This document provides example code snippets for deploying code using the ipb CLI in various CI/CD pipelines.
The ipb deploy command deploys JavaScript code to programmable cards. In CI/CD environments, you'll need to:
- Provide credentials via environment variables or command-line options
- Use the
--yesflag to skip confirmation prompts (required in non-interactive environments) - Specify the card key and code file to deploy
ipb deploy --filename main.js --card-key card-123 --yesname: Deploy to Card
on:
push:
branches:
- main
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '24'
- name: Install ipb CLI
run: npm install -g investec-ipb
- name: Deploy code
env:
INVESTEC_CLIENT_ID: ${{ secrets.INVESTEC_CLIENT_ID }}
INVESTEC_CLIENT_SECRET: ${{ secrets.INVESTEC_CLIENT_SECRET }}
INVESTEC_API_KEY: ${{ secrets.INVESTEC_API_KEY }}
INVESTEC_CARD_KEY: ${{ secrets.INVESTEC_CARD_KEY }}
run: |
ipb deploy \
--filename src/main.js \
--card-key ${{ secrets.INVESTEC_CARD_KEY }} \
--env production \
--yes \
--verbosestages:
- deploy
deploy_to_card:
stage: deploy
image: node:20
before_script:
- npm install -g investec-ipb
script:
- |
ipb deploy \
--filename src/main.js \
--card-key $INVESTEC_CARD_KEY \
--env production \
--yes \
--verbose
variables:
INVESTEC_HOST: "https://openapi.investec.com"
only:
- mainpipeline {
agent any
environment {
INVESTEC_CLIENT_ID = credentials('investec-client-id')
INVESTEC_CLIENT_SECRET = credentials('investec-client-secret')
INVESTEC_API_KEY = credentials('investec-api-key')
INVESTEC_CARD_KEY = credentials('investec-card-key')
}
stages {
stage('Deploy') {
steps {
sh '''
npm install -g investec-ipb
ipb deploy \
--filename src/main.js \
--card-key ${INVESTEC_CARD_KEY} \
--env production \
--yes \
--verbose
'''
}
}
}
}Instead of environment variables, you can pre-configure profiles and use them in your pipeline:
# Pre-configure profile (run once on CI server or in setup step)
ipb config \
--profile production \
--client-id $INVESTEC_CLIENT_ID \
--client-secret $INVESTEC_CLIENT_SECRET \
--api-key $INVESTEC_API_KEY
# Deploy using profile
ipb deploy \
--profile production \
--filename src/main.js \
--card-key card-123 \
--yesYou can also pass credentials directly via command-line options (less secure for CI/CD):
ipb deploy \
--filename src/main.js \
--card-key card-123 \
--client-id $INVESTEC_CLIENT_ID \
--client-secret $INVESTEC_CLIENT_SECRET \
--api-key $INVESTEC_API_KEY \
--env production \
--yesThe CLI supports the following environment variables for credentials:
INVESTEC_HOST- API host URL (default:https://openapi.investec.com)INVESTEC_CLIENT_ID- OAuth client IDINVESTEC_CLIENT_SECRET- OAuth client secretINVESTEC_API_KEY- API keyINVESTEC_CARD_KEY- Card identifier (can also be passed via--card-key)
The --env option loads environment variables from a .env.<env> file:
# Deploy with environment variables from .env.production
ipb deploy \
--filename src/main.js \
--card-key card-123 \
--env production \
--yesThis will:
- Read variables from
.env.production - Upload them to the card
- Upload and publish the code
name: Deploy
on:
push:
branches:
- main
- staging
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '24'
- name: Install ipb CLI
run: npm install -g investec-ipb
- name: Determine environment
id: env
run: |
if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
echo "env=production" >> $GITHUB_OUTPUT
echo "card_key=${{ secrets.PROD_CARD_KEY }}" >> $GITHUB_OUTPUT
else
echo "env=staging" >> $GITHUB_OUTPUT
echo "card_key=${{ secrets.STAGING_CARD_KEY }}" >> $GITHUB_OUTPUT
fi
- name: Deploy to environment
env:
INVESTEC_CLIENT_ID: ${{ secrets.INVESTEC_CLIENT_ID }}
INVESTEC_CLIENT_SECRET: ${{ secrets.INVESTEC_CLIENT_SECRET }}
INVESTEC_API_KEY: ${{ secrets.INVESTEC_API_KEY }}
run: |
ipb deploy \
--filename src/main.js \
--card-key ${{ steps.env.outputs.card_key }} \
--env ${{ steps.env.outputs.env }} \
--yes \
--verbose-
Use Secrets Management: Store credentials in your CI/CD platform's secrets management system (GitHub Secrets, GitLab CI Variables, etc.)
-
Avoid Hardcoding: Never commit credentials to your repository
-
Use Profiles: Consider using profiles for better organization (though they require file system access)
-
Environment Variables: The CLI automatically detects CI/CD environments and will warn about secrets in environment variables, but they're still supported for pipelines
-
Least Privilege: Use separate credentials for different environments (staging, production)
- Solution: Add the
--yesflag to skip confirmation prompts in non-interactive environments
- Solution: Ensure all required environment variables are set:
INVESTEC_CLIENT_IDINVESTEC_CLIENT_SECRETINVESTEC_API_KEYINVESTEC_CARD_KEY(or pass via--card-key)
- Solution: Add
--verboseflag or setDEBUG=1environment variable
- Solution: The CLI automatically retries on rate limit errors with exponential backoff. Use
--verboseto see retry attempts.
You can also create a deploy script for easier reuse:
#!/bin/bash
# deploy.sh
set -e
# Load environment variables
source .env.production
# Deploy code
ipb deploy \
--filename src/main.js \
--card-key "${INVESTEC_CARD_KEY}" \
--env production \
--yes \
--verbose
echo "Deployment successful!"Make it executable and run:
chmod +x deploy.sh
./deploy.sh