Examples

info

All command names are just examples, you will most likely have your own variant.

Local Development

🍪 JavaScript (Vue, React, Angular, etc.)

Practically any web project contains package.json with scripts where various commands are described for building, running, and debugging locally. It looks something like this:

...
  "scripts": {
    "serve": "vite",
...

1. Navigate to the project directory cd ~/path/to/your/project.
2. Set up the configuration for the project tuna secrets setup.
3. Edit package.json and add the tuna secrets run wrapper, it should look something like this:

...
  "scripts": {
    "serve": "tuna secrets run --watch -- vite",
...

4. Run the application as usual yarn serve or npm run serve

---

🐹 Go (Golang)

Go projects are usually run through go run or make:

1. Navigate to the project directory cd ~/path/to/your/project.
2. Run tuna secrets setup.
3. Run the application with the wrapper:

tuna secrets run --watch -- go run ./cmd/server

Example Makefile:

.DEFAULT_GOAL := run
.PHONY: run
run: ### Run
    @tuna secrets run --watch -- go run ./cmd/server

🦀 Rust (Rocket, Actix, etc.)

Rust projects most often use cargo:

1. Navigate to the project directory cd ~/path/to/your/project.
2. Run tuna secrets setup.
3. Run the application with the wrapper:

tuna secrets run --watch -- cargo run

Example Makefile:

.DEFAULT_GOAL := run
.PHONY: run
run: ### Run
    @tuna secrets run --watch -- cargo run

---

🥠 Node.js server project (Express, Fastify, etc.)

Node.js backend also usually uses package.json, for example:

...
  "scripts": {
    "dev": "node server.js",
...

1. Navigate to the project directory cd ~/path/to/your/project.
2. Set up the configuration for the project tuna secrets setup.
3. Edit package.json, adding the wrapper:

...
  "scripts": {
    "dev": "tuna secrets run --watch -- node server.js",
...

4. Run the application yarn dev or npm run dev.

---

🐍 Python (Flask, Django, etc.)

Python projects are often run through python, manage.py, or Makefile.

1. Navigate to the project directory cd ~/path/to/your/project.
2. Set up the configuration for the project by adding the wrapper tuna secrets setup.
3. Wrap the run command:

tuna secrets run --watch -- python app.py

If you have Django:

tuna secrets run --watch -- python manage.py runserver

If you have a Makefile:

.DEFAULT_GOAL := run
.PHONY: run
run: ### Run
    @tuna secrets run --watch -- python manage.py runserver

4. Run the application with this command.

---

🐘 PHP (Laravel, Symfony, etc.)

Usually the built-in PHP web server is used:

php -S localhost:8000 -t public

1. Navigate to the project directory cd ~/path/to/your/project.
2. Set up the configuration for the project tuna secrets setup.
3. Run the server through the tuna secrets run wrapper:

tuna secrets run --watch -- php -S localhost:8000 -t public

If you have Laravel:

tuna secrets run --watch -- php artisan serve

Example Makefile:

.DEFAULT_GOAL := run
.PHONY: run
run: ### Run
    @tuna secrets run --watch -- php artisan serve

---

☕ Java/Kotlin (Spring Boot, Micronaut, etc.)

Such projects often use Gradle or Maven:

1. Navigate to the project directory cd ~/path/to/your/project.
2. Set up the configuration for the project tuna secrets setup.
3. Wrap the run command:

For Gradle:

tuna secrets run --watch -- ./gradlew bootRun

For Maven:

tuna secrets run --watch -- mvn spring-boot:run

Example Makefile:

.DEFAULT_GOAL := run
.PHONY: run
run: ### Run
    @tuna secrets run --watch -- mvn spring-boot:run

4. Run the application as usual.

---

🪟 C#/.NET (ASP.NET Core, etc.)

.NET projects are run through dotnet run:

1. Navigate to the project directory cd ~/path/to/your/project.
2. Run tuna secrets setup.
3. Run the application with the wrapper:

tuna secrets run --watch -- dotnet run

Example Makefile (on Linux/macOS):

.DEFAULT_GOAL := run
.PHONY: run
run: ### Run
    @tuna secrets run --watch -- dotnet run

---

CI/CD

🦊 Gitlab CI

Create service keys for the required configurations and save the key in Gitlab ci variables. Suppose you have a project myproj with an environment prod, create a service key and save it to the variable TUNA_API_KEY_MYPROJ_PROD in Gitlab variables. Below is an example of how it might look in a Job:

Environment variables

production:
  extends: [.base]
  environment:
    name: prod
  variables:
    TUNA_API_KEY: $TUNA_API_KEY_MYPROJ_PROD
    TUNA_SECRETS_PROJECT: $CI_PROJECT_NAME
    TUNA_SECRETS_CONFIG: $CI_ENVIRONMENT_NAME
    TUNA_SECRETS_FORMAT: env
    TUNA_SECRETS_NO_FILE: true
  before_script:
    - source <(tuna secrets download)
  script:
    - goreleaser release

Flags

production:
  extends: [.base]
  environment:
    name: prod
  before_script:
    - source <(tuna --api-key=${TUNA_API_KEY_MYPROJ_PROD} secrets download --project=${CI_PROJECT_NAME} --config=${CI_ENVIRONMENT_NAME} --format=env --no-file)
  script:
    - goreleaser release

Note that project and config we get directly from the environment, this is possible if the project name in Gitlab and Tuna Secrets match, and also environment.name in Gitlab Job corresponds to the configuration alias.

---

🐙 GitHub Actions

Create service keys for the required configurations and save the key in GitHub Secrets. Suppose you have a project myproj with an environment prod, create a service key and save it to the variable TUNA_API_KEY_MYPROJ_PROD in GitHub Secrets. Below is an example of how it might look in a Job:

Environment variables

name: Release

on:
  push:
    tags:
      - "v*"

jobs:
  production:
    runs-on: ubuntu-latest
    env:
      TUNA_API_KEY: ${{ secrets.TUNA_API_KEY_MYPROJ_PROD }}
      TUNA_SECRETS_PROJECT: ${{ github.event.repository.name }}
      TUNA_SECRETS_CONFIG: prod
      TUNA_SECRETS_FORMAT: env
      TUNA_SECRETS_NO_FILE: true
    steps:
      - uses: actions/checkout@v4
      - run: |
          source <(tuna secrets download)
          goreleaser release

Flags

name: Release

on:
  push:
    tags:
      - "v*"

jobs:
  production:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          source <(tuna --api-key=${{ secrets.TUNA_API_KEY_MYPROJ_PROD }} secrets download --project=${{ github.event.repository.name }} --config=prod --format=env --no-file)
          goreleaser release

Note that project = github.event.repository.name we get directly from the environment, this is possible if the project name in GitHub and Tuna Secrets match, config is set explicitly.

---

🧵 Bitbucket Pipelines

Create service keys for the required configurations and save the key in Bitbucket Pipelines variables. Suppose you have a project myproj with an environment prod, create a service key and save it to the variable TUNA_API_KEY_MYPROJ_PROD in Bitbucket Pipelines variables. Below is an example of how it might look in a Job:

Environment variables

pipelines:
  tags:
    "v*":
      - step:
          name: Production Build
          deployment: prod
          script:
            - export TUNA_API_KEY=$TUNA_API_KEY_MYPROJ_PROD
            - export TUNA_SECRETS_PROJECT=$BITBUCKET_REPO_SLUG
            - export TUNA_SECRETS_CONFIG=prod
            - export TUNA_SECRETS_FORMAT=env
            - export TUNA_SECRETS_NO_FILE=true
            - source <(tuna secrets download)
            - goreleaser release

Flags

pipelines:
  tags:
    "v*":
      - step:
          name: Release
          deployment: prod
          script:
            - source <(tuna --api-key=$TUNA_API_KEY_MYPROJ_PROD secrets download --project=$BITBUCKET_REPO_SLUG --config=prod) --format=env --no-file)
            - goreleaser release

Note that project = $BITBUCKET_REPO_SLUG we get directly from the environment, this is possible if the project name in BITBUCKET_REPO_SLUG and Tuna Secrets match, config is set explicitly.