use doppler

Author: eluce2

.github/workflows/continuous-release.yml

@@ -45,6 +45,9 @@ jobs:
   test:
     runs-on: ubuntu-latest
     needs: [lint, typecheck]
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -58,18 +61,23 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
-      - name: Install 1Password CLI
-        uses: 1password/install-cli-action@v1
+      - name: Install Doppler CLI
+        uses: dopplerhq/cli-action@v3
+
+      - name: Get OIDC token
+        run: |
+          TOKEN=$(curl -s -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=https://github.com/$GITHUB_REPOSITORY_OWNER")
+          echo "OIDC_TOKEN=$(echo $TOKEN | jq -r '.value')" >> $GITHUB_ENV
+
+      - name: Authenticate with Doppler
+        run: doppler oidc login --scope=. --identity=${{ vars.DOPPLER_SERVICE_IDENTITY_ID }} --token=$OIDC_TOKEN
 
       - name: Run Unit Tests
-        run: op run --env-file=op.env -- pnpm test
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+        run: pnpm test
 
       - name: Run fmodata E2E Tests
-        run: op run --env-file=op.env -- pnpm --filter @proofkit/fmodata test:e2e:ci
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+        run: pnpm --filter @proofkit/fmodata test:e2e
 
   build:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -44,18 +44,23 @@ jobs:
       - name: Type Check
         run: pnpm typecheck
 
-      - name: Install 1Password CLI
-        uses: 1password/install-cli-action@v1
+      - name: Install Doppler CLI
+        uses: dopplerhq/cli-action@v3
+
+      - name: Get OIDC token
+        run: |
+          TOKEN=$(curl -s -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=https://github.com/$GITHUB_REPOSITORY_OWNER")
+          echo "OIDC_TOKEN=$(echo $TOKEN | jq -r '.value')" >> $GITHUB_ENV
+
+      - name: Authenticate with Doppler
+        run: doppler oidc login --scope=. --identity=${{ vars.DOPPLER_SERVICE_IDENTITY_ID }} --token=$OIDC_TOKEN
 
       - name: Run Tests
-        run: op run --env-file=op.env -- pnpm test
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+        run: pnpm test
 
       - name: Run fmodata E2E Tests
-        run: op run --env-file=op.env -- pnpm --filter @proofkit/fmodata test:e2e:ci
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+        run: pnpm --filter @proofkit/fmodata test:e2e
 
   release:
     name: Release

CONTRIBUTING.md

@@ -0,0 +1,72 @@
+# Contributing to ProofKit
+
+## Getting Started
+
+### Prerequisites
+
+- Node.js >= 18
+- pnpm (managed via corepack)
+- [Doppler CLI](https://docs.doppler.com/docs/install-cli) for secrets management
+
+### Setup
+
+1. Clone the repository and install dependencies:
+
+```bash
+git clone https://github.com/proofgeist/proofkit.git
+cd proofkit
+corepack enable
+pnpm install
+```
+
+2. Install and configure Doppler:
+
+```bash
+# Install Doppler CLI
+brew install dopplerhq/cli/doppler  # macOS
+# or: curl -Ls https://cli.doppler.com/install.sh | sh  # Linux
+
+# Login to Doppler
+doppler login
+
+# Setup project (select proofkit project, dev config)
+doppler setup
+```
+
+### Running Tests
+
+Test scripts automatically use `doppler run` to inject secrets:
+
+```bash
+# Run all tests
+pnpm test
+
+# Run specific package tests
+pnpm --filter @proofkit/fmodata test
+pnpm --filter @proofkit/fmodata test:e2e
+```
+
+### Building
+
+```bash
+pnpm build
+```
+
+### Linting and Formatting
+
+```bash
+pnpm lint
+pnpm format
+```
+
+## Development Workflow
+
+1. Create a new branch for your feature or fix
+2. Make your changes
+3. Run tests with `pnpm test:local`
+4. Run `pnpm lint` to check for issues
+5. Submit a pull request
+
+## Code Style
+
+This project uses [Ultracite](https://github.com/proofgeist/ultracite) for linting and formatting. Run `pnpm dlx ultracite fix` to auto-fix issues before committing.

doppler.yaml

@@ -0,0 +1,3 @@
+setup:
+  project: proofkit
+  config: dev

op.env

@@ -12,7 +12,7 @@
     "sherif": "pnpm dlx sherif@latest",
     "sherif:fix": "pnpm sherif --fix",
     "release": "turbo run build --filter={./packages/*} && changeset publish",
-    "test": "vitest",
+    "test": "doppler run -- vitest",
     "knip": "knip",
     "prepare": "husky"
   },

package.json

@@ -6,7 +6,7 @@
   "main": "dist/esm/index.js",
   "scripts": {
     "dev": "pnpm build:watch",
-    "test": "vitest run",
+    "test": "doppler run -- vitest run",
     "typecheck": "tsc --noEmit",
     "build": "vite build && publint --strict",
     "build:watch": "vite build --watch",

packages/better-auth/package.json

@@ -1,13 +1,7 @@
 import { defineConfig } from "vitest/config";
-// import dotenv from "dotenv";
-// import path from "path";
-
-// // Load .env.local file explicitly
-// dotenv.config({ path: path.resolve(__dirname, ".env.local") });
 
 export default defineConfig({
   test: {
     testTimeout: 15_000, // 15 seconds, since we're making a network call to FM
-    setupFiles: ["./tests/setupEnv.ts"],
   },
 });

packages/better-auth/tests/setupEnv.ts

@@ -51,7 +51,7 @@
     "pub:beta": "NODE_ENV=production pnpm build && npm publish --tag beta --access public",
     "pub:next": "NODE_ENV=production pnpm build && npm publish --tag next --access public",
     "pub:release": "NODE_ENV=production pnpm build && npm publish --access public",
-    "test": "vitest run"
+    "test": "doppler run -- vitest run"
   },
   "dependencies": {
     "@better-fetch/fetch": "1.1.17",