Motivation
home/.chezmoi.toml.tmpl calls onepasswordRead unconditionally for identity values (email, name, GitHub user) and the hishtory server. This means the source state cannot even be rendered without the op CLI installed and an unlocked vault.
For normal operation this is the desired behavior: if 1Password is not available, chezmoi should fail loudly, not silently degrade. That stays.
But it makes it impossible to exercise the templates in any environment without vault access — most notably CI. A bypass mode would unlock:
- Template-render smoke tests in GitHub Actions (catch broken templates before they hit a real machine)
- Potentially a full chezmoi init --apply end-to-end test on fresh macOS/Linux runners
- Local experimentation without touching the vault
Proposal
- Every secret-backed value gets an inline default defined next to its onepasswordRead call (placeholder values like test@example.invalid, testuser, etc.).
- A single control variable (e.g. env var DOTFILES_FAKE_SECRETS=1) forces the defaults: 1Password is bypassed entirely, op is never invoked, not even attempted.
- Without the variable, behavior is unchanged: op missing/locked → hard failure.
Explicitly not a fallback-on-error mechanism: defaults are only used when explicitly requested. Silent fallback would mask real vault problems on real machines.
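As an added sketch of the dict-of-defaults variant (this is not the repository's current .chezmoi.toml.tmpl; the op:// references, the data keys and the hishtory field name are assumptions), the whole switch can live in a few lines at the top of the config template:

```toml
{{/* Added example, not the repository's own .chezmoi.toml.tmpl.
     The op:// references, the data keys and the hishtory server field are assumptions. */}}

{{/* Bypass is on only when the variable is exactly "1"; unset or "0" keeps normal behaviour. */}}
{{- $fake := eq (env "DOTFILES_FAKE_SECRETS") "1" -}}

{{/* Secret references, resolved through op only when the bypass is off. */}}
{{- $refs := dict
      "email"          "op://Personal/identity/email"
      "name"           "op://Personal/identity/name"
      "githubUser"     "op://Personal/identity/github-user"
      "hishtoryServer" "op://Personal/hishtory/server" -}}

{{/* Placeholder values for the bypass. Deliberately unreal (.invalid is a reserved TLD). */}}
{{- $defaults := dict
      "email"          "test@example.invalid"
      "name"           "Test User"
      "githubUser"     "testuser"
      "hishtoryServer" "https://hishtory.example.invalid" -}}

{{/* Resolve every key once. The onepasswordRead call sits inside the else branch, so with
     DOTFILES_FAKE_SECRETS=1 the template engine never evaluates it and op is never executed.
     Without the variable, a missing or locked op still makes onepasswordRead fail the render. */}}
{{- $values := dict -}}
{{- range $key, $ref := $refs -}}
{{-   if $fake -}}
{{-     $_ := set $values $key (get $defaults $key) -}}
{{-   else -}}
{{-     $_ := set $values $key (onepasswordRead $ref) -}}
{{-   end -}}
{{- end -}}

[data]
    email      = {{ get $values "email" | quote }}
    name       = {{ get $values "name" | quote }}
    githubUser = {{ get $values "githubUser" | quote }}

[data.hishtory]
    server = {{ get $values "hishtoryServer" | quote }}
```

Two things worth noting about this shape. First, the bypass has to be an if/else around the call, not a pipeline such as onepasswordRead $ref | default "x": a failed op invocation is a template error that aborts rendering rather than an empty string, and the pipeline form would still execute op, which is exactly what the proposal rules out. Second, keying both dicts by the same names makes a missing default a render error in bypass mode (get returns an empty value, which quote turns into ""), so a CI smoke run such as DOTFILES_FAKE_SECRETS=1 chezmoi execute-template --init < home/.chezmoi.toml.tmpl would show a blank value for any secret that was added without a placeholder.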
Things to investigate
- Best way to express per-call defaults in chezmoi templating: a helper template / wrapper around onepasswordRead that takes (path, default) and checks the env var, vs. a dict of defaults defined once at the top of .chezmoi.toml.tmpl.
- Whether the .install-one-password.sh pre-hook (hooks.read-source-state.pre) should also respect the bypass variable and skip installing op.
- Whether run_onchange_after_keychain-anthropic.sh.tmpl or other scripts that read secrets need the same treatment for a full CI apply to work.
Non-goals
- Changing normal-operation behavior (hard failure without 1Password stays)
- Any kind of automatic/implicit fallback