Client Secrets: CI/CD Integration Guide

Bulletproof Infrastructure Automation

Stop your CI/CD pipelines from breaking due to authentication issues. Client Secrets provide reliable, secure automation for infrastructure deployments across all major platforms.

Zero-Prompt Authentication
# Works everywhere, every time
ipm sync --non-interactive
ipm status --non-interactive
✅ No login prompts, no failures

The CI/CD Authentication Problem

Your infrastructure automation keeps failing because:

No visibility into PAT usage

No central place to view and manage your PATs

Token Expiration

Personal tokens expire during critical releases, with no advance warning that would allow easy renewal

Complex Auth Methods

Different auth methods for different environments create complexity

No Access Control

No way to control what automation can actually do

The Client Secrets Solution

Purpose-built authentication that just works in automation

Central management of organization tokens

Insight into the lifetime and usage of all organizational secrets.

Organization Tokens

Not tied to individual users. Tokens survive employee changes and don't break when someone leaves

Universal Platform Support

Works across all CI/CD platforms with the same configuration

Role-Based Permissions

Viewer vs Contributor roles control exactly what automation can do

Quick Start: Azure DevOps

Get up and running in under 5 minutes

1. Create Client Secret
  1. Go to IPMHub Portal → Organizations → Your Org → Settings → Client Secrets
  2. Create new secret with appropriate role (Viewer for downloads, Contributor for publishing)
  3. Copy the secret value (you won't see it again)
2. Add to Azure DevOps
  1. Go to Pipelines → Library → Variable groups
  2. Create new group called "ipm-secrets"
  3. Add variable IPM_CLIENT_SECRETS and mark as secret
  4. Paste your client secret value
  5. Save and link to your pipeline
3. Pipeline Integration
# Add to your pipeline variables
variables:
- group: ipm-secrets  # Variable group

Complete Pipeline Example
trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

variables:
- group: ipm-secrets

steps:
- bash: |
    curl -Lo ipm-cli.tar.gz \
      "https://github.com/ipmhubio/ipm/releases/latest/download/ipm-linux-x64-full.tar.gz"
    tar -xzf ipm-cli.tar.gz
    sudo mv ./ipm /usr/local/bin/ipm
  displayName: 'Install IPM CLI'

- bash: |
    ipm sync --non-interactive
  displayName: 'Sync Infrastructure'
  env:
    IPM_CLIENT_SECRETS: $(IPM_CLIENT_SECRETS)

Quick Start: GitHub Actions

Secure secrets management for GitHub workflows

1. Create Client Secret
  1. Go to IPMHub Portal → Organizations → Your Org → Settings → Client Secrets
  2. Create new secret with appropriate role (Viewer for downloads, Contributor for publishing)
  3. Copy the secret value (you won't see it again)
2. Add Secret to Repository
  1. Go to your repository Settings
  2. Select Secrets and Variables → Actions
  3. Click "New repository secret"
  4. Name: IPM_CLIENT_SECRETS
  5. Value: Your client secret from IPMHub
3. Workflow Integration

Reference secrets securely in your workflow files using GitHub's secrets context

Complete Workflow Example
name: Infrastructure Deployment
on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  deploy-infrastructure:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Install IPM CLI
      run: |
        curl -Lo ipm-cli.tar.gz \
          "https://github.com/ipmhubio/ipm/releases/latest/download/ipm-linux-x64-full.tar.gz"
        tar -xzf ipm-cli.tar.gz
        sudo mv ./ipm /usr/local/bin/ipm

    - name: Sync Infrastructure Packages
      env:
        IPM_CLIENT_SECRETS: ${{ secrets.IPM_CLIENT_SECRETS }}
      run: |
        ipm sync --non-interactive

    - name: Check Package Status
      env:
        IPM_CLIENT_SECRETS: ${{ secrets.IPM_CLIENT_SECRETS }}
      run: |
        ipm status --non-interactive

Organization-Level Secrets

For multiple repositories, create organization-level secrets:

  1. Go to Organization Settings → Secrets and Variables → Actions
  2. Add IPM_CLIENT_SECRETS as organization secret
  3. Select which repositories can access it
  4. Reference the same way in workflows

Advanced Integration Patterns

Power-user techniques for complex deployments

Workspace Status Checks
# Verify workspace health before deployment
- name: Check Infrastructure Status
  env:
    IPM_CLIENT_SECRETS: ${{ secrets.IPM_SECRET }}
  run: |
    ipm status --non-interactive

Multiple Organization Access
# GitHub Actions - Access packages from different orgs
- name: Sync Multi-Org Infrastructure
  env:
    IPM_CLIENT_SECRETS: ${{ secrets.ORG_A_SECRET }} ${{ secrets.ORG_B_SECRET }}
  run: |
    ipm add --packages \
      orgA/networking \
      orgB/security \
      --non-interactive

Publishing in CI/CD
# Publish new versions automatically
- name: Publish Package Update
  env:
    IPM_CLIENT_SECRETS: ${{ secrets.IPM_CONTRIBUTOR_SECRET }}
  run: |
    ipm publish --package myorg/infrastructure \
      --version ${{ github.run_number }} \
      --folder ./build --non-interactive
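
A pre-flight guard for the steps above, added here as an example and not part of IPM or the original guide: it rejects an empty IPM_CLIENT_SECRETS and a value that still holds a literal placeholder such as $(NAME), ${{ ... }} or $NAME, which is what the job sees when the CI platform did not substitute the variable. The helper name check_ipm_secrets is hypothetical; it assumes secrets are whitespace-separated, as in the multi-organization step, and never begin with "$".

```shell
#!/bin/sh
# Added example: fail fast when IPM_CLIENT_SECRETS was never filled in.

# check_ipm_secrets VALUE
# Prints a status word (never the value itself) and returns:
#   0 "ok:<n>"      n whitespace-separated secrets present
#   1 "missing"     empty or whitespace only
#   2 "unexpanded"  a token is still a CI placeholder such as $(NAME),
#                   ${{ secrets.NAME }} or $NAME
check_ipm_secrets() (
  set -f          # split on whitespace without glob-expanding the tokens
  count=0
  for token in $1; do
    case "$token" in
      '$('* | '${'* | '$'[A-Za-z_]*)
        echo unexpanded
        exit 2
        ;;
    esac
    count=$((count + 1))
  done
  if [ "$count" -eq 0 ]; then
    echo missing
    exit 1
  fi
  echo "ok:$count"
)

# demo_check: statuses for constructed inputs (placeholder strings, not real
# secrets; the assumption is that a real secret never starts with "$")
demo_check() {
  for sample in 'constructedA constructedB' '' \
                '$(IPM_CLIENT_SECRETS)' '$CIRCLE_IPM_SECRET'; do
    check_ipm_secrets "$sample" || true
  done
}

# In a pipeline step, before any ipm command:
#   check_ipm_secrets "${IPM_CLIENT_SECRETS:-}" || exit 1
```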

Platform-Specific Examples

Ready-to-use configurations for popular CI/CD platforms

Jenkins Pipeline
pipeline {
    agent any
    environment {
        IPM_CLIENT_SECRETS = credentials('ipm-client-secret')
    }
    stages {
        stage('Install IPM') {
            steps {
                sh '''
                    curl -Lo ipm-cli.tar.gz \
                      "https://github.com/ipmhubio/ipm/releases/latest/download/ipm-linux-x64-full.tar.gz"
                    tar -xzf ipm-cli.tar.gz
                    sudo mv ./ipm /usr/local/bin/ipm
            '''
            }
        }
        stage('Deploy Infrastructure') {
            steps {
                sh '''
                    ipm sync --non-interactive
                    ipm status --non-interactive
            '''
            }
        }
    }
}

GitLab CI
stages:
  - infrastructure

variables:
  IPM_CLIENT_SECRETS: $GITLAB_IPM_SECRET

install_ipm:
  stage: infrastructure
  script:
    # Keep the command on one line: inside a plain YAML scalar a trailing
    # backslash is folded into "\ " and escapes the space before the URL
    - curl -Lo ipm-cli.tar.gz "https://github.com/ipmhubio/ipm/releases/latest/download/ipm-linux-x64-full.tar.gz"
    - tar -xzf ipm-cli.tar.gz
    - mv ./ipm /usr/local/bin/ipm
    - ipm sync --non-interactive
    - ipm status --non-interactive

CircleCI
version: 2.1

jobs:
  deploy-infrastructure:
    docker:
      - image: ubuntu:latest
    steps:
      - checkout
      - run:
          name: Install IPM CLI
          command: |
            # ubuntu:latest ships without curl
            apt-get update && apt-get install -y curl ca-certificates
            curl -Lo ipm-cli.tar.gz \
              "https://github.com/ipmhubio/ipm/releases/latest/download/ipm-linux-x64-full.tar.gz"
            tar -xzf ipm-cli.tar.gz
            mv ./ipm /usr/local/bin/ipm
      - run:
          name: Sync Infrastructure
          command: |
            # CircleCI treats values under `environment:` literally (no
            # interpolation), so map the project variable in the shell
            export IPM_CLIENT_SECRETS="$CIRCLE_IPM_SECRET"
            ipm sync --non-interactive

workflows:
  deploy:
    jobs:
      - deploy-infrastructure

Role-Based Access Patterns

Fine-grained permissions for different automation needs

Viewer Role (Download Only)

Perfect for deployment pipelines that need to pull infrastructure:

# These commands work with Viewer role
ipm add --package company/infrastructure --non-interactive
ipm sync --non-interactive
ipm status --non-interactive
ipm info --package company/infrastructure --non-interactive

Contributor Role (Full Access)

For pipelines that need to publish updates:

# All Viewer commands plus:
ipm publish --package company/infrastructure \
  --version 1.2.3 --folder ./ --non-interactive

Multi-Role Strategy
# Different secrets for different purposes
- name: Download Infrastructure
  env:
    IPM_CLIENT_SECRETS: ${{ secrets.IPM_VIEWER_SECRET }}
  run: ipm sync --non-interactive

- name: Publish Updates
  env:
    IPM_CLIENT_SECRETS: ${{ secrets.IPM_CONTRIBUTOR_SECRET }}
  # Block scalar so the line continuation reaches the shell intact
  run: |
    ipm publish --package myorg/infrastructure \
      --version ${{ github.run_number }} --folder ./build --non-interactive

Security Best Practices

Keep your automation secure and compliant

Secret Storage
  • Always use your CI/CD platform's secure secret storage
  • Never commit client secrets to source control
  • Use environment variables, not hardcoded values
  • Rotate secrets before they expire
Access Control
  • Use Viewer role unless publishing is required
  • Create separate secrets for different workflows
  • Limit secret access to necessary repositories/pipelines
  • Monitor secret usage through IPMHub analytics
Operational Security
  • Set appropriate expiration periods (max 24 months)
  • Enable notifications before expiration
  • Document where each secret is used
  • Remove unused secrets promptly
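
A repository check for the "never commit" and "not hardcoded" rules above, added here as an example and not part of IPM or the original guide: it lists every IPM_CLIENT_SECRETS assignment whose value is a literal rather than one of the reference forms this guide uses (${{ secrets.X }}, $(X), $X, credentials('...')). The function names and the sample files are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag IPM_CLIENT_SECRETS values committed as literals.

# find_hardcoded_ipm_secrets DIR
# Prints "file:line" for each assignment of IPM_CLIENT_SECRETS whose value is
# not a CI secret reference. Exit status 1 when at least one is found.
find_hardcoded_ipm_secrets() (
  # YAML "IPM_CLIENT_SECRETS:" and shell/Groovy "IPM_CLIENT_SECRETS ="
  assign='IPM_CLIENT_SECRETS[[:space:]]*[:=][[:space:]]*'
  # Values starting with "$" (${{ secrets.X }}, $(X), $X) or credentials(
  # are resolved by the CI platform at run time and are not literals
  reference="${assign}[\"']?([\$]|credentials[(])"
  hits=$(grep -rnE "$assign" "$1" | grep -vE "$reference" | cut -d: -f1,2)
  [ -z "$hits" ] && exit 0
  printf '%s\n' "$hits"
  exit 1
)

# demo_scan: run the check on constructed sample files (no real secrets)
demo_scan() (
  dir=$(mktemp -d) || exit 2
  trap 'rm -rf "$dir"' EXIT
  cd "$dir" || exit 2
  printf '%s\n' 'env:' \
    '  IPM_CLIENT_SECRETS: ${{ secrets.IPM_VIEWER_SECRET }}' > workflow.yml
  printf '%s\n' 'environment {' \
    "  IPM_CLIENT_SECRETS = credentials('ipm-client-secret')" '}' > Jenkinsfile
  printf '%s\n' 'variables:' \
    '  IPM_CLIENT_SECRETS: constructed-literal-not-a-real-secret' > leaked.yml
  find_hardcoded_ipm_secrets .
)

# In a pipeline or pre-commit hook, from the repository root:
#   find_hardcoded_ipm_secrets . || exit 1
```

A comment or an empty key that mentions IPM_CLIENT_SECRETS followed by ":" or "=" is reported as well, so treat each hit as something to review rather than as proof of a leak.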

Ready to Bulletproof Your Infrastructure Automation?

Stop letting authentication break your deployments. Get Client Secrets set up in under 5 minutes.

Available in Business and Enterprise plans • Role-based permissions • Secure automation