Kamal + GitHub Actions: Integrating 1Password CLI for deployments

by Elvinas Predkelis

February 12, 2025

If you've tried using Kamal, chances are you've scratched your head trying to set up your application secrets nicely for different environments. Running kamal deploy works great when deploying manually from your machine, but it doesn't "just work" when deploying via CI/CD workflows.

This lesson will shed some light on setting up a smooth deployment process. We'll use 1Password CLI to achieve this.

Prerequisites

For the sake of brevity, I will assume that you've already used Kamal and tried setting up a CI/CD workflow. I will also assume you're already using 1Password — it's an amazing product, and our team uses it daily.

If not, try heading to Kamal's website first and watch the video on how it works. It's an amazing starting point.


Setting up a service account

This part of the article is rather straightforward. But just in case, these are the steps to take:

  1. Go to your 1Password dashboard. It should look something like https://<your-company>.1password.com
  2. Navigate to Developer tools > Directory > Service Account.
  3. Set up a service account by giving it a name (e.g. kamal-deployment) and granting it access.

After you're done, you should see an access token that we will later use. Copy over the value before you close the window.


Setting up GitHub Actions

Firstly, you should add your service account token to your repository secrets.

  1. Go to Repository > Settings > Secrets and variables > Actions > New repository secret.
  2. Set the secret name as OP_SERVICE_ACCOUNT_TOKEN.
  3. Paste in the service account token as the secret value.

After you're done, go ahead and tweak your GitHub Actions workflow to include these steps.

# .github/workflows/ci.yml
- name: Install 1Password CLI
  uses: 1password/install-cli-action@v1

- name: Deploy
  id: kamal-deploy
  env:
    # Service account token from the repository secrets; the 1Password CLI reads it from the environment
    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    VERSION: ${{ github.sha }}
  uses: nick-fields/retry@v3
  with:
    timeout_minutes: 10
    max_attempts: 3
    retry_on: error
    command: bundle exec kamal deploy --version=$VERSION

That's it! You should now be able to deploy your application, and it will fetch the credentials from 1Password on the go.
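A preflight check for the Deploy step above, as an added example that is not part of the original article: it fails the job before the retry loop starts if the 1Password credentials in the environment are unusable. The function names check_op_env and preflight are hypothetical; it assumes the 1Password CLI conventions that service account tokens begin with ops_ and that OP_CONNECT_* variables take precedence over OP_SERVICE_ACCOUNT_TOKEN.

```shell
#!/usr/bin/env bash
# Added example (not from the article): preflight for the Deploy step.
# check_op_env and preflight are hypothetical names. Nothing here prints the token.

# Echoes "ok" and returns 0 when the environment looks usable; otherwise
# echoes a reason and returns a distinct non-zero code.
check_op_env() {
  # Empty when the repository secret is missing, or when the run was triggered
  # from a fork (GitHub does not pass repository secrets to those runs).
  if [ -z "${OP_SERVICE_ACCOUNT_TOKEN:-}" ]; then
    echo "OP_SERVICE_ACCOUNT_TOKEN is empty or unset"; return 1
  fi
  # Service account tokens start with "ops_"; anything else is likely a
  # different credential pasted into the secret by mistake.
  case "$OP_SERVICE_ACCOUNT_TOKEN" in
    ops_?*) ;;
    *) echo "value does not look like a service account token"; return 2 ;;
  esac
  # A stray space or newline from copy-paste corrupts the token.
  case "$OP_SERVICE_ACCOUNT_TOKEN" in
    *[[:space:]]*) echo "token contains whitespace"; return 3 ;;
  esac
  # Connect credentials take precedence over a service account token, so a
  # leftover OP_CONNECT_* variable would silently switch the auth path.
  if [ -n "${OP_CONNECT_HOST:-}" ] || [ -n "${OP_CONNECT_TOKEN:-}" ]; then
    echo "OP_CONNECT_HOST/OP_CONNECT_TOKEN set; they override the service account"; return 4
  fi
  echo "ok"
}

# Fails the job early with a GitHub Actions error annotation.
preflight() {
  local reason
  if ! reason=$(check_op_env); then
    echo "::error::1Password preflight failed: $reason" >&2
    return 1
  fi
  # Live check: asks 1Password who the token belongs to, reads no secrets.
  if command -v op >/dev/null 2>&1 && ! op whoami >/dev/null 2>&1; then
    echo "::error::1Password rejected the service account token" >&2
    return 1
  fi
}
```

To use it, save the functions to a script in the repository, then source it and call preflight in a step placed after the CLI install and before Deploy, with the same OP_SERVICE_ACCOUNT_TOKEN env entry.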


Wrapping up

Hopefully this was helpful to you. Here at Primevise, we manage numerous applications for both our clients and our own products. The introduction of 1Password has streamlined our deployment process while keeping everything nice and tidy.
