QuantumAPI

CI/CD Integrations

QuantumVault ships first-party plugins so your pipelines and clusters can fetch secrets at runtime without ever storing them in plaintext. The CI/CD side covers GitHub Actions, GitLab CI, and Azure DevOps; the runtime side adds a Kubernetes operator that materializes secrets straight into native Secret objects.

Every plugin authenticates with a single QuantumAPI API key (no JWT, no second credential), looks up secrets either by id or by name, and masks the resolved values in the job log so they cannot be echoed accidentally.

Azure DevOps

QuantumAPISecrets@1 task — service connection or secure-file auth, retry, name fallback, double-masked variables.

GitHub Actions

victorZKov/quantumapi-secrets-action@v1 — published on the GitHub Actions Marketplace. Dotenv output file + job-scoped cache (cache key = SHA-256 of sorted secret map).

GitLab CI

Hosted GitLab CI template — sources resolved values from QAPI_SECRETS_FILE; job-local QAPI_INJECTED_<VAR> memo markers.

Azure DevOps — QuantumAPISecrets@1

The Azure DevOps task is shipped today as source under src/integrations/azure-devops/ in the QuantumAPI monorepo — Visual Studio Marketplace publication is tracked at the bottom of this page. Once installed in your pipeline library, add a single step to your azure-pipelines.yml. The task is written in TypeScript, ships with 37 unit tests, and supports automatic retry with exponential backoff (default 3 attempts).

The API key can be supplied through three sources, in priority order: a Service Connection at organisation level (recommended for teams), a Secure File uploaded to the pipeline library, or a pipeline variable / variable group entry. Secrets in the map can reference an id (sec_…) or a name (name:my-secret) — name lookups fall back to list+filter automatically.

azure-pipelines.yml
steps:
  - task: QuantumAPISecrets@1
    inputs:
      # Service connection (recommended) — stores qapi_sk_... at the org level
      serviceConnection: 'quantumapi-prod'
      # Or pull the API key from a Secure File:
      # secureFile: 'quantumapi.key'
      # Or a pipeline variable / variable group:
      # apiKey: $(QAPI_API_KEY)

      # Either fetch by id OR by name (with automatic fallback to list+filter)
      secrets: |
        DATABASE_URL = sec_abc123
        STRIPE_KEY   = name:stripe-prod
      retryCount: 3        # default 3
      retryDelayMs: 500    # exponential backoff

Resolved values are double-masked in the job log via both tl.setSecret() and tl.setVariable(…, true). Even if a script echoes a variable explicitly, Azure DevOps will print *** instead of the secret.

GitHub Actions — victorZKov/quantumapi-secrets-action@v1

The official GitHub Action fetches QuantumVault secrets at job time and exposes them either as masked job environment variables or as a dotenv-style file your subsequent steps can source.

.github/workflows/deploy.yml
steps:
  - name: Fetch QuantumAPI secrets
    id: qapi
    uses: victorZKov/quantumapi-secrets-action@v1
    with:
      api-key: ${{ secrets.QAPI_API_KEY }}
      secret-paths: |
        DATABASE_URL=prod/db/url
        STRIPE_KEY=prod/stripe/api_key
      # Optional: write the resolved values to a dotenv-style file (mode 0600).
      # Caller is responsible for cleanup.
      secrets-file: ${{ runner.temp }}/qapi.env
      # Optional: memoize the resolved values for the duration of the job.
      # Cache key is SHA-256 of the sorted KEY=path map.
      cache: true

  - name: Use the secrets file
    run: |
      set -a; source "${{ runner.temp }}/qapi.env"; set +a
      ./deploy.sh
    # Skip if a previous step in this job already fetched the same set of paths
    if: steps.qapi.outputs.cache-hit != 'true'

Two outputs are exposed: injected-vars is the comma-separated list of environment variable names that were set, and cache-hit is true when a previous step in this job already fetched the same set of paths. The cache key is the SHA-256 of the sorted KEY=path map, so adding, removing, or re-pointing any path automatically invalidates it. The path you pass to secrets-file is yours to read back — there is no separate output for it.
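To see when a cache hit is possible, here is an added example (not the action's own code) that recomputes the job-scoped cache key as the text defines it, a SHA-256 over the sorted KEY=path map; the exact canonical form the action uses (entries trimmed, blank lines dropped, newline-joined) is an assumption, and the sample maps are constructed.

```shell
#!/bin/sh
# Added example, not the action's own code: predict the job-scoped cache key
# (SHA-256 of the sorted KEY=path map).  Canonical form is an assumption:
# whitespace trimmed, blank lines dropped, lines sorted bytewise, newline-joined.

_qapi_sha256() {
  # Hex digest of stdin, using whichever SHA-256 tool the runner provides.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

qapi_cache_key() {
  # $1: the multi-line secret-paths map exactly as written under `with:`.
  printf '%s\n' "$1" \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -v '^$' \
    | LC_ALL=C sort \
    | _qapi_sha256
}

qapi_cache_hit() {
  # Mirrors the cache-hit output: true only when both maps hash to the same key.
  [ "$(qapi_cache_key "$1")" = "$(qapi_cache_key "$2")" ]
}

# Constructed sample maps: B is A reordered with stray whitespace and a blank line,
# C re-points one path from prod to staging.
MAP_A='DATABASE_URL=prod/db/url
STRIPE_KEY=prod/stripe/api_key'
MAP_B='  STRIPE_KEY=prod/stripe/api_key

DATABASE_URL=prod/db/url  '
MAP_C='DATABASE_URL=staging/db/url
STRIPE_KEY=prod/stripe/api_key'

qapi_cache_hit "$MAP_A" "$MAP_B" && echo "A/B: cache-hit (order and whitespace do not matter)"
qapi_cache_hit "$MAP_A" "$MAP_C" || echo "A/C: cache miss (a re-pointed path changes the key)"
```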

GitLab CI — hosted template

GitLab pipelines pull a hosted template (raw URL, version-pinned tag) and only need to set QAPI_API_KEY plus a list of secrets to resolve. The template injects resolved values into the job environment.

.gitlab-ci.yml
include:
  - remote: 'https://docs.quantumapi.eu/integrations/gitlab-ci/v0.1.1.yml'

deploy:
  stage: deploy
  extends: .quantumapi-secrets
  variables:
    QAPI_API_KEY: $QAPI_API_KEY  # masked CI/CD variable
    QAPI_SECRET_PATHS: |
      DATABASE_URL=prod/db/url
      STRIPE_KEY=prod/stripe/api_key
    # Optional: write resolved values to a dotenv file the job can source (mode 0600).
    QAPI_SECRETS_FILE: '$CI_PROJECT_DIR/qapi.env'
  script:
    # Each resolved secret is also exported as QAPI_INJECTED_<VAR>=1 for in-job memoization
    - set -a && source "$QAPI_SECRETS_FILE" && set +a
    - ./deploy.sh

Two design choices worth knowing: QAPI_SECRETS_FILE writes the resolved values to a dotenv file (instead of inline export statements, which avoids a latent subshell-export bug in older shells), and the template exports QAPI_INJECTED_<VAR>=1 markers so subsequent steps inside the same job can detect already-loaded secrets and skip duplicate API calls.
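The following added example (not the hosted template's code) shows both mechanisms together: a dotenv file created with mode 0600 whose values are quoted so `source` reads them back intact, and QAPI_INJECTED_<VAR>=1 markers that make a second call for an already-loaded variable a no-op. Function names are assumptions and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not the hosted template's code: write resolved secrets to a 0600
# dotenv file and emit QAPI_INJECTED_<VAR>=1 memo markers so a later step in the
# same job can skip variables that are already loaded.  Names are assumptions.

qapi_valid_name() {
  # Accept only POSIX variable names so a bad map entry cannot smuggle shell into the file.
  printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'
}

qapi_quote() {
  # Single-quote a value for a file that will be sourced; embedded quotes become '\''.
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

qapi_write_dotenv() {
  # $1: dotenv path; remaining args: VAR=value pairs with values already resolved.
  file=$1; shift
  # Recreate the file under umask 077 so it is 0600 from the first byte, not chmod'ed later.
  ( umask 077 && rm -f "$file" && : > "$file" ) || return 1
  for pair in "$@"; do
    name=${pair%%=*}; value=${pair#*=}
    qapi_valid_name "$name" || { echo "refusing invalid variable name: $name" >&2; return 1; }
    # Marker already exported by an earlier step in this job: nothing to write or fetch.
    if eval "[ \"\${QAPI_INJECTED_$name:-}\" = 1 ]"; then continue; fi
    printf '%s=%s\n' "$name" "$(qapi_quote "$value")" >> "$file"
    printf 'QAPI_INJECTED_%s=1\n' "$name" >> "$file"
  done
}

# Demo in a subshell so the markers do not leak into the calling shell.
# Constructed values only; the secret itself is never echoed.
(
  tmp=$(mktemp)
  qapi_write_dotenv "$tmp" "DATABASE_URL=postgres://app:p'ss wd@db/prod" "STRIPE_KEY=sk_test_CONSTRUCTED"
  set -a; . "$tmp"; set +a      # same pattern as the job's script: section above
  echo "loaded ${#DATABASE_URL} bytes into DATABASE_URL, marker=$QAPI_INJECTED_DATABASE_URL"  # marker=1
  rm -f "$tmp"
)
```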

Publication status

Publication of the four CI/CD integrations across their respective marketplaces is tracked in #676. As of v0.20.x, status is:

  • GitHub Action — published. Listed on the GitHub Actions Marketplace at victorZKov/quantumapi-secrets-action; pin to @v1 (rolling) or @v1.0.0 (immutable). Source-of-truth lives in the QuantumAPI monorepo and is mirrored on every gh-action/v* tag.
  • GitLab CI template — published. Pinned URL: https://docs.quantumapi.eu/integrations/gitlab-ci/v0.1.1.yml. Include it via include: { remote: ... } as shown above.
  • Kubernetes operator — multi-arch image at ghcr.io/victorzkov/quantumapi-k8s-operator (linux/amd64 + linux/arm64), Sigstore keyless-signed (verifiable with cosign verify). Apply via kubectl apply -f https://docs.quantumapi.eu/integrations/k8s-operator/v0.1.0/install.yaml (or .../latest/install.yaml for the rolling stable channel).
  • Azure DevOps task — published. Listed on the Visual Studio Marketplace at https://marketplace.visualstudio.com/items?itemName=QuantumAPI.quantumapi-secrets. Install via the Marketplace UI or pin QuantumAPISecrets@1 in your azure-pipelines.yml.
  • Terraform provider — code shipped, HashiCorp Registry publication pending (GPG signing + goreleaser). Use the source repo until the registry listing lands.