npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@zorb/secrets

v0.1.1

Published

Secret-loader actions for zorb workflows (set, load-env, load-dotenv, load-file)

Readme

@zorb/secrets

Secret-loader actions for zorb workflows. Each loader registers values into the run-scoped secret table via context.setSecret(name, value); once registered, a secret is referenceable as ${{ secrets.<name> }} in with: / env: and is automatically masked in subsequent step output.

Ships set, load-env, load-dotenv, and load-file. CLI- and SDK-wrapping loaders (load-1password, load-doppler, load-aws, load-vault, load-gcp, load-keychain) ship in follow-up releases.

Install

npm install @zorb/secrets
yarn add @zorb/secrets
pnpm add @zorb/secrets
bun add @zorb/secrets

Actions

@zorb/secrets/set

Register a literal name/value pair. Intended for tests and one-offs — real workflows should use a dedicated loader.

secrets:
  - uses: '@zorb/secrets/set'
    with:
      name: API_KEY
      value: super-secret

…or directly from the CLI:

zorb use @zorb/secrets/set --with name=API_KEY value=super-secret

| Input | Type | Required | Description | | ------- | ------ | -------- | ------------------------------- | | name | string | yes | Secret name | | value | string | yes | Secret value (registered as-is) |

@zorb/secrets/load-env

Promote selected process.env vars into the secret table so they get masked. Useful when CI already injects credentials as env vars.

secrets:
  - uses: '@zorb/secrets/load-env'
    with:
      keys: [STRIPE_KEY, DATABASE_URL]

…or directly from the CLI (single key — use the YAML form for multiple):

zorb use @zorb/secrets/load-env --with keys=STRIPE_KEY

| Input | Type | Required | Default | Description | | ---------- | ------------------ | -------- | ------- | ------------------------------------- | | keys | string | string[] | yes | — | Env var names to promote | | required | boolean | no | true | Error if any named env var is missing |

@zorb/secrets/load-dotenv

Load secrets from one or more .env files.

secrets:
  - uses: '@zorb/secrets/load-dotenv'
    with:
      path: [.env, .env.local]
      only: [API_KEY, DB_URL]

…or directly from the CLI (single path — use the YAML form for multiples):

zorb use @zorb/secrets/load-dotenv --with path=.env

| Input | Type | Required | Default | Description | | ---------- | ------------------ | -------- | ------- | ----------------------------------------------- | | path | string | string[] | no | .env | Path(s) resolved relative to the workflow's cwd | | only | string | string[] | no | — | Only register keys in this list | | except | string | string[] | no | — | Skip keys in this list | | required | boolean | no | true | Error if any listed file is missing |

Supported .env grammar: blank lines + # comments are skipped, export prefix is stripped, double-quoted values interpret \n \r \t \\ \" escapes, single-quoted values are literal, unquoted values are trimmed. Multi-line values and $VAR expansion are not supported — use load-file for richer formats.

@zorb/secrets/load-file

Load secrets from a structured JSON or YAML file. The top level must be a flat object of string/number/boolean values.

secrets:
  - uses: '@zorb/secrets/load-file'
    with:
      path: ./config/secrets.yml

…or directly from the CLI:

zorb use @zorb/secrets/load-file --with path=./config/secrets.yml

| Input | Type | Required | Default | Description | | -------- | ------------------ | -------- | ----------------------- | -------------------------------------------------------------------- | | path | string | yes | — | Path resolved relative to the workflow's cwd | | format | string | no | inferred from extension | json or yaml; needed when the extension isn't .json/.yml/.yaml | | only | string | string[] | no | — | Only register keys in this list | | except | string | string[] | no | — | Skip keys in this list |

Decryption (SOPS, age, gpg) is not yet supported — feed load-file already-decrypted plaintext. Decryptor support ships in a follow-up.

Composition

The runner enforces first-write-wins for the secret table. Layer loaders to model local-overrides-prod patterns:

secrets:
  - uses: '@zorb/secrets/load-dotenv' # developer's local .env (wins if present)
    with:
      path: .env.local
      required: false
  - uses: '@zorb/secrets/load-file' # shared team secrets
    with:
      path: ./config/secrets.yml