Raycynix.Extensions.Secrets
1.1.0
dotnet add package Raycynix.Extensions.Secrets --version 1.1.0
NuGet\Install-Package Raycynix.Extensions.Secrets -Version 1.1.0
<PackageReference Include="Raycynix.Extensions.Secrets" Version="1.1.0" />
<PackageVersion Include="Raycynix.Extensions.Secrets" Version="1.1.0" />
<PackageReference Include="Raycynix.Extensions.Secrets" />
paket add Raycynix.Extensions.Secrets --version 1.1.0
#r "nuget: Raycynix.Extensions.Secrets, 1.1.0"
#:package Raycynix.Extensions.Secrets@1.1.0
#addin nuget:?package=Raycynix.Extensions.Secrets&version=1.1.0
#tool nuget:?package=Raycynix.Extensions.Secrets&version=1.1.0
Raycynix.Extensions.Secrets
Raycynix.Extensions.Secrets provides a unified secret-resolution layer for Raycynix applications.
It allows application code to ask for secrets through ISecretResolver while the actual values can come from the standard configuration pipeline or environment-specific fallback providers.
What it contains
AddRaycynixSecrets(...)SecretOptionsISecretProviderregistrationsISecretResolverISecretDiagnosticsResolverGetRequiredSecretAsync(...)ResolveWithSourceAsync(...)ExplainSecretResolutionAsync(...)- configuration, environment, GitHub Actions, and TeamCity-style secret providers
What it does not contain
- cloud-specific secret storage integrations
- UI or interactive secret management
- a custom secret file format
Why use it
IConfiguration is still the place where configuration is assembled, but Raycynix.Extensions.Secrets gives applications a separate API for secret access.
That separation is useful when you want to:
- consume secrets through a dedicated abstraction instead of injecting raw
IConfiguration - support multiple secret sources without changing application code
- keep CI/CD-oriented environment variable resolution as a fallback when configuration does not contain a value
Usage
var builder = Host.CreateApplicationBuilder(args);
builder.Configuration.UseRaycynixConfigurationSources(options =>
{
options.BaseFileName = "appsettings";
options.EnvironmentName = builder.Environment.EnvironmentName;
options.IncludeUserSecrets = builder.Environment.IsDevelopment();
});
builder.Services.AddRaycynixSecrets();
public sealed class GitHubTokenLoader(ISecretResolver secrets)
{
public async Task<string?> LoadAsync(CancellationToken cancellationToken)
{
return await secrets.GetSecretAsync("GitHub:Token", cancellationToken);
}
}
See the runnable example in examples/Raycynix.Extensions.Secrets.Example/Program.cs for a complete walkthrough of:
- default provider precedence
- custom provider precedence through
SecretOptions - required-secret resolution
- provider-aware resolution results
- explain output that shows the evaluated provider chain
The package resolves secrets through a provider chain and returns the first available value.
By default, the provider chain checks sources in this order:
IConfiguration- exact environment variable key
- GitHub Actions-style normalized environment variable
- TeamCity-style normalized environment variable
This allows applications to keep using the standard configuration pipeline, including .NET User Secrets, while still consuming secrets through a dedicated ISecretResolver.
You can customize the provider order when the default precedence is not appropriate:
builder.Services.AddRaycynixSecrets(options =>
{
options.ProviderOrder.Clear();
options.ProviderOrder.Add(typeof(GitHubSecretProvider));
options.ProviderOrder.Add(typeof(ConfigurationSecretProvider));
options.ProviderOrder.Add(typeof(EnvironmentSecretProvider));
options.ProviderOrder.Add(typeof(TeamCitySecretProvider));
});
Providers not listed in SecretOptions.ProviderOrder are still evaluated afterward in their registration order.
Examples:
ConnectionStrings:Maincan be resolved fromIConfiguration["ConnectionStrings:Main"]- or from the exact environment variable
ConnectionStrings:Main - or from
CONNECTIONSTRINGS_MAINin GitHub Actions-style environments - or from
env.ConnectionStrings.Mainin TeamCity-style environments
You can also use the convenience APIs for required secrets and diagnostics:
var token = await secrets.GetRequiredSecretAsync("Api:Token", cancellationToken);
var resolved = await secrets.ResolveWithSourceAsync("ConnectionStrings:Main", cancellationToken);
Console.WriteLine(resolved.ProviderName);
var attempts = await secrets.ExplainSecretResolutionAsync("ConnectionStrings:Main", cancellationToken);
foreach (var attempt in attempts)
{
Console.WriteLine($"{attempt.ProviderName}: {attempt.Succeeded}");
}
Typical output looks like this:
Default provider order
Configuration -> Environment -> GitHub -> TeamCity
GetSecretAsync: Server=config;Database=main;
ResolveWithSourceAsync.ProviderName: ConfigurationSecretProvider
GetRequiredSecretAsync(Api:Token): config-token
ExplainSecretResolutionAsync:
- ConfigurationSecretProvider: True
Custom provider order
GitHub -> Configuration -> Environment -> TeamCity
ResolveWithSourceAsync.Value: Server=github;Database=main;
ResolveWithSourceAsync.ProviderName: GitHubSecretProvider
ExplainSecretResolutionAsync:
- GitHubSecretProvider: True
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
-
net10.0
- Microsoft.Extensions.Configuration.Abstractions (>= 10.0.6)
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 10.0.6)
- Microsoft.Extensions.Options (>= 10.0.6)
- Raycynix.Extensions.Security.Abstractions (>= 1.1.0)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Added configuration-backed secret resolution, configurable provider ordering through SecretOptions, and provider-aware diagnostics APIs including required-secret resolution and explain output.