeat runs once tasks are stable, continue to Task Caching.