This is a submission for the Pulumi Deploy and Document Challenge: Shhh, It's a Secret!
Hey everyone!
This is my submission for the Pulumi Deploy and Document Challenge, under the "Shhh, It's a Secret!" prompt.
Source Code: GitHub Repository
Stack: Node.js, TypeScript, Pulumi ESC, GitHub API
The Idea
As a developer, I interact with GitHub constantly - checking repositories, creating new ones, managing project metadata, and so on. So I built a simple but useful command-line interface (CLI) to streamline those interactions.
But I didn't want just another CLI tool - I wanted it to be secure, modular, and real-time configurable. That's where Pulumi ESC (Environments, Secrets, and Configuration) came in.
Why Pulumi ESC?
Pulumi ESC made it easy to keep things secure without compromising on flexibility.
Instead of relying on .env files or hardcoded values, this CLI securely pulls secrets like the GitHub token from ESC environments at runtime - meaning:
- No secrets are exposed in the codebase or shell
- Secrets can be centrally managed, rotated, and audited
- The CLI can be reused across projects and teams with minimal config
- I can update or revoke secrets remotely, with zero redeploys
In short: ESC provides centralized, secure, and scalable secret management - perfect for both solo devs and teams.
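The runtime lookup described above, as an added example in plain Node.js JavaScript that is not taken from the project's repository: it runs `esc env open` without a shell, extracts the token from the resolved JSON, and builds the GitHub API headers. The environment name `my-org/my-project/github-cli` and the `environmentVariables.GITHUB_TOKEN` property path are assumptions about how the ESC environment is laid out.

```javascript
// Added example: not the project's code. The environment name and the
// property path are assumptions about how the ESC environment is laid out.
const ESC_ENV = "my-org/my-project/github-cli"; // hypothetical name
const TOKEN_PATH = ["environmentVariables", "GITHUB_TOKEN"]; // assumed path

// Run `esc env open` without a shell; the output stays in this process's
// memory and is never written to disk or exported to process.env.
async function openEscEnvironment(env = ESC_ENV) {
  const { execFileSync } = await import("node:child_process");
  return execFileSync("esc", ["env", "open", env, "--format", "json"], {
    encoding: "utf8",
    stdio: ["ignore", "pipe", "pipe"],
  });
}

// Walk the resolved environment JSON to the token; fail closed with
// messages that never include the secret or the raw ESC output.
function extractToken(escJson, path = TOKEN_PATH) {
  let node;
  try {
    node = JSON.parse(escJson);
  } catch {
    throw new Error("ESC output is not valid JSON");
  }
  for (const key of path) {
    if (node === null || typeof node !== "object" || !Object.hasOwn(node, key)) {
      throw new Error(`ESC environment has no value at ${path.join(".")}`);
    }
    node = node[key];
  }
  if (typeof node !== "string" || node.trim() === "") {
    throw new Error(`Value at ${path.join(".")} is not a non-empty string`);
  }
  return node.trim();
}

// Headers for a GitHub REST API call authenticated with the token.
function githubHeaders(token) {
  return {
    Authorization: `Bearer ${token}`,
    Accept: "application/vnd.github+json",
    "X-GitHub-Api-Version": "2022-11-28",
  };
}

// Safe to log: reveals only the length, never any token characters.
function redact(token) {
  return `[redacted token, ${token.length} chars]`;
}
```

At startup the CLI would call `extractToken(await openEscEnvironment())` once and pass the result to `githubHeaders`, logging only `redact(token)` if it needs to confirm that a token was loaded.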
What the CLI does
Right now, this CLI provides an interactive GitHub experience straight from the terminal:
- List repositories
- Get repo details
- View insights
- Create a new repo
- Update repo name/description/visibility
- Delete a repo
All of these actions are authenticated via ESC-managed secrets - making it safer by design.
The app is cleanly organized with a simple controller-service-view structure to keep things maintainable and extendable.
What's next?
This is still a lightweight tool, but I'm excited about extending it with:
- Issue tracking from the CLI
- Pull request insights and review commands
- Team/member management
- Workflows and Actions overview
- Integration with GitHub metrics or activity dashboards
Each of these features would benefit from Pulumi ESC as they scale - providing secure and consistent access to different environments and tokens.
Final Thoughts
This project is simple, but it gave me a great hands-on experience with Pulumi ESC and showed how valuable it can be in real-world tooling - especially for developers who want to build secure, scriptable workflows with minimal overhead.
Pulumi ESC is a powerful secret and configuration platform that bridges security and usability. Whether you're a solo developer or part of a large engineering team, having centralized control over secrets - without ever storing them in code - is a huge win.
Thanks to Pulumi and DEV for creating this challenge! I'm excited to keep exploring what's possible.
Top comments (2)
To further improve security, consider using the ESC "gh-login" provider.
The gh-login provider enables you to log in to GitHub using GH App credentials, based on a private key stored within the environment definition.
Users of the CLI would then obtain short-term access tokens (not the private key) to access the GitHub API. Note that the user's permissions would be based on that of the GH App, not based on a PAT as is demonstrated in the article.
Thanks for sharing this fun and useful project!
Hi Eron, Thanks so much for your valuable feedback! I really appreciate you taking the time to check out the project.
I wasn't familiar with the gh-login provider before, but it's definitely a great suggestion for improving security by using short-term access tokens instead of PATs. I'll definitely look into it and consider implementing it in future projects.
Thanks again for the helpful tip, and I'm glad you found the project fun and useful! Best