OnePub makes it easy to integrate into your CI/CD framework without having to modify your pubspec.yaml.
You will want deployed as part of your CI/CD infrastructure so that your CI/CD environment can access your private packages hosted on during the build and deployment actions.
To do this you need to use the onepub CLI tool to export and then import a OnePub Token.
Depending on your CI/CD environment you will use one of two methods:
  • copy the OnePub Token file into your CI/CD environment
  • add your OnePub Token as a secret using the likes of github secrets
The process can be summarised as:
  • login to onepub on your PC
  • export your OnePub Token from your PC (onepub export
  • add the OnePub Token to your CI/CD environment
  • install onepub as part of your CI/CD action
  • import your OnePub Token into onepub (onepub import)
  • build your package/app.


A OnePub Administrator can export any other Member's OnePub Token. A OnePub Team Leader can export any of their team's OnePub Tokens.
Within OnePub, a OnePub Token is always tied to a member and that member's permissions.
When deploying a OnePub Token to your CI/CD environment you need to ensure that the member associated with the OnePub Token has sufficient permissions for the actions the CI/CD will take.

Use a dedicated CI/CD account

Whilst you can use any Member account in your CI/CD environment we recommend you created a dedicated CI/CD account.
There are several advantages to using a dedicated CI/CD account.
We recommend that you create a specific OnePub member for use in your CI/CD environment to reduce the risk of breaking your CI/CD environment if a regular member's permissions change.


1) a member logout can break your CI/CD environment.
The onepub logout logs a user out of ALL of their devices including the CI/CD environment.
This means that if the owner of the shared account logs out of their onepub account then they will inadvertently invalidate the OnePub token used by the CI/CD environment.
2) The CI/CD environment permissions will be affected by any permission changes to the member. This can result in the CI/CD environment being given too many permissions or too few.


The only disadvantage is that using a separate CI/CD member does mean that you need to purchase an additional OnePub license.


If your CI/CD environment is going to publish a package into OnePub then the owner of the OnePub Token must be an owner of that package.


If the package you are building has a dependency (or a transitive dependency) on one of your private packages then the owner of the OnePub Token must belong to a team(s) that is associated with each of the dependant packages.
If you are on the Free or Pro subscription tier there is only one (implicit) Team and every member belongs to that team. With the Free tier every member is an Administrator.
Some CI/CD environments allow you to create a secret that is available as an environment variable when you run your CI/CD.
We recommend this approach over adding a token file to your environment as it provides greater security for your OnePub Token.
Github secrets are an example of this.
Start by logging into onepub on your local PC.
onepub login
Now export the token:
onepub export
If you have a dedicated CI/CD OnePub member (recommended) then you should instead export that user's token.
Note: you need to be an Administrator or Team Leader of the member to export a CI/CD member's token.
onepub export --user [email protected]
The export command prints the secret (onepub token) to your console.
Add the secret to your CI/CD environment's list of secrets using the environment variable name:
Within your CI/CD action add:
dart pub global activate onepub
onepub import
The onepub import command takes the onepub token from the ONEPUB_TOKEN environment variable.
The dart pub command now has access to your repository and all packages that the CI/CD member has access to.

Place a token file in your CI/CD environment

OnePub does NOT recommend this method as it requires that you add your OnePub credentials to your source control system. However, if your CI/CD environment doesn't provide a method to store a token securely then this is the process you need to employ.
If you need a OnePub token for a local Docker test environment read our Docker page.
We strongly recommend that you use a dedicated CI/CD OnePub member account if you are deploying a token file, as a CI/CD account can be configured with the minimum permissions required for the CI/CD role.
From your desktop:
If you haven't already; start by logging in.
onepub login
To obtain and use the necessary secrets we use the --file variant of the onepub export/import process
onepub export --file
If you are using a dedicated CI/CD OnePub account then use:
onepub export --user [email protected] --file
The export process will create a onepub.token.yaml file in your current directory.
Copy the token file to your CI/CD environment
As part of your CI/CD action, you need to import the token
dart pub global activate onepub
onepub import --file <path to token yaml>
The dart pub command now has access to your repository.