Rotate an API key or secret across all locations — local .env files, macOS Keychain, GCP Secret Manager, Kubernetes deployments, and Codemagic CI. Use when: 'rotate key', 'update key', 'key leaked', 'replace secret', 'new API key', 'update GEMINI key', 'rotate secret'.
Install:

```
npx skill4agent add basedhardware/omi rotate-key
```

Usage:

```
/rotate-key <KEY_NAME> <NEW_VALUE>
/rotate-key GEMINI_API_KEY AIzaSyNewKeyHere123
/rotate-key OPENAI_API_KEY sk-new-key-here
```

1. Find every location that references the key:

```bash
# Search the entire repo for the key name (env var references)
grep -r "<KEY_NAME>" --include="*.env*" --include="*.yaml" --include="*.yml" --include="*.py" --include="*.swift" --include="*.rs" --include="*.mjs" --include="*.dart" .
# Search for the old value if known (hardcoded instances)
grep -r "<OLD_VALUE>" .
```

2. Update the macOS Keychain:

```bash
# Check for existing entry (try common service name patterns)
security find-generic-password -s "<key-name-lowercase>" -w 2>/dev/null
# Update: delete old, add new
security delete-generic-password -s "<key-name-lowercase>" 2>/dev/null
security add-generic-password -s "<key-name-lowercase>" -a "<key-name-lowercase>" -w "<NEW_VALUE>"
```

3. Update local .env files:

| Location | Purpose |
|---|---|
| | Desktop app runtime |
| | Desktop app bundled env |
| | Desktop app dev env |
| | Rust backend local |
| | Dev build artifact |
| | Beta build artifact |
| | Python backend local |
| | Flutter app |
| | Flutter app dev |
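For the .env step, an added helper written for this page (not code from the omi repository): it rewrites the `KEY=value` line in each file and then verifies that every file carries the new value and that none still contains the old one anywhere. Unlike a plain `sed` substitution, it returns an error when a file has no such key, so a forgotten location is noticed instead of being skipped silently. It assumes plain `KEY=value` lines (no `export` prefix, no quoting); the file names and values in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example for this page (not code from the omi repository).
# Assumes the .env files use plain KEY=value lines (no "export " prefix, no quoting).

# rotate_env_file FILE KEY NEW_VALUE
#   Rewrites the KEY=... line in FILE in place, leaving every other line untouched.
#   Returns 1 when FILE has no KEY= line, so a missing location is noticed
#   (a plain `sed "s/KEY=.*/KEY=new/"` exits 0 and changes nothing in that case).
rotate_env_file() {
  file=$1; key=$2; new=$3
  grep -q "^${key}=" "$file" || return 1
  tmp=$(mktemp)
  # awk instead of sed: no macOS/GNU "-i" difference, and values containing
  # '/' or '&' need no escaping (values must not contain backslashes).
  if awk -v k="$key" -v v="$new" \
       'index($0, k "=") == 1 { print k "=" v; next } { print }' "$file" > "$tmp"; then
    cat "$tmp" > "$file"   # cat rather than mv keeps the target file's permissions
    rc=0
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# verify_rotation KEY OLD_VALUE NEW_VALUE FILE...
#   Returns 0 only when every FILE has the exact line KEY=NEW_VALUE and none of them
#   still contains OLD_VALUE anywhere (including hard-coded copies on other lines).
verify_rotation() {
  key=$1; old=$2; new=$3; shift 3
  status=0
  for f in "$@"; do
    if [ ! -f "$f" ]; then
      echo "MISSING:     $f"; status=1; continue
    fi
    if grep -qF -- "$old" "$f"; then
      echo "STALE:       $f still contains the old value"; status=1
    fi
    if ! grep -qxF -- "${key}=${new}" "$f"; then
      echo "NOT UPDATED: $f"; status=1
    fi
  done
  return $status
}

# Usage (placeholder paths and values; run after the repo-wide grep in step 1):
#   for f in desktop/.env desktop/.env.app desktop/.env.app.dev; do
#     rotate_env_file "$f" GEMINI_API_KEY "$NEW_VALUE" || echo "no GEMINI_API_KEY in $f"
#   done
#   verify_rotation GEMINI_API_KEY "$OLD_VALUE" "$NEW_VALUE" \
#     desktop/.env desktop/.env.app desktop/.env.app.dev
```

The STALE check is the one that matters after a leak: it catches a second, hard-coded copy of the old value in a file whose `KEY=` line was already updated.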
```bash
# Update each file that contains the key
sed -i '' "s/<KEY_NAME>=.*/<KEY_NAME>=<NEW_VALUE>/" <file>
```

4. Update GCP Secret Manager (add the new version, then disable the old ones so the leaked value can no longer be fetched):

```bash
# Prod (based-hardware)
echo -n "<NEW_VALUE>" | gcloud secrets versions add <KEY_NAME> --data-file=- --project=based-hardware
# Dev (based-hardware-dev) — may need dev service account
echo -n "<NEW_VALUE>" | gcloud secrets versions add <KEY_NAME> --data-file=- --project=based-hardware-dev \
  --account=local-development-joan@based-hardware-dev.iam.gserviceaccount.com
# Disable old versions to prevent use of leaked key
gcloud secrets versions list <KEY_NAME> --project=based-hardware --format="table(name,state)"
gcloud secrets versions disable <OLD_VERSION> --secret=<KEY_NAME> --project=based-hardware
gcloud secrets versions disable <OLD_VERSION> --secret=<KEY_NAME> --project=based-hardware-dev \
  --account=local-development-joan@based-hardware-dev.iam.gserviceaccount.com
```
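An added example for the disable step, written for this page rather than taken from the omi repository: instead of copying `<OLD_VERSION>` off the table by hand, it parses the `gcloud secrets versions list` output and returns every version that is still ENABLED except the newest, so that after the new version has been added exactly one version remains usable. The parser is exercised on constructed sample output; the wrapper that calls `gcloud` is shown but not run here. It assumes that `--format="value(name,state)"` prints one tab-separated line per version with the full resource name ending in `/versions/<N>`; the project and secret names in the sample are placeholders.

```sh
#!/bin/sh
# Added example for this page (not code from the omi repository).

# stale_enabled_versions
#   Reads `gcloud secrets versions list ... --format="value(name,state)"` from stdin
#   (assumed shape: "<resource name>\t<STATE>", one version per line, names ending in
#   /versions/<N>) and prints the numbers of all ENABLED versions except the newest,
#   lowest first. Prints nothing when at most one version is enabled.
stale_enabled_versions() {
  awk -F'\t' '$2 == "ENABLED" { n = split($1, p, "/"); print p[n] }' | sort -n | sed '$d'
}

# disable_stale_versions KEY PROJECT [extra gcloud flags...]
#   Lists the versions of secret KEY in PROJECT and disables every enabled one except
#   the newest. Extra flags (for example --account=...) are passed to both gcloud calls.
#   Set DRY_RUN=1 to print what would be disabled without calling gcloud for it.
disable_stale_versions() {
  key=$1; project=$2; shift 2
  gcloud secrets versions list "$key" --project="$project" "$@" --format="value(name,state)" |
    stale_enabled_versions |
    while read -r v; do
      echo "disabling $key version $v in $project"
      if [ -z "$DRY_RUN" ]; then
        gcloud secrets versions disable "$v" --secret="$key" --project="$project" "$@"
      fi
    done
}

# Constructed sample of the list output (placeholder project and secret), standing in
# for a real gcloud call so the parser can be exercised offline:
SAMPLE_VERSIONS=$(printf 'projects/000/secrets/EXAMPLE_KEY/versions/3\tENABLED
projects/000/secrets/EXAMPLE_KEY/versions/2\tENABLED
projects/000/secrets/EXAMPLE_KEY/versions/1\tDISABLED
')

# On real data:         disable_stale_versions GEMINI_API_KEY based-hardware
# On the sample above:  printf '%s\n' "$SAMPLE_VERSIONS" | stale_enabled_versions   # -> 2
```

Run it once per project (prod and dev are separate secrets), and only after the new version has been added and verified, since the newest version is the one it keeps.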
5. Update Cloud Run services that receive the key as an environment variable:

```bash
# Check current value
gcloud run services describe <SERVICE_NAME> --project=based-hardware --region=us-central1 --format=json | \
  python3 -c "import json,sys; [print(f\"{e['name']}: ...{e.get('value','')[-4:]}\") for e in json.load(sys.stdin)['spec']['template']['spec']['containers'][0].get('env',[]) if '<KEY_NAME>' in e.get('name','')]"
# Update — IMPORTANT: must specify --image with a valid tag, check available tags first
gcloud container images list-tags gcr.io/based-hardware/<SERVICE_NAME> --limit=5 --sort-by=~timestamp --format="table(tags,timestamp.datetime)"
gcloud run services update <SERVICE_NAME> --region=us-central1 --project=based-hardware \
  --image=gcr.io/based-hardware/<SERVICE_NAME>:<VALID_TAG> \
  --update-env-vars "<KEY_NAME>=<NEW_VALUE>"
```

| Service | Region | Key(s) |
|---|---|---|
| | us-central1 | |
6. Restart the Kubernetes deployments that read the secret:

```bash
# Check which deployments use the key
kubectl get deployments -n prod-omi-backend
# Restart relevant deployments (common ones that use env secrets)
kubectl rollout restart deployment/prod-omi-backend-listen -n prod-omi-backend
kubectl rollout restart deployment/desktop-backend -n prod-omi-backend
kubectl rollout restart deployment/prod-omi-pusher -n prod-omi-backend
# Add others as needed based on which services use the key
```

7. Update Codemagic CI (app ID 66c95e6ec76853c447b8bcbb). Locate the variable through the API:

```bash
export CODEMAGIC_API_TOKEN="$(grep CODEMAGIC_API_TOKEN ~/.zshrc | cut -d'"' -f2)"
curl -s -H "x-auth-token: $CODEMAGIC_API_TOKEN" \
  "https://api.codemagic.io/apps/66c95e6ec76853c447b8bcbb" | \
  python3 -c "
import json,sys
data = json.load(sys.stdin)['application']
for v in data.get('appEnvironmentVariables',{}).get('variables',[]):
    if v.get('key') == '<KEY_NAME>':
        print(f'Found: group={v[\"group\"]}, id={v[\"id\"]}, secure={v.get(\"secure\",False)}')
"
```

Dashboard: https://codemagic.io/app/66c95e6ec76853c447b8bcbb/settings

Related names on this page: app_env, OMI_DESKTOP_APP_ENV, desktop_secrets, desktop/.env.app.

The desktop app's bundled env file (desktop/.env.app) is stored base64-encoded in the OMI_DESKTOP_APP_ENV variable of the desktop_secrets group, so it must be re-encoded and replaced after the file changes:

```bash
# 1. Verify desktop/.env.app has the new key value
grep "<KEY_NAME>" desktop/.env.app
# 2. Re-encode
base64 -i desktop/.env.app | tr -d '\n' > /tmp/omi_desktop_app_env_b64.txt
# 3. Update in Codemagic dashboard:
#    - Environment variables tab
#    - Delete old OMI_DESKTOP_APP_ENV (desktop_secrets group)
#    - Add new: name=OMI_DESKTOP_APP_ENV, value=<contents of /tmp/omi_desktop_app_env_b64.txt>,
#      group=desktop_secrets, Secret=checked
```

The file in /tmp holds every secret from desktop/.env.app in recoverable form; delete it once the value has been pasted into the dashboard.

Keys listed alongside desktop/.env.app on this page: OMI_API_URL, DEEPGRAM_API_KEY, GEMINI_API_KEY, MIXPANEL_PROJECT_TOKEN, ANTHROPIC_API_KEY.

8. Verify each location:

```bash
# Keychain
security find-generic-password -s "<key-name-lowercase>" -w
# All .env files
grep "<KEY_NAME>" desktop/.env desktop/.env.app desktop/.env.app.dev desktop/Backend-Rust/.env backend/.env 2>/dev/null
# GCP Secret Manager
gcloud secrets versions list <KEY_NAME> --project=based-hardware --format="table(name,state)"
# Kubernetes rollout status
kubectl rollout status deployment/prod-omi-backend-listen -n prod-omi-backend --timeout=120s
```

Other names referenced on this page: app_env, desktop_secrets, OMI_DESKTOP_APP_ENV, gemini-api-key, based-hardware, based-hardware-dev, desktop-backend, prod-omi-backend-listen, secretKeyRef, .env.app.