Developer

    1Password in the shell

    I’ve been digging into 1Password’s command-line client, op, lately. Back in the day, I’d have private shell configuration files where I’d export API tokens or export tokens into my shell as needed. This wasn’t a great situation. First, it was a security risk — if someone got access to my Macs or malicious code started scanning my environment. Second, it created security token management and provenance issues.

    But now, by prefixing my shell commands with op run, I can run those commands with exactly the credentials that they need, with credentials that are stored and managed in 1Password.

    Securing access for GitHub MCP

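    Today, I was trying out the GitHub MCP server in VS Code. The server needs a GitHub Personal Access Token, which is added to the server’s container through an environment variable. This is my VS Code configuration that sources the Personal Access Token through a field called GitHub MCP in my GitHub item in 1Password. When op run launches the command, it resolves the op:// reference in env to the actual token, and docker’s -e GITHUB_PERSONAL_ACCESS_TOKEN (given without a value) passes that variable into the container, so the settings file itself only ever holds the reference: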

    "mcp": {
      "servers": {
        "github": {
          "command": "op",
          "args": [
            "--account",
            "my.1password.com",
            "run",
            "--",
            "docker",
            "run",
            "-i",
            "--rm",
            "-e",
            "GITHUB_PERSONAL_ACCESS_TOKEN",
            "ghcr.io/github/github-mcp-server"
          ],
          "env": {
            "GITHUB_PERSONAL_ACCESS_TOKEN": "op://Private/GitHub/GitHub MCP"
          }
        }
      }
    }
    

    Using .env files

    In our software repos, I’ve also started leaving .env files referencing passwords in our team’s vaults. Here’s an example in our Kubernetes deployment repository. With those .env files, which are shareable on GitHub because they only reference secrets, we can now streamline commands that need secrets, like:

    op run --env-file="op/idfprod.env" -- phalanx secrets audit idfprod
    

    These sorts of .env files are also helpful for setting up local development servers to use real credentials, like for the Ook application. Now I can spin up an Ook service for local development using secrets like this:

    op run --env-file="./square.env" -- nox -s run
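
    Sharing these files is only safe while every value really is a reference. The following check is an added example, not part of the original post or of 1Password's tooling: it assumes a policy that every KEY=VALUE line in a committed env file must be an op://vault/item/field reference, and the function name check_env_refs and the sample file contents are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): fail if an env file holds a
# literal value where a 1Password secret reference is expected.
# Assumed policy: every KEY=VALUE must be op://<vault>/<item>/<field>.

check_env_refs() {
    # $1 = env file. Prints "file:line: NAME ..." per offender, never the value.
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '' | '#'*) continue ;;                  # blank line or comment
            *=*) ;;                                  # looks like an assignment
            *) echo "$1:$n: not a KEY=VALUE line"; rc=1; continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        case "$value" in                             # drop one pair of matching quotes
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        case "$value" in
            op://?*/?*/?*) ;;                        # vault, item and field all present
            *) echo "$1:$n: $name is not an op:// reference"; rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# Constructed sample: the reference from the VS Code configuration above plus
# a made-up literal value that should be rejected.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample env file
GITHUB_PERSONAL_ACCESS_TOKEN="op://Private/GitHub/GitHub MCP"
EXAMPLE_API_TOKEN=literal-value-for-demo
EOF
check_env_refs "$sample" || echo "literal value found; do not commit this file"
rm -f "$sample"
```

    Run as a pre-commit or CI step, a non-zero exit blocks the commit, and because only variable names are printed, a pasted token does not end up in the job log.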
    

    1Password is still worth it for me

    For over a year, there’s been a lot of talk in the Apple community about dropping 1Password in favour of Keychain, especially now that Apple has spun it out into its own app. And for a lot of people, that’s probably the best choice. However, for a developer, 1Password’s CLI can make life much easier and more secure. Besides secret insertion in the environment, I also use 1Password’s SSH agent for things like signing my Git commits and authenticating with GitHub.

    I’m not a vibe coder, but LLMs absolutely have changed my work for the better. Like yesterday I pointed Copilot/Claude 3.7 at my app’s SQLAlchemy models and asked for a Mermaid.js diagram I could drop into my technote. Absolute magic.

    I started kicking the tires on Hatch for a new personal Python project over the weekend. Not only does it supplant setuptools, but it also builds in tox-like functionality for running commands in virtual environments.

    This is what a snow day looks like if you’re a developer.

    [Image: GitHub Status page saying "We are currently experiencing an outage of GitHub products and are investigating."]

    tree.nathanfriend.io is a little website/app that generates an ASCII file tree from indented text (like a mock of the tree CLI). I make these diagrams all the time for docs, and this tool will speed that up a bunch. Via Chris Coyier.

    A consistent problem I have with my development workflow is knowing that I did something before, but not exactly where. What repo did I do that in? What GitHub org even? Perhaps the answer is “Zettelkasten” but where do I find the time for that?

    Between going 100% indie with my software company, my MacBook Pro 2019’s fan’s screaming incessantly, and Apple dropping the M2 Mac Studio, it looks like I’m in the computer market again. Oh, and Chris Lawley says they fixed the fan noise. The question is, what spec?

    GitHub is killing it with the new new code view and search. The confluence of GitHub and VS Code is amazing. Colour me surprised, but Microsoft buying GitHub was such a good thing.

    https://docs.github.com/en/repositories/working-with-files/managing-files/navigating-files-with-the-new-code-view

    I finally used Python’s Walrus := operator to clean up a hacky situation. Maybe I could be more proactively finding uses, but it was fun to have an obvious one appear finally!