How should a solo-developer monorepo unify authentication and secret management across four surfaces — Cloudflare Workers, Google Apps Script (clasp), GitHub Actions CI, and a local macOS dev environment — to eliminate credential sprawl and "auth expired without warning" failures?

[Scope: consolidation strategy and credential lifecycle for a 1-dev team. NOT end-user auth, NOT the compliance posture of stored business data, NOT external accounting-SaaS (freee/MF) OAuth.]

Context

A single Git monorepo with these deploy/automation surfaces, each authenticating differently:

  • GAS deploy (clasp): user OAuth token in a GitHub secret and ~/.clasprc.json; needs periodic manual re-auth.
  • Local Google API scripts (Sheets/Drive): OAuth2 token.json + refresh token; observed silently expired.
  • LLM API keys (Anthropic, Gemini, OpenAI): same keys duplicated across .env, macOS Keychain, GitHub Actions secrets, a LiteLLM gateway config, and wrangler secrets (up to 5 places).
  • Cloudflare (Workers/Pages deploy): API token in GitHub secrets + wrangler.
  • Internal Decision-Pipeline Worker: protected by HTTP Basic auth (user:password) passed from CI and a Keychain-sourced local script.

Pain: secrets duplicated with no single source of truth; some auth needs interactive/browser flows CI cannot do; recurring manual re-auth; expiry noticed only after failure; the Basic-auth deploy path is opaque. Constraints: solo dev, cost-sensitive (prefer free tiers / native to Google+Cloudflare+GitHub), low operational overhead.

Questions

  1. Single-source-of-truth tool: Compare Doppler, Infisical (incl. self-host), Google Secret Manager, and Cloudflare Secrets Store for syncing the same secrets to GitHub Actions, a local shell, and wrangler. Score each on sync coverage of those three consumers, solo-dev cost, setup/operational overhead, and blast radius if the tool is down.
  2. Stopping recurring OAuth re-auth: Quantify how the Google OAuth consent-screen publishing status (Testing vs Production vs Internal) affects refresh-token lifetime, and when a service account (incl. domain-wide delegation) can replace user OAuth for the Apps Script API and Sheets/Drive.
  3. Keyless CI: Is GitHub Actions OIDC + Google Workload Identity Federation (and scoped Cloudflare tokens) worthwhile to remove long-lived CI secrets, given clasp deploy and Workers deploy specifically? Identify hard blockers (e.g. clasp not supporting service-account/OIDC).
  4. Replacing internal Basic auth: Best practice to protect an internal Cloudflare-hosted Worker called from CI and locally — Cloudflare Access service tokens vs Basic auth vs mTLS — and how each integrates with GitHub Actions.
  5. Proactive expiry detection: Patterns to detect credential/token expiry before breakage (canary checks, expiry scanning, scheduled validation) and alert (Slack / GitHub issue) for a solo-dev setup.
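
A small offline illustration of the expiry-scanning pattern asked about in Question 5, added here as an example and not part of the original brief: it reads the `expiry` field of a google-auth token.json, the `expires_on` of a Cloudflare `GET /user/tokens/verify` response, tracks a refresh token's lifetime from a recorded issue date, and renders the alert body a scheduled CI job would post to Slack or a GitHub issue. The sample JSON, dates, the 7-day warning window and the `max_days` value are constructed assumptions, not measured lifetimes.

```python
from __future__ import annotations
import json
from datetime import datetime, timedelta, timezone

def parse_rfc3339(ts: str) -> datetime:
    # google-auth's token.json and Cloudflare's API both emit UTC timestamps ending in 'Z'.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))
def google_access_token_expiry(token_json: str) -> datetime:
    # 'expiry' is the short-lived access token's; the refresh token has no expiry field here.
    return parse_rfc3339(json.loads(token_json)["expiry"])
def cloudflare_token_expiry(verify_json: str) -> datetime | None:
    # GET /user/tokens/verify returns result.expires_on; null means no expiry is set.
    exp = json.loads(verify_json)["result"].get("expires_on")
    return parse_rfc3339(exp) if exp else None
def classify(expiry: datetime | None, now: datetime, warn_days: int) -> str:
    if expiry is None:
        return "OK"  # never expires; still rotate on a schedule
    if expiry <= now:
        return "EXPIRED"
    return "WARN" if expiry - now <= timedelta(days=warn_days) else "OK"

def scan(registry: list[dict], now: datetime) -> list[dict]:
    # Each entry carries either an explicit 'expiry' or an 'issued_at' plus 'max_days'.
    findings = []
    for e in registry:
        exp = e.get("expiry")
        if exp is None and "issued_at" in e:
            exp = e["issued_at"] + timedelta(days=e["max_days"])
        findings.append({"name": e["name"], "expiry": exp, "status": classify(exp, now, e.get("warn_days", 7))})
    return findings

def alert_text(findings: list[dict]) -> str | None:
    # Markdown body for a GitHub issue or Slack message; None when everything is OK.
    bad = [f for f in findings if f["status"] != "OK"]
    if not bad:
        return None
    return "\n".join(["Credential expiry canary:"] +
                     [f"- {f['name']}: {f['status']} (expires {f['expiry'].date()})" for f in bad])
# Constructed sample inputs (placeholders, not real credentials) and a fixed 'now'.
SAMPLE_GOOGLE = '{"token": "ya29.PLACEHOLDER", "refresh_token": "1//PLACEHOLDER", "expiry": "2025-03-01T10:30:00Z"}'
SAMPLE_CF = '{"success": true, "result": {"id": "PLACEHOLDER", "status": "active", "expires_on": "2025-03-05T00:00:00Z"}}'
NOW = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
def run_demo(now: datetime = NOW) -> list[dict]:
    registry = [
        {"name": "google access token", "expiry": google_access_token_expiry(SAMPLE_GOOGLE), "warn_days": 0},
        {"name": "google refresh token", "issued_at": datetime(2025, 2, 20, tzinfo=timezone.utc), "max_days": 7},
        {"name": "cloudflare api token", "expiry": cloudflare_token_expiry(SAMPLE_CF)},
    ]
    return scan(registry, now)
```

In a real setup the registry would be loaded from a small checked-in file and the scan run from a scheduled GitHub Actions job, with the non-None `alert_text` posted as the issue or Slack body.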

Output

  • Executive summary (3–5 key findings + decisive recommendations)
  • Per-question analysis with concrete, measurable answers
  • A decision matrix table for Question 1 (rows = tools, columns = the four criteria)
  • Priority ranking: must-have / should-have / nice-to-have
  • References with URLs (official docs preferred)