How to conciliate secrets and ci workflow? #4555
thomasnemer
asked this question in
Troubleshooting and bug reports
Hi 👋
Recently I was playing with mise secrets and with the experimental generate github-action. I find both features very useful, and each one taken apart is very easy and straightforward to use.
However, I didn't find any way to conciliate both: as soon as I am using secrets locally, my workflows can't run anymore because the secrets can't be deciphered (which is expected, since the private key is present on my workstation only).
This leads me to a first generic question: I assume it is ok to commit and push sops-ciphered files to my repo, provided we have a way to securely share the private key within the team; this allows easy management of secrets without requiring more complex secret management infrastructure. Am I right to consider this ok? (We're talking about a bunch of API keys here, not very sensitive stuff, but still they're secrets.)
Using mise tasks within my workflows is really great; it allows me to easily have a single implementation for my commit hooks (e.g. formatters and linters), my local tasks (e.g. unit tests), and my CI, which will run formatters, linters and tests.
I use secrets locally only to run my dev server; this is a task that isn't used within my CI, so I don't need secrets in my CI, and I was looking for a way to not use mise secrets when running the workflows. I couldn't find any doc or examples regarding this. Is this possible at all right now?
To go a little further, let's assume I would need secrets in my CI. I would expect those values to be present within GitHub's secret vault and provided as env vars in my workflows, not provided by the sops file present in my repo; that would mean the env vars would be populated before mise sets those environment variables. Is there a way to prevent mise from trying to populate the envs that are already set?
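One way to keep the sops-encrypted env file out of the CI run while still sharing tasks between local and CI, as an added illustration that is not part of the question above or of mise's own documentation. It assumes, from the mise docs as I recall them, that mise's `_.file` env directive decrypts a sops-encrypted file using an age key taken from `MISE_SOPS_AGE_KEY` or a `SOPS_AGE_KEY_FILE`, and that `mise.local.toml` is loaded next to `mise.toml` and is intended to be gitignored; the file names, task names and the `dev`/`test` commands are placeholders.

```toml
# mise.toml (committed, shared by workstation and CI)
# Tasks only: nothing here references the encrypted secrets, so CI can run
# every task below without ever needing the private key.
[tasks.lint]
run = "ruff check ."          # placeholder command

[tasks.test]
run = "pytest -q"             # placeholder command

[tasks.dev]
# Needs the API keys, but is only ever run on a workstation.
run = "python -m app.server"  # placeholder command

# mise.local.toml (NOT committed; listed in .gitignore)
# Wiring the sops file in here means mise only tries to decrypt it on machines
# that hold a copy of this file, i.e. team workstations with the age key.
# Assumption: mise decrypts `_.file` targets with the key from
# MISE_SOPS_AGE_KEY or SOPS_AGE_KEY_FILE.
[env]
_.file = ".env.sops.json"     # placeholder name for the sops-encrypted env file
```

With this split the committed `.env.sops.json` is still safe to push (it is ciphertext), CI never attempts to decrypt it because no `mise.local.toml` exists in the checkout, and if a workflow does need one of the values it can be injected from the repository's GitHub secrets as a plain `env:` entry on the job, leaving the private age key on workstations only. Whether mise leaves an already-set variable untouched when the same name also appears in `_.file` is exactly the precedence question the post asks, and this example does not settle it.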