feat: restore direnv (env+secrets) alongside mise (tools)#33
Merged
Conversation
Reverses PR #32's direnv exclusion. Studying the real infra repo (vaintrub/infra) showed a deliberate committed .envrc using direnv-1password (from_op) to inject Cloudflare/Hetzner/DO/GitHub provider tokens + OP_SERVICE_ACCOUNT_TOKEN + AWS SSO profile — which mise cannot replace (no native op://; mise hooks don't unload on cd-out) and 1Password shell plugins don't cover (they auth CLI binaries, not terraform-provider env). Removing direnv broke that repo. mise's 'don't use both' applies only when both manage the same tool; an env/secrets-only direnv is officially safe. Division: mise = tool versions, direnv = per-project env + secrets; never direnv layout/PATH_add for tools. Adds aqua:direnv/direnv to mise + direnv hook at end of dot_zshrc (after prompt + ~/.zshrc_local, per direnv docs).
direnv prints 'direnv: loading …/.envrc' on shell start in an .envrc dir (tmux panes, SSH into a project). With instant prompt 'verbose' that benign output triggers a console-output warning every time. 'quiet' keeps instant prompt on without the false warning. Completes the direnv coexistence.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Reverses #32. Real-world study of
vaintrub/infra(the IaC repo) showed direnv is genuinely needed, and our exclusion broke it.Finding
infra/.envrc(committed, SHA-pinned) uses direnv-1passwordfrom_opto injectCLOUDFLARE_API_TOKEN/HCLOUD_TOKEN/DIGITALOCEAN_TOKEN/GH_TOKENfromop://Infrastructure/..., plusOP_SERVICE_ACCOUNT_TOKEN(headless-safe) +AWS_PROFILE(SSO). Tools come from.tool-versions(mise).Why mise/plugins can't replace it
op://; mise[hooks] enterleak (no cleanup on cd-out) — unsafe for secrets.Why it's safe
mise docs: env-only direnv is fine; conflict is only when both manage the same tool. Division: mise = tool versions, direnv = env + secrets; never direnv layout/PATH_add.
Change
aqua:direnv/direnvadded to mise (static Go binary, arm64/glibc-safe).direnv hook zshat end ofdot_zshrc(after prompt +~/.zshrc_local).Verified:
zsh -nclean, mise renders valid TOML,aqua:direnv/direnvresolves (2.37.1).