Implement Rust CLI for GitHub secrets management with audit logging

[Copilot]

Builds a CLI tool to manage GitHub repository secrets/environments for an organization, with audit logging and command execution using environment variables.

Implementation

Core modules:

• github/ - REST API client for secrets/environments CRUD, libsodium encryption for secret values
• audit/ - Event logging to external URL with JSON payload (timestamp, action, repo, env, user)
• config/ - TOML-based configuration at ~/.config/with-env/config.toml
• commands/ - 7 CLI commands: init, list-envs, list-secrets, get-secret, set-secret, delete-secret, run

Key design decisions:

• Local .env files store secret values (GitHub API doesn't return values), validated against GitHub secrets list
• Graceful degradation when GitHub API unavailable - continues with local env vars only
• Async with tokio, error handling with anyhow
• Binary name: with-env, supports shorthand with-env <cmd> (uses "default" environment)

Usage

# Setup
with-env init --org tilli-pro --audit-url https://audit.example.com

# Manage secrets
with-env list-secrets production
with-env set-secret production API_KEY "value"

# Run commands with env vars
with-env run production pnpm start
with-env pnpm start  # shorthand, uses "default" env

# Local env file: ~/.config/with-env/envs/production.env
DATABASE_URL=postgresql://localhost/db
API_KEY=secret123

Dependencies

• reqwest - GitHub API client
• sodiumoxide 0.2.7 - Secret encryption (sealed boxes)
• clap - CLI parsing
• git2 - Repository detection from git remote

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/tilli-pro/env/environments/default/secrets
  • Triggering command: ./target/debug/with-env run default bash -c echo "TEST_VAR=$TEST_VAR" (http block)
  • Triggering command: ./target/debug/with-env echo Hello from with-env! (http block)
  • Triggering command: ./target/release/with-env /tmp/test_shorthand.sh (http block)
• https://api.github.com/repos/tilli-pro/env/environments/staging/secrets
  • Triggering command: ./target/release/with-env run staging /tmp/test_env_script.sh (http block)
  • Triggering command: ./target/release/with-env run staging bash -c echo "Database: $DATABASE_URL" (http block)
• https://api.github.com/repos/tilli-pro/env/environments/test/secrets
  • Triggering command: ./target/debug/with-env run test /tmp/check_env.sh (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

We want to build a Rust CLI application that does the following:

• manages secrets and environments for GitHub repositories for an individual organization
• is able to push audit related information for accessing and changing secrets/ environments to a specified URL
• can be invoked while within a git repository to run a bash command with env variables from a given environment (e.g. with-env pnpm start would result in this being run: ENV_VAR_A=x ENV_VAR_Y=b ENV_VAR_ETC=c pnpm start)

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[changeset-bot]

⚠️ No Changeset found

Latest commit: b3fecb0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[GeorgeIpsum]

I have no idea what I'm reading but it looks cool