Guide

Use in CI/CD

movitera run delivers Vault secrets straight to your build, test, or deploy step — with no .env in the repository and no secrets scattered across your CI provider settings.

How it works in CI

  1. Create a token in the web app.

     Generate an access token and copy the value. It replaces browser login, which a runner doesn't have.

  2. Store the token as a CI provider secret.

     Add the value to your provider's secret store (GitHub Actions, GitLab, CircleCI) and expose it as MOVITERA_TOKEN in the job.

  3. Run `movitera run` in the pipeline.

     The command fetches the ENV_BUNDLE and hands the keys to your process. The values never appear in the log or land on disk.

     bash
     movitera run -t <team-id> -c myapp-prod -- ./deploy.sh

Examples by provider

Deploy with Vault secrets

Store the token under Settings → Secrets as MOVITERA_TOKEN. The job installs the CLI and runs the deploy with the bundle keys in its environment.

yaml
# .github/workflows/deploy.yml
on: [push]   # trigger chosen for this example; narrow it to your deploy branch or event
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      MOVITERA_TOKEN: ${{ secrets.MOVITERA_TOKEN }}
      MOVITERA_TEAM: <team-id>
    steps:
      - uses: actions/checkout@v4
      - run: pipx install movitera-cli
      - run: movitera run -c myapp-prod -- ./deploy.sh

Point to the team and credential

Set the team with MOVITERA_TEAM or -t <team-id> and the credential with -c <bundle>, so the job doesn't depend on any local configuration.

Failures stop the pipeline

If the token is invalid or the credential is missing, movitera run exits with an error and the pipeline stops before it ships a build without secrets. The values are never printed to the log.
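The behaviour described in step 3 and in the two sections above (inputs resolved from MOVITERA_TOKEN, MOVITERA_TEAM or -t, and -c; keys handed to the child process only; secret values kept out of the log; fail closed before deploying), sketched as an added Python example. This is illustrative code, not the movitera CLI's own implementation; SAMPLE_BUNDLE, check_inputs, redact, run_with_bundle and child_echo are names chosen for the example, and the bundle contents are constructed.

```python
import os
import subprocess
import sys

# Constructed stand-in for the ENV_BUNDLE that movitera run fetches from Vault.
# Keys and values are made up for this example.
SAMPLE_BUNDLE = {
    "DATABASE_URL": "postgres://app:s3cr3t@db/app",
    "API_KEY": "key-123456",
}

def check_inputs(env, cli_team=None, credential=None):
    """Return the list of missing inputs; an empty list means the job may run.
    Token comes from MOVITERA_TOKEN, team from -t or MOVITERA_TEAM, credential from -c."""
    problems = []
    if not env.get("MOVITERA_TOKEN"):
        problems.append("MOVITERA_TOKEN is not set")
    if not (cli_team or env.get("MOVITERA_TEAM")):
        problems.append("no team: pass -t <team-id> or set MOVITERA_TEAM")
    if not credential:
        problems.append("no credential: pass -c <bundle>")
    return problems

def redact(text, bundle):
    """Mask every bundle value so a child that echoes a secret cannot leak it to the log."""
    for value in bundle.values():
        text = text.replace(value, "***")
    return text

def run_with_bundle(bundle, cmd):
    """Run cmd with the bundle keys only in its environment (nothing written to disk),
    relay its output with secret values masked, and return (exit code, masked stdout)."""
    env = {**os.environ, **bundle}
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True)
    out = redact(proc.stdout, bundle)
    sys.stdout.write(out)
    sys.stderr.write(redact(proc.stderr, bundle))
    return proc.returncode, out

def child_echo(var):
    """Command for a child process that prints one environment variable (test helper)."""
    return [sys.executable, "-c", f"import os; print(os.environ[{var!r}])"]

if __name__ == "__main__":
    problems = check_inputs(os.environ, credential="myapp-prod")
    if problems:
        for p in problems:
            print("movitera:", p, file=sys.stderr)
        sys.exit(1)  # fail closed: the pipeline stops before anything is deployed
    code, _ = run_with_bundle(SAMPLE_BUNDLE, child_echo("DATABASE_URL"))
    sys.exit(code)
```

Run with MOVITERA_TOKEN and MOVITERA_TEAM set to see the child's echoed secret arrive in the log as `***`; unset either and the script exits non-zero before running the child.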
