Marketplace

doppler-workflows

Manages credentials and publishing workflows via Doppler. Use when publishing Python packages to PyPI, rotating AWS credentials, or managing secrets with Doppler.

allowed_tools: Read, Bash

$ 安裝

git clone https://github.com/terrylica/cc-skills /tmp/cc-skills && cp -r /tmp/cc-skills/plugins/devops-tools/skills/doppler-workflows ~/.claude/skills/cc-skills

// tip: Run this command in your terminal to install the skill

SKILL.md

View on GitHub →

name: doppler-workflows description: Manages credentials and publishing workflows via Doppler. Use when publishing Python packages to PyPI, rotating AWS credentials, or managing secrets with Doppler. allowed-tools: Read, Bash

Doppler Credential Workflows

Quick Reference

When to use this skill:

Publishing Python packages to PyPI
Rotating AWS access keys
Managing credentials across multiple services
Troubleshooting authentication failures (403, InvalidClientTokenId)
Setting up Doppler credential injection patterns
Multi-token/multi-account strategies

Core Pattern: Doppler CLI

Standard Usage:

doppler run --project <project> --config <config> --command='<command>'

Why --command flag:

Official Doppler pattern (auto-detects shell)
Ensures variables expand AFTER Doppler injects them
Without it: shell expands $VAR before Doppler runs → empty string

Quick Start Examples

PyPI Publishing

doppler run --project claude-config --config dev \
  --command='uv publish --token "$PYPI_TOKEN"'

AWS Operations

doppler run --project aws-credentials --config dev \
  --command='aws s3 ls --region $AWS_DEFAULT_REGION'

Best Practices

Always use --command flag for credential injection
Use project-scoped tokens (PyPI) for better security
Rotate credentials regularly (90 days recommended)
Document with Doppler notes: doppler secrets notes set <SECRET> "<note>"
Use stdin for storing secrets: echo -n 'secret' | doppler secrets set
Test injection before using: echo ${#VAR} to verify length
Multi-token naming: SERVICE_TOKEN_{ABBREV} for clarity

Reference Documentation

For detailed information, see:

PyPI Publishing - Token setup, publishing, troubleshooting
AWS Credentials - Rotation workflow, setup, troubleshooting
Multi-Service Patterns - Multiple PyPI packages, multiple AWS accounts
AWS Workflow - Complete AWS credential management guide

Bundled Specifications:

PYPI_REFERENCE.yaml - Complete PyPI spec
AWS_SPECIFICATION.yaml - AWS credential architecture

Using mise [env] for Local Development (Recommended)

For local development, mise [env] provides a simpler alternative to doppler run:

# .mise.toml
[env]
# Fetch from Doppler with caching for performance
PYPI_TOKEN = "{{ cache(key='pypi_token', duration='1h', run='doppler secrets get PYPI_TOKEN --project claude-config --config prd --plain') }}"

# For GitHub multi-account setups
GH_TOKEN = "{{ read_file(path=env.HOME ~ '/.claude/.secrets/gh-token-accountname') | trim }}"

When to use mise [env]:

Per-directory credential configuration
Multi-account GitHub setups
Credentials that persist across commands (not session-scoped)

When to use doppler run:

CI/CD pipelines
Single-command credential scope
When you want credentials auto-cleared after command

See mise-configuration skill for complete patterns.

PyPI Publishing Policy

For PyPI publishing, see pypi-doppler skill for LOCAL-ONLY workspace policy.

Do NOT configure PyPI publishing in GitHub Actions or CI/CD pipelines.