Feature Description
Introduce a credentials section in the lola config file (~/.lola/config.yml, ./.lola/config.yml, or via $LOLA_CONFIG / --config) where users declare named credentials bound to specific hosts. Environment variables are resolved at runtime — lola never stores or logs credential values.
# ~/.lola/config.yml
credentials:
  - name: company-gitlab
    url: https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.company.com
  - name: public-github
    url: https://x-access-token:${GITHUB_TOKEN}@github.com
Lola matches credentials to .lola-req entries by hostname and injects auth automatically. .lola-req stays credential-free and safe to commit.
Problem or Use Case
When using lola sync with private repositories that require HTTP auth, lola prompts interactively or fails in CI pipelines. There is no way to provide tokens for HTTP-based sources. SSH already works — this is specifically about HTTP auth in CI and private hosting scenarios.
Proposed Solution
Named credentials in lola config bound to specific hosts. Tokens only flow to their declared host — no risk of exfiltration to other URLs. If a required env variable is unset, lola warns and skips that module without aborting the sync.
Alternatives Considered
Managing credentials directly in lola (too risky), or inline ${VAR} in .lola-req (out of scope — creates exfiltration risk if the file is tampered with).
Complexity Estimate
Complex
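A sketch of the host-bound matching proposed above, as an added example that is not lola's code. The function names, the use of Python, the exact scheme/host/port comparison and the percent-encoding of token values are assumptions of this example; `CREDENTIALS` is the config from this request as already-parsed YAML.

```python
import re
from urllib.parse import quote, urlsplit, urlunsplit

_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# The two entries from the config in this request, as already-parsed YAML.
CREDENTIALS = [
    {"name": "company-gitlab", "url": "https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.company.com"},
    {"name": "public-github", "url": "https://x-access-token:${GITHUB_TOKEN}@github.com"},
]

class MissingVariable(Exception):
    """A ${VAR} used by the matching credential is unset or empty."""

def _expand(template, env):
    def sub(match):
        value = env.get(match.group(1))
        if not value:
            raise MissingVariable(match.group(1))
        # Percent-encode so '@', '/' or ':' inside a token cannot change the host.
        return quote(value, safe="")
    return _VAR.sub(sub, template)

def inject_auth(source_url, credentials, env):
    """Return source_url with userinfo added when a credential is bound to its host."""
    src = urlsplit(source_url)
    # HTTPS only, and never add to a source that already carries userinfo.
    if src.scheme != "https" or "@" in src.netloc:
        return source_url
    for cred in credentials:
        # Parse the template before expansion: the host comes from the config
        # file, never from an environment value.
        tmpl = urlsplit(cred["url"])
        if (tmpl.scheme, tmpl.hostname, tmpl.port) != ("https", src.hostname, src.port):
            continue  # exact match only, no suffix or substring matching
        userinfo = _expand(tmpl.netloc.rpartition("@")[0], env)
        return urlunsplit(src._replace(netloc=f"{userinfo}@{src.netloc}"))
    return source_url

def plan_sync(sources, credentials, env):
    """Return (fetch_urls, skipped); an unset variable skips that module only."""
    fetch, skipped = [], []
    for url in sources:
        try:
            fetch.append(inject_auth(url, credentials, env))
        except MissingVariable as exc:
            skipped.append((url, exc.args[0]))
    return fetch, skipped
```

The returned URLs contain the token, so anything that logs them has to strip the userinfo first.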