Skip to main content
Doppler holds the values. Everything else is delivery.

What goes in Doppler

  • AI provider keys: AI_TOKEN, COPILOT_GITHUB_TOKEN, HF_TOKEN, plus provider-specific keys when a tool cannot use the shared AI_TOKEN convention.
  • GitHub App credentials: GH_APP_CLAUDE_BOT_*, the SSH signing key for Actions-signed commits.
  • Slack webhooks (broadcast and per-channel).
  • Infrastructure runtime config: database passwords, RunsOn license, Qdrant credentials.

What does not go in Doppler

  • SSH keys for git auth (lives in Bitwarden + ssh-agent).
  • Recovery codes, account passwords, age-key escrow (Bitwarden).
  • Anything an AI tool must never read (Bitwarden vault).
  • macOS-only GitHub PATs (Keychain — see macos-keychain).

Project / config layout

Three Doppler projects, three delivery modes — each lands in a different consumer.
Doppler projectDelivery modeConsumer
secrets-syncAuto-sync → GitHub Actions secrets on the secrets-sync reposecrets-sync workflow fans out (Tier 1)
infra-project/prdRuntime fetch via dopplerhq/secrets-fetch-actionInfra CI jobs (Tier 2 — values never sit in GitHub)
ai-ci-automation/prddoppler run -- wrapper at subprocess launchLocal dev + the doppler-mcp bridge

Runtime fetch via GitHub Actions

For Tier 2 secrets that must never sit in GitHub Actions stores: 
- uses: dopplerhq/secrets-fetch-action@v1
  with:
    doppler-token: ${{ secrets.DOPPLER_TOKEN }}
    inject-env-vars: true
That DOPPLER_TOKEN service token is itself a Tier 1 secret distributed by secrets-sync to the two _infra_repos: ansible-proxmox-apps and tofu-runs-on.

Local-dev chain

The canonical chain pairs AWS Vault with Doppler so an MFA-protected AWS session wraps the Doppler injection: 
aws-vault exec tf-proxmox -- doppler run -- terragrunt plan
Secrets injection happens at terragrunt’s subprocess launch — no values touch your shell history or environment. For OpenTofu variables specifically, Doppler’s name-transformer flag prefixes everything as TF_VAR_*: 
doppler run --name-transformer tf-var -- terragrunt plan

Anti-patterns and best practices

  • Do not export DOPPLER_TOKEN in ~/.zshrc. Use the doppler-mcp wrapper or doppler login interactive auth. Tokens persisted in the shell env are reachable by every later command.
  • Do not store the same value in both Doppler and the Keychain. Pick one source of truth per secret. The Keychain is for tokens that only the macOS host uses (GitHub PATs); Doppler is for tokens that CI also needs.
  • Rotate the service tokens at 90 days. The rotation runbook lives in secrets-sync.
  • Audit log: enable Doppler’s per-project audit log; review on every PAT/key rotation.

See also

  • secrets-sync — Tier 1 distribution.
  • aws-vault — the wrapping layer for the local-dev chain.
  • BWS — alternative for AI-specific OAuth tokens where Doppler is not yet wired up.
  • docs.dryvist.com — dryvist-internal project / config names.