ci: replace 1Password with protectjs for CI secrets

Migrate CI secrets management from 1Password CLI to @cipherstash/protect
(protectjs) using ZeroKMS for encryption/decryption.

Changes:
- Add scripts/ directory with TypeScript encrypt/decrypt tooling
- Replace 1Password template with encrypted secrets file
- Update all workflow files to use protectjs decryption
- Add node_modules to .gitignore

The new approach uses CS_VAULT_CLIENT_KEY and CS_VAULT_CLIENT_ACCESS_KEY
GitHub secrets for authentication with ZeroKMS.

Author: tobyhede

.github/secrets.env.encrypted

@@ -0,0 +1,170 @@
+{
+  "CS_CLIENT_ACCESS_KEY": {
+    "k": "ct",
+    "c": "mBbLSVoU8`Do{H^4JdEH-DQ=;S0?!jXuj1GO<~nS77f6pGpQlROf9T!OWofsjl^#8A)M`97s6*4d0;YqiP5Q}aMyTySjc4-4673@C8B(NM?d)d7XuPf8JI)0vuk!)IKt`S^%ik$#2^`^r9+Nxb_`1Qo*(n?oS^3v|KZyn5qEtOAqksWikYQ$VQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_CLIENT_ID": {
+    "k": "ct",
+    "c": "mBbLxa?ahrJW29+2tZu4UG$>FHmFEjiG510=YV<ZH5o@@I-JnG?;wSK_~l8m@bq$!_4U}2rXu}Z05wRbS!{&Gs!g$9G<a>qATlXu#AZ-+z)vGg7>@rO#&?Nyn#PyM+c#ggbfg(pF{O54Y;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_CLIENT_KEY": {
+    "k": "ct",
+    "c": "mBbL8G4ax6h3T~Q?tDDf%8k~=0b-Ynl7J`f9<S}gEPQu%m@y2iRJq;o5C?v^cDKPsmHvE-(a9!FZ~HhScEwSUAYfYYu#;C|HfSra)}92@p#YZn*?2G}?R>4zJ0Z;L9{dMuI!X+A>=g&*voOs>;NFtYQ<31*#vAI^rYUd<p%(8aTLpW{wSJ0(yKO?p=$E-M_Job5{!X%iEcGZ}V@DO5y0YD;z(S2n1~SCN!mjvRwhTDCSsziHK-_LwTrwEK<ae%M<IdA?(of}{=<khZN^KqCIXX#eK?mkKF;+wlW_MjPGZ6*YZ%578;C8skTj^6#m10Om(Q+M^>(y>*0hkz{!b}eF^i`h<I#$<<Iv6p^j>bwxLEL_MYql(SEdej(3Y6`O$)10zct`!1(oaD2`A94cnf+8)Z+7SNee62O1DW2PGR<(>^3lWbgXMzq6XlbvZrg@l=cyD~(CNWUo((hawMLjb>x=PE#2{IEcyVS|$jr{D@^!2|R>_;<Vq|m<0N&4oQ%xWy=qIIiVQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_WORKSPACE_CRN": {
+    "k": "ct",
+    "c": "mBbM11wMFh#K#zPwdM~;ju3FfG{A%7YOibQop2IN#?B!h8eK84igixM;ReqD(co=^a(~lA7uWP8T@&Gd64qf-Bn>wluEZeSgL3m3dI-49kfKlVJ2oJ>=6Nj?K<Z&m#1E1h5jT~kc42IFWyBCPT>Z~>Z$R|4I8P{6Im?F",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_DEFAULT_KEYSET_ID": {
+    "k": "ct",
+    "c": "mBbJss<&W}*cPMX<|8MC6Jz1THhfz?pMTD^N5K+iXDom=eL~KfZiZvZ?BX~^Cf)U7IxtS494>ot;NV9~V5`T>A085uF9AWsAR|;F|L`fBbduc_c0%;e8FE}^9C+I-6&+JSH%G}TPNjBXY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_TENANT_KEYSET_ID_1": {
+    "k": "ct",
+    "c": "mBbLxyC6xC+{EW;;5A`|u`KPxHUzKScK`B&^Jy}8?+{AvGOt<>3Ysz%{Twa+L!gXjsy63HTwS%&1712T=;=KzS_v)L5cf62AYUC~xJMlYv<xX{ZN^r0<9;QYPkWMvl=QLTzHfEYTcvhkY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_TENANT_KEYSET_ID_2": {
+    "k": "ct",
+    "c": "mBbMJ`*UJyfuK2WYIx}JeqCO~Ha*-O?bCvj0H4BWR!I{IP+g&84Z`0c?^?NS3pgN;u~y8WK){H*3!ky3h!n?FzrMcGlAh+oAZuER+rp|(n*Dxg^gF{wpz@sto!>QMQm6+&?wJE6GNpE5Y;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_TENANT_KEYSET_ID_3": {
+    "k": "ct",
+    "c": "mBbLNuQ68uYA@n#p0N1{dBu*zHdE`M%fbp1-_?W4`AEXO*zc-@=O9><vX;ge`1kF3_H-1Sa}nxWT?6ss2+SoEJs(zXt|KhOAn&FMfI7lmP}}X|TUDIMCU<N$U+mgk1RTf2auY!*P^ETZY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_TENANT_KEYSET_NAME_1": {
+    "k": "ct",
+    "c": "mBbJ+K&~zqj~hA_s_brbV0D|s7Xp~0205UCF^xN;Ns7e=m`RWayps}t#2`?P9j09-zvbqOuavY5bnQx4PA1>4T;p_tY()ytR_vvAVQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_TENANT_KEYSET_NAME_2": {
+    "k": "ct",
+    "c": "mBbL}WAbeTps@Mb2F2-O!$sZ17t=Cd3lu>!8?)(EBu0T<4=Esv8cRfl#2{-@)J9now;&lMqA$iiHUU)}y)=fkK>Ciy^P!vSvNxr6VQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_TENANT_KEYSET_NAME_3": {
+    "k": "ct",
+    "c": "mBbJwjyTKdTw8=TdyJ9#EDfl{7w{Kl<PpWPX_UW3j&Sc3RyQMFYJuSr#2`E~L?Tk=XN`She%njse&wgIpn7u#m7^<}|C5dP9GazeVQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "DOCKER_HUB_USERNAME": {
+    "k": "ct",
+    "c": "mBbJx*gnX#oukxKVee&yAkZtsA>GGfJHd6wn21L&_@lHCm207NnPl&O{i{{7b!RG7K=s5RjVeiDiAPtDArSLa5ZE?t)<`)rh0?Hop1JJl`6(R?rFLO#b!Eg5G+h19c5guRv^Y;FRyoUu",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "DOCKER_HUB_PASSWORD": {
+    "k": "ct",
+    "c": "mBbK*YbGjRbIEUJ;<LEUwmIp<I@ePaks(deqq%0Sf>l7IpaEQl3416=!<r_6Z}W;m#f;jB7XqPHYk|0|nB5PK(~V~iyGbRG>tEKyAXSugKRW6Htia|<mUj7BLgi3V^LwHGp_oxI<S7T2IHh)BY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "MULTITUDES_ACCESS_TOKEN": {
+    "k": "ct",
+    "c": "mBbKHz&;-To())kJ?nL;PvuU<0e1LJPzQ$#7Ug-%n=uXD(aTAjP4{L_z#E(X;IhH9Q<Bom)9my&>C4Ym4b`KXe?Y)HqcJ>qx1<#@>U9Bta5E7qM~<xtb!3l$k1C(t$D>Hl4%fG<K?-2U_Jw9o2%6$)PEVsU<^1wCiFODx+jX@$#C3C4W$=2_=PGn==#0x>FNuIo^b_ng2^0#=te%aZNxV53-uVKMgDk<O@Q0j5RLnV*ZHG2}Vy{!aj+==H2MEOhPZv8PR`5-H4)`5uo^HS}LP&x{;?<hs1|7}(Ew*BE1s1H$j75|yFSp1kSfZN^RcCw+3%b1za}1iUBV?ew8UC1a+kTr&?HXitn?U1fTa+AdGdQ}BZsEww@dQRV?;SKnQn+#iAJ-4Oqku_z<i|Q1DvMV3yxY2#tM4=I7r|fl(z4naE24M&32=z*<^2;%GI86I9zO|*v>;~FQGNZ(=~w=mWqVKzEI57qi`6Q)&Rdk68I(64_I^sI#30&bs!?e8=@s6hiH|SuM<^&qZPXfHPmcrvuaUD*Be11*VQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  }
+}

.github/secrets.env.tpl

@@ -25,13 +25,21 @@ jobs:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-test
 
-      - name: Load secrets
-        uses: 1password/load-secrets-action@v3
+      - uses: actions/setup-node@v4
         with:
-          export-env: true
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: scripts/package-lock.json
+
+      - name: Install decrypt dependencies
+        working-directory: scripts
+        run: npm ci
+
+      - name: Decrypt secrets
         env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          OP_ENV_FILE: .github/secrets.env.tpl
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+        run: cd scripts && npm run decrypt
 
       - run: |
           mise run postgres:up --extra-args "--detach --wait"
@@ -63,10 +71,4 @@ jobs:
           comment-on-alert: true
           summary-always: true
           auto-push: true
-          benchmark-data-dir-path: docs
-
-      - uses: ./.github/actions/send-slack-notification
-        with:
-          channel: engineering
-          webhook_url: ${{ env.SLACK_NOTIFICATION_WEBHOOK_URL }}
-
+          benchmark-data-dir-path: docs

.github/workflows/benchmark.yml

@@ -82,13 +82,21 @@ jobs:
 
       - uses: actions/checkout@v4
 
-      - name: Load secrets
-        uses: 1password/load-secrets-action@v3
+      - uses: actions/setup-node@v4
         with:
-          export-env: true
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: scripts/package-lock.json
+
+      - name: Install decrypt dependencies
+        working-directory: scripts
+        run: npm ci
+
+      - name: Decrypt secrets
         env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          OP_ENV_FILE: .github/secrets.env.tpl
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+        run: cd scripts && npm run decrypt
 
       - uses: jdx/mise-action@v2
         with:

.github/workflows/release-aws-marketplace.yml

@@ -23,13 +23,21 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Load secrets
-        uses: 1password/load-secrets-action@v3
+      - uses: actions/setup-node@v4
         with:
-          export-env: true
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: scripts/package-lock.json
+
+      - name: Install decrypt dependencies
+        working-directory: scripts
+        run: npm ci
+
+      - name: Decrypt secrets
         env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          OP_ENV_FILE: .github/secrets.env.tpl
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+        run: cd scripts && npm run decrypt
 
       - name: Setup Rust cache
         uses: Swatinem/rust-cache@v2
@@ -103,13 +111,21 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Load secrets
-        uses: 1password/load-secrets-action@v3
+      - uses: actions/setup-node@v4
         with:
-          export-env: true
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: scripts/package-lock.json
+
+      - name: Install decrypt dependencies
+        working-directory: scripts
+        run: npm ci
+
+      - name: Decrypt secrets
         env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          OP_ENV_FILE: .github/secrets.env.tpl
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+        run: cd scripts && npm run decrypt
 
       - name: Download digests
         uses: actions/download-artifact@v4

.github/workflows/release.yml

@@ -19,13 +19,21 @@ jobs:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-test
 
-      - name: Load secrets
-        uses: 1password/load-secrets-action@v3
+      - uses: actions/setup-node@v4
         with:
-          export-env: true
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: scripts/package-lock.json
+
+      - name: Install decrypt dependencies
+        working-directory: scripts
+        run: npm ci
+
+      - name: Decrypt secrets
         env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          OP_ENV_FILE: .github/secrets.env.tpl
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+        run: cd scripts && npm run decrypt
 
       - run: |
           mise run postgres:up --extra-args "--detach --wait"
@@ -38,8 +46,3 @@ jobs:
         run: |
           mise run --output prefix test
 
-      - uses: ./.github/actions/send-slack-notification
-        with:
-          channel: engineering
-          webhook_url: ${{ env.SLACK_NOTIFICATION_WEBHOOK_URL }}
-

.github/workflows/test.yml

@@ -18,6 +18,12 @@ rust-toolchain.toml
 # credentials for local dev
 .env.proxy.docker
 
+# CI secrets plaintext (never commit actual values)
+.github/secrets.env.plaintext
+
+# Node modules (scripts directory)
+scripts/node_modules/
+
 ## benchmark result data
 tests/benchmark/results/*.csv
 tests/benchmark/benchmark-*.png