This document provides step-by-step instructions for setting up 1Password integration with Terraphim AI's auto-update system.
Terraphim AI uses 1Password to securely manage:
- Tauri signing keys for desktop application updates
- GitHub release tokens for CI/CD
- All deployment secrets without exposing them in code
- 1Password CLI installed:
  # macOS
  brew install --cask 1password-cli
  # Linux
  curl -sS https://downloads.1password.com/linux/keys/1password.asc | \
    sudo gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg
- 1Password account with admin access
- GitHub repository with admin permissions
The easiest way to set up 1Password integration is to use the automated setup script:
./scripts/setup-1password-secrets.sh

This script will:
- Create the "Terraphim-Deployment" vault
- Generate Tauri signing keys
- Store secrets in 1Password
- Update configuration files
- Provide next steps
If you prefer manual setup or need to troubleshoot:
# Sign in to 1Password CLI
op signin
# Create dedicated vault for deployment secrets
op vault create "Terraphim-Deployment"

# Generate Tauri signing keys
cd desktop
npm run tauri signer generate -- -w tauri-private.key
# Extract public key
npm run tauri signer show-public-key < tauri-private.key

# Store Tauri signing keys
op item create \
--category "API Credential" \
--title "Tauri Update Signing" \
--vault "Terraphim-Deployment" \
--field "label=TAURI_PRIVATE_KEY,type=concealed,value=$(cat tauri-private.key)" \
--field "label=TAURI_KEY_PASSWORD,type=concealed,value=$(openssl rand -base64 32)" \
--field "label=TAURI_PUBLIC_KEY,type=text,value=$(npm run tauri signer show-public-key < tauri-private.key)"
# Store GitHub token
op item create \
--category "API Credential" \
--title "GitHub Release Token" \
--vault "Terraphim-Deployment" \
--field "label=GITHUB_TOKEN,type=concealed,value=YOUR_GITHUB_TOKEN"
# Clean up temporary key file
rm tauri-private.key

- Go to 1Password web interface
- Navigate to Developer Tools > Service Accounts
- Click "Create Service Account"
- Name: "Terraphim CI/CD"
- Description: "Service account for Terraphim AI automated deployments"
- In the service account settings, add vault access:
- Vault: Terraphim-Deployment
- Permissions: Read
- Copy the service account token (starts with 'ops_...')
- Add to GitHub repository secrets:
- Go to repository Settings > Secrets and variables > Actions
- Click "New repository secret"
- Name: OP_SERVICE_ACCOUNT_TOKEN
- Value: [paste the copied token]
# Test 1Password CLI access
op whoami
# Test vault access
op vault get "Terraphim-Deployment"
# Test secret retrieval
op item get "Tauri Update Signing" --vault "Terraphim-Deployment" --field "TAURI_PUBLIC_KEY"
# Test environment injection
op run --env-file=.env.tauri-release -- echo "Secrets loaded successfully"

# Test local build with signing
./scripts/build-with-signing.sh
# Test release script (dry run)
./scripts/release-all.sh 0.2.1 --dry-run

Test the GitHub Actions workflow by creating a test release:
# Create test tag
git tag -a "test-v0.2.0-alpha" -m "Test auto-update setup"
git push origin "test-v0.2.0-alpha"

Monitor the GitHub Actions workflow to ensure:
- 1Password CLI authenticates successfully
- Secrets are injected properly
- Tauri builds and signs correctly
- Release artifacts are created
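The `op run --env-file=.env.tauri-release` step above works because the env file holds `op://vault/item/field` secret references rather than secret values, so it can live in the repository. The script below is an added example, not part of the Terraphim project: it writes a constructed `.env.tauri-release` (the file name is taken from the `op run` step; the item and field names mirror the `op item create` calls in this guide, and the `op://` reference syntax with spaces in item titles is assumed) and lints an env file so that a plaintext token or a reference into some other vault is caught before `op run` ever sees it.

```shell
#!/bin/sh
# Added example, not part of the Terraphim project: a lint for the env file that
# `op run --env-file=.env.tauri-release` consumes. Every value must be an
# `op://<vault>/<item>/<field>` secret reference, so the file can be committed
# without ever holding a secret. Item and field names mirror the `op item
# create` calls in this guide; the file name is assumed from the `op run` step.

# Write a constructed example env file (secret references only, no secret values).
write_example_env() {
  cat > "$1" <<'EOF'
# Resolved by `op run` at build time; this file contains references, not secrets.
TAURI_PRIVATE_KEY=op://Terraphim-Deployment/Tauri Update Signing/TAURI_PRIVATE_KEY
TAURI_KEY_PASSWORD=op://Terraphim-Deployment/Tauri Update Signing/TAURI_KEY_PASSWORD
TAURI_PUBLIC_KEY=op://Terraphim-Deployment/Tauri Update Signing/TAURI_PUBLIC_KEY
GITHUB_TOKEN=op://Terraphim-Deployment/GitHub Release Token/GITHUB_TOKEN
EOF
}

# validate_env_refs FILE [VAULT]
# Exit status 0 when every assignment is a well-formed op:// reference into
# VAULT (default Terraphim-Deployment); 1 if any line holds a plaintext value,
# points at another vault, or is malformed. Problems are reported on stderr.
validate_env_refs() {
  file=$1
  vault=${2:-Terraphim-Deployment}
  rc=0
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      ''|'#'*) continue ;;                      # blank lines and comments
    esac
    name=${line%%=*}
    value=${line#*=}
    case "$name" in
      ''|*[!A-Za-z0-9_]*)
        echo "line $n: malformed variable name '$name'" >&2
        rc=1
        continue ;;
    esac
    case "$value" in
      "op://$vault/"*/*) ;;                      # op://<vault>/<item>/<field>
      "op://$vault/"*)
        echo "line $n: $name is not of the form op://vault/item/field" >&2
        rc=1 ;;
      op://*)
        echo "line $n: $name references a vault other than $vault" >&2
        rc=1 ;;
      *)
        echo "line $n: $name holds a plaintext value; use an op:// reference" >&2
        rc=1 ;;
    esac
  done < "$file"
  return $rc
}

# Stand-alone use: `sh lint-env-refs.sh demo` writes and checks the example file.
case "${1:-}" in
  demo)
    write_example_env .env.tauri-release
    validate_env_refs .env.tauri-release && echo "all values are op:// references"
    ;;
esac
```

Running the lint as a pre-commit hook or as the first CI step gives a clear failure on the one mistake this setup is meant to prevent: a real token pasted into the env file in place of its reference.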
- Build and install the desktop app locally
- Create a new release
- Launch the app and check for updates via the menu
- Verify update process works end-to-end
# Test CLI update check
./target/release/terraphim_server --update-check
# Test CLI update installation
./target/release/terraphim_server --update

- Service accounts have read-only access to specific vaults
- No personal credentials in CI/CD environments
- Regular key rotation schedule
- Monitor 1Password access logs
- Review service account usage regularly
- Set up alerts for unusual access patterns
Rotate signing keys every 6 months or if compromised:
# Generate new keys
./scripts/setup-1password-secrets.sh
# Update GitHub secrets if needed
# Test with a pre-release build
# Deploy new keys with next release

- "Not authenticated with 1Password"
  op signin
- "Cannot access vault 'Terraphim-Deployment'"
  # Check vault exists
  op vault list
  # Verify permissions
  op vault get "Terraphim-Deployment"
- "Failed to inject secrets"
  # Check template file exists
  ls desktop/src-tauri/tauri.conf.json.template
  # Verify secret references
  op item get "Tauri Update Signing" --vault "Terraphim-Deployment"
- "GitHub Actions failing"
  - Verify OP_SERVICE_ACCOUNT_TOKEN is set in repository secrets
  - Check service account has proper vault access
  - Review GitHub Actions logs for specific errors
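The troubleshooting entries above each correspond to one stage of access: token, authentication, vault, item. The script below is an added example, not Terraphim project code: a pre-flight check for a CI job that runs those stages in order using the same `op` commands as this guide and names the first one that fails, so a red workflow points straight at the matching entry. It assumes the 1Password CLI (`op`) is on PATH and the vault and item titles used in this guide; no secret value is ever printed.

```shell
#!/bin/sh
# Added example, not Terraphim project code: a CI pre-flight that runs the
# checks from this guide in order and names the first stage that fails, so the
# failure maps to a troubleshooting entry. Assumes the 1Password CLI (`op`) is
# on PATH and the vault/item titles used in this guide.

VAULT="Terraphim-Deployment"
ITEM="Tauri Update Signing"

# check_token_format TOKEN: 0 if TOKEN carries the 'ops_' service-account prefix
# this guide describes, 1 otherwise (empty, or some other credential type).
check_token_format() {
  case "$1" in
    ops_?*) return 0 ;;
    *) return 1 ;;
  esac
}

# preflight: prints "ok" and returns 0 when token, authentication, vault and
# item are all reachable; otherwise prints "<stage>: <hint>" and returns 1.
# Only the stage name reaches stdout; the item's fields are never printed.
preflight() {
  if ! check_token_format "${OP_SERVICE_ACCOUNT_TOKEN:-}"; then
    echo "token: OP_SERVICE_ACCOUNT_TOKEN is unset or not an 'ops_' service-account token"
    return 1
  fi
  if ! op whoami >/dev/null 2>&1; then
    echo "auth: not authenticated with 1Password (token rejected; see 'op whoami')"
    return 1
  fi
  if ! op vault get "$VAULT" >/dev/null 2>&1; then
    echo "vault: cannot access vault '$VAULT' (grant the service account read access)"
    return 1
  fi
  item=$(op item get "$ITEM" --vault "$VAULT" 2>/dev/null) || item=""
  if [ -z "$item" ]; then
    echo "item: cannot read '$ITEM' from '$VAULT' (check item title and vault)"
    return 1
  fi
  echo "ok"
}

# Stand-alone use as a workflow step: `sh preflight.sh run` exits non-zero with
# the failing stage on stdout before any build or signing step runs.
case "${1:-}" in
  run) preflight ;;
esac
```

Putting this ahead of the build step keeps a misconfigured token or vault permission from surfacing as an opaque signing error several minutes later in the job.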
# Check 1Password CLI version
op --version
# List all vaults
op vault list
# List items in deployment vault
op item list --vault "Terraphim-Deployment"
# Test service account locally
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
op item get "Tauri Update Signing" --vault "Terraphim-Deployment"

- 1Password CLI Documentation
- 1Password Service Accounts
- Tauri Updater Guide
- GitHub Actions with 1Password
If you encounter issues with the 1Password setup:
- Check the troubleshooting section above
- Review the GitHub Actions logs
- Verify all prerequisites are met
- Create an issue in the repository with:
- Steps to reproduce
- Error messages (without sensitive data)
- Environment details (OS, 1Password CLI version, etc.)