CI tokens
Use customer-scoped API tokens for automated package publishing and installation with rvn pkg and native package managers.
Updated 2026-06-24
Ravenstash API tokens belong to a customer scope. A customer can be a personal account or a team.
Use team-scoped tokens for shared CI jobs so package automation does not depend on one developer account.
Recommended workflow
- Create or choose the team that owns the repository.
- Create a customer-scoped API token in that team context.
- Store the token in the CI secret manager.
- Inject the token as RAVENSTASH_TOKEN.
- Use rvn pkg to install or publish.
Publish in CI
export RAVENSTASH_TOKEN="${RAVENSTASH_TOKEN_FROM_CI}"
# Publish directly — no native package manager invoked
rvn pkg publish --repo acme/python
rvn pkg publish --repo acme/frontend
rvn pkg publish --repo acme/jvm
Install in CI
export RAVENSTASH_TOKEN="${RAVENSTASH_TOKEN_FROM_CI}"
rvn pkg install internal-sdk --repo acme/python
For native package manager commands (when the pipeline already uses pip, npm, or mvn), use the rvn wrappers to avoid hardcoding registry URLs:
rvn pip install internal-sdk --repo acme/python
rvn npm install @acme/design-system --repo acme/frontend
rvn mvn install --repo acme/jvm
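A guard that a CI step can source before the rvn commands above. It is an added example, not part of Ravenstash's documentation or tooling. It rejects an empty or whitespace-damaged RAVENSTASH_TOKEN and masks the token if any command prints it to the job log; the function names and the [MASKED] marker are assumptions of this example.

```shell
#!/bin/sh
# Added example: token hygiene for a CI step that calls rvn.
# Function names and the [MASKED] marker are assumptions of this example.

# Fail before any rvn command runs if the injected secret is unusable.
require_token() {
    if [ -z "${RAVENSTASH_TOKEN:-}" ]; then
        echo "RAVENSTASH_TOKEN is empty; check the CI secret mapping" >&2
        return 1
    fi
    # A secret pasted with a trailing newline or space fails auth confusingly.
    _rt_clean=$(printf '%s' "$RAVENSTASH_TOKEN" | tr -d '[:space:]')
    if [ "$_rt_clean" != "$RAVENSTASH_TOKEN" ]; then
        echo "RAVENSTASH_TOKEN contains whitespace; re-save the secret" >&2
        return 1
    fi
}

# Run a command, mask literal copies of the token in its combined output,
# and return the command's own exit status (a plain pipe would return awk's).
run_masked() {
    set +x  # never trace commands while the token is in scope
    _rm_file=$(mktemp) || return 1
    {
        _rm_rc=0
        "$@" 2>&1 || _rm_rc=$?
        echo "$_rm_rc" > "$_rm_file"
    } | awk '
        BEGIN { t = ENVIRON["RAVENSTASH_TOKEN"] }  # token must be exported
        {
            out = ""; rest = $0
            while (t != "" && (i = index(rest, t)) > 0) {
                out = out substr(rest, 1, i - 1) "[MASKED]"
                rest = substr(rest, i + length(t))
            }
            print out rest
        }'
    _rm_rc=$(cat "$_rm_file")
    rm -f "$_rm_file"
    return "$_rm_rc"
}

# In a job, after the export shown above:
#   require_token && run_masked rvn pkg publish --repo acme/python
```

Masking works line by line on literal matches, so it does not catch a token that a tool prints encoded or split across lines.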
Rotation
Token secrets are shown once. Rotate a token by creating a replacement, updating CI secrets, validating a publish or install job, then revoking the old token.
Current status
Customer-scoped token creation, rotation, revocation, and deletion are implemented in the app. Fine-grained per-repository permissions beyond current customer/team-admin rules are future work.
