doppler-workflows

@terrylica/cc-skills

Manages credentials and publishing workflows via Doppler. Use when publishing Python packages to PyPI, rotating AWS credentials, or managing secrets with Doppler.


SKILL.md

name: doppler-workflows
description: Manages credentials and publishing workflows via Doppler. Use when publishing Python packages to PyPI, rotating AWS credentials, or managing secrets with Doppler.
allowed-tools: Read, Bash

Doppler Credential Workflows

Quick Reference

When to use this skill:

  • Publishing Python packages to PyPI
  • Rotating AWS access keys
  • Managing credentials across multiple services
  • Troubleshooting authentication failures (403, InvalidClientTokenId)
  • Setting up Doppler credential injection patterns
  • Multi-token/multi-account strategies

Core Pattern: Doppler CLI

Standard Usage:

doppler run --project <project> --config <config> --command='<command>'

Why the --command flag:

  • Official Doppler pattern (auto-detects shell)
  • Ensures variables expand AFTER Doppler injects them (the single quotes stop the calling shell from expanding them first)
  • Without it: the calling shell expands $VAR before Doppler runs → empty string

Quick Start Examples

PyPI Publishing

doppler run --project claude-config --config dev \
  --command='uv publish --token "$PYPI_TOKEN"'

AWS Operations

doppler run --project aws-credentials --config dev \
  --command='aws s3 ls --region "$AWS_DEFAULT_REGION"'

Best Practices

  1. Always use the --command flag for credential injection
  2. Use project-scoped tokens (PyPI) for better security
  3. Rotate credentials regularly (90 days recommended)
  4. Document with Doppler notes: doppler secrets notes set <SECRET> "<note>"
  5. Use stdin for storing secrets, which keeps the value out of the doppler command's arguments: echo -n 'secret' | doppler secrets set <SECRET>
  6. Test injection before use: run echo ${#VAR} inside --command to check the length without printing the value
  7. Multi-token naming: SERVICE_TOKEN_{ABBREV} for clarity
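
The expansion-order point under "Why the --command flag" and the length check in best practice 6, shown as an added example that is not part of the skill's own files. It assumes a hypothetical fake_doppler_run function standing in for doppler run, with a constructed sample value, so it runs without a Doppler account.

```bash
#!/usr/bin/env bash
# Added example. fake_doppler_run is a hypothetical stand-in for
# `doppler run --command=...`: it puts a secret into the child environment only.

SAMPLE_SECRET='constructed-sample-token-000'   # constructed value, not a real token

fake_doppler_run() {
  # $1 is the command string, handed to a child shell like --command='<command>'
  env PYPI_TOKEN="$SAMPLE_SECRET" sh -c "$1"
}

# Double quotes: the calling shell expands $PYPI_TOKEN (unset here) while
# building the string, so the child is asked to print an empty argument.
early_expansion() {
  unset PYPI_TOKEN
  fake_doppler_run "printf '%s' \"$PYPI_TOKEN\""
}

# Single quotes: the text reaches the child shell untouched and expands there,
# after injection. Printing ${#VAR} confirms the secret without revealing it.
late_expansion_length() {
  fake_doppler_run 'printf "%s" "${#PYPI_TOKEN}"'
}

# Preflight: exit status 0 only if the named variable is non-empty after injection.
secret_is_injected() {
  fake_doppler_run "[ -n \"\${$1:-}\" ]"
}

printf 'double-quoted output: [%s]\n' "$(early_expansion)"
printf 'single-quoted length: %s\n' "$(late_expansion_length)"
if secret_is_injected PYPI_TOKEN; then echo 'PYPI_TOKEN injected'; fi
if ! secret_is_injected MISSING_TOKEN_EXAMPLE; then echo 'MISSING_TOKEN_EXAMPLE absent'; fi
```

Against a real project the same preflight is the page's own pattern with the length expression as the command, for example --command='echo ${#PYPI_TOKEN}'.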

Reference Documentation

For detailed information, see:

Bundled Specifications:

  • PYPI_REFERENCE.yaml - Complete PyPI spec
  • AWS_SPECIFICATION.yaml - AWS credential architecture

Using mise [env] for Local Development (Recommended)

For local development, mise [env] provides a simpler alternative to doppler run:

# .mise.toml
[env]
# Fetch from Doppler with caching for performance
PYPI_TOKEN = "{{ cache(key='pypi_token', duration='1h', run='doppler secrets get PYPI_TOKEN --project claude-config --config prd --plain') }}"

# For GitHub multi-account setups
GH_TOKEN = "{{ read_file(path=env.HOME ~ '/.claude/.secrets/gh-token-accountname') | trim }}"

When to use mise [env]:

  • Per-directory credential configuration
  • Multi-account GitHub setups
  • Credentials that persist across commands (not session-scoped)

When to use doppler run:

  • CI/CD pipelines
  • Single-command credential scope
  • When you want credentials auto-cleared after command

See `mise-configuration` skill for complete patterns.


PyPI Publishing Policy

For PyPI publishing, see `pypi-doppler` skill for LOCAL-ONLY workspace policy.

Do NOT configure PyPI publishing in GitHub Actions or CI/CD pipelines.