helmfile · vlsi · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 13, 2026
@@ -16,5 +16,7 @@ jobs:
       with:
         go-version-file: 'go.mod'
         cache: true
-    - name: build 
-      run: make build
+    - name: build
+      run: make build
+    - name: build (minimal, without optional providers)
+      run: go build -tags custom_providers -o /dev/null ./cmd/vals
@@ -5,3 +5,5 @@ dist/
 cover.out
 vals
 .vscode
+.codex-review/
+vals-all
@@ -37,6 +37,7 @@ It supports various backends including:
 ToC:
 
 - [Installation](#installation)
+  - [Building from source](#building-from-source)
 - [Usage](#usage)
   - [CLI](#cli)
   - [Helm](#helm)
@@ -88,6 +89,29 @@ nix profile install nixpkgs#vals
 scoop install vals
 ```
 
+### Building from source
+
+```sh
+go build -o vals ./cmd/vals
+```
+
+#### Custom builds
+
+By default, all providers are compiled into the binary. If you only need specific providers, you can use Go build tags to produce a smaller binary:
+
+```sh
+# Only include Vault, AWS, GCP and Azure providers
+go build -tags "custom_providers,vault,aws,gcp,azure" -o vals ./cmd/vals
+```
+
+The `custom_providers` tag switches to opt-in mode. Without it, all providers are included. Add the tags for the providers you need:
+
+`vault`, `openbao`, `aws`, `gcp`, `azure`, `terraform`, `gitlab`, `sops`, `onepassword`, `doppler`, `k8s`, `hcpvaultsecrets`, `conjur`, `bitwarden`, `scaleway`, `infisical`, `oci`, `httpjson`, `pulumi`, `secretserver`, `servercore`, `keychain`, `yandex`
+
+Utility providers (`echo`, `file`, `envsubst`, `exec`) are always included.
+
+Use `all_providers` to explicitly include everything: `go build -tags all_providers`.
+
 ## Usage
 
 - [CLI](#cli)

@@ -0,0 +1,49 @@
+package registry
+
+import (
+	"github.com/helmfile/vals/pkg/api"
+	"github.com/helmfile/vals/pkg/config"
+	"github.com/helmfile/vals/pkg/log"
+)
+
+// ProviderFactory creates a provider for use in vals.go createProvider.
+type ProviderFactory func(l *log.Logger, conf config.MapConfig, awsLogLevel string) (api.Provider, error)
+
+// StringProviderFactory creates a string provider for use in stringprovider.New.
+type StringProviderFactory func(l *log.Logger, provider api.StaticConfig, awsLogLevel string) (api.LazyLoadedStringProvider, error)
+
+// StringMapProviderFactory creates a string-map provider for use in stringmapprovider.New.
+type StringMapProviderFactory func(l *log.Logger, provider api.StaticConfig, awsLogLevel string) (api.LazyLoadedStringMapProvider, error)
+
+var (
+	providers          = map[string]ProviderFactory{}
+	stringProviders    = map[string]StringProviderFactory{}
+	stringMapProviders = map[string]StringMapProviderFactory{}
+)
+
+func RegisterProvider(scheme string, f ProviderFactory) {
+	providers[scheme] = f
+}
+
+func GetProvider(scheme string) (ProviderFactory, bool) {
+	f, ok := providers[scheme]
+	return f, ok
+}
+
+func RegisterStringProvider(name string, f StringProviderFactory) {
+	stringProviders[name] = f
+}
+
+func GetStringProvider(name string) (StringProviderFactory, bool) {
+	f, ok := stringProviders[name]
+	return f, ok
+}
+
+func RegisterStringMapProvider(name string, f StringMapProviderFactory) {
+	stringMapProviders[name] = f
+}
+
+func GetStringMapProvider(name string) (StringMapProviderFactory, bool) {
+	f, ok := stringMapProviders[name]
+	return f, ok
+}
@@ -0,0 +1,28 @@
+//go:build aws || all_providers || !custom_providers
+
+package stringmapprovider
+
+import (
+	"github.com/helmfile/vals/pkg/api"
+	"github.com/helmfile/vals/pkg/log"
+	"github.com/helmfile/vals/pkg/providers/awskms"
+	"github.com/helmfile/vals/pkg/providers/awssecrets"
+	"github.com/helmfile/vals/pkg/providers/registry"
+	"github.com/helmfile/vals/pkg/providers/s3"
+	"github.com/helmfile/vals/pkg/providers/ssm"
+)
+
+func init() {
+	registry.RegisterStringMapProvider("s3", func(l *log.Logger, provider api.StaticConfig, awsLogLevel string) (api.LazyLoadedStringMapProvider, error) {
+		return s3.New(l, provider, awsLogLevel), nil
+	})
+	registry.RegisterStringMapProvider("ssm", func(l *log.Logger, provider api.StaticConfig, awsLogLevel string) (api.LazyLoadedStringMapProvider, error) {
+		return ssm.New(l, provider, awsLogLevel), nil
+	})
+	registry.RegisterStringMapProvider("awssecrets", func(l *log.Logger, provider api.StaticConfig, awsLogLevel string) (api.LazyLoadedStringMapProvider, error) {
+		return awssecrets.New(l, provider, awsLogLevel), nil
+	})
+	registry.RegisterStringMapProvider("awskms", func(_ *log.Logger, provider api.StaticConfig, awsLogLevel string) (api.LazyLoadedStringMapProvider, error) {
+		return awskms.New(provider, awsLogLevel), nil
+	})
+}
@@ -0,0 +1,16 @@
+//go:build azure || all_providers || !custom_providers
+
+package stringmapprovider
+
+import (
+	"github.com/helmfile/vals/pkg/api"
+	"github.com/helmfile/vals/pkg/log"
+	"github.com/helmfile/vals/pkg/providers/azurekeyvault"
+	"github.com/helmfile/vals/pkg/providers/registry"
+)
+
+func init() {
+	registry.RegisterStringMapProvider("azurekeyvault", func(_ *log.Logger, provider api.StaticConfig, _ string) (api.LazyLoadedStringMapProvider, error) {
+		return azurekeyvault.New(provider), nil
+	})
+}
@@ -0,0 +1,16 @@
+//go:build doppler || all_providers || !custom_providers
+
+package stringmapprovider
+
+import (
+	"github.com/helmfile/vals/pkg/api"
+	"github.com/helmfile/vals/pkg/log"
+	"github.com/helmfile/vals/pkg/providers/doppler"
+	"github.com/helmfile/vals/pkg/providers/registry"
+)
+
+func init() {
+	registry.RegisterStringMapProvider("doppler", func(l *log.Logger, provider api.StaticConfig, _ string) (api.LazyLoadedStringMapProvider, error) {
+		return doppler.New(l, provider), nil
+	})
+}
@@ -0,0 +1,20 @@
+//go:build gcp || all_providers || !custom_providers
+
+package stringmapprovider
+
+import (
+	"github.com/helmfile/vals/pkg/api"
+	"github.com/helmfile/vals/pkg/log"
+	"github.com/helmfile/vals/pkg/providers/gcpsecrets"
+	"github.com/helmfile/vals/pkg/providers/gkms"
+	"github.com/helmfile/vals/pkg/providers/registry"
+)
+
+func init() {
+	registry.RegisterStringMapProvider("gcpsecrets", func(_ *log.Logger, provider api.StaticConfig, _ string) (api.LazyLoadedStringMapProvider, error) {
+		return gcpsecrets.New(provider), nil
+	})
+	registry.RegisterStringMapProvider("gkms", func(l *log.Logger, provider api.StaticConfig, _ string) (api.LazyLoadedStringMapProvider, error) {
+		return gkms.New(l, provider), nil
+	})
+}
@@ -0,0 +1,16 @@
+//go:build httpjson || all_providers || !custom_providers
+
+package stringmapprovider
+
+import (
+	"github.com/helmfile/vals/pkg/api"
+	"github.com/helmfile/vals/pkg/log"
+	"github.com/helmfile/vals/pkg/providers/httpjson"
+	"github.com/helmfile/vals/pkg/providers/registry"
+)
+
+func init() {
+	registry.RegisterStringMapProvider("httpjson", func(l *log.Logger, provider api.StaticConfig, _ string) (api.LazyLoadedStringMapProvider, error) {
+		return httpjson.New(l, provider), nil
+	})
+}
@@ -0,0 +1,16 @@
+//go:build infisical || all_providers || !custom_providers
+
+package stringmapprovider
+
+import (
+	"github.com/helmfile/vals/pkg/api"
+	"github.com/helmfile/vals/pkg/log"
+	"github.com/helmfile/vals/pkg/providers/infisical"
+	"github.com/helmfile/vals/pkg/providers/registry"
+)
+
+func init() {
+	registry.RegisterStringMapProvider("infisical", func(l *log.Logger, provider api.StaticConfig, _ string) (api.LazyLoadedStringMapProvider, error) {
+		return infisical.New(l, provider), nil
+	})
+}
@@ -0,0 +1,16 @@
+//go:build k8s || all_providers || !custom_providers
+
+package stringmapprovider
+
+import (
+	"github.com/helmfile/vals/pkg/api"
+	"github.com/helmfile/vals/pkg/log"
+	"github.com/helmfile/vals/pkg/providers/k8s"
+	"github.com/helmfile/vals/pkg/providers/registry"
+)
+
+func init() {
+	registry.RegisterStringMapProvider("k8s", func(l *log.Logger, provider api.StaticConfig, _ string) (api.LazyLoadedStringMapProvider, error) {
+		return k8s.New(l, provider)
+	})
+}
@@ -0,0 +1,16 @@
+//go:build onepassword || all_providers || !custom_providers
+
+package stringmapprovider
+
+import (
+	"github.com/helmfile/vals/pkg/api"
+	"github.com/helmfile/vals/pkg/log"
+	"github.com/helmfile/vals/pkg/providers/onepasswordconnect"
+	"github.com/helmfile/vals/pkg/providers/registry"
+)
+
+func init() {
+	registry.RegisterStringMapProvider("onepasswordconnect", func(_ *log.Logger, provider api.StaticConfig, _ string) (api.LazyLoadedStringMapProvider, error) {
+		return onepasswordconnect.New(provider), nil
+	})
+}
@@ -0,0 +1,16 @@
+//go:build scaleway || all_providers || !custom_providers
+
+package stringmapprovider
+
+import (
+	"github.com/helmfile/vals/pkg/api"
+	"github.com/helmfile/vals/pkg/log"
+	"github.com/helmfile/vals/pkg/providers/registry"
+	"github.com/helmfile/vals/pkg/providers/scaleway"
+)
+
+func init() {
+	registry.RegisterStringMapProvider("scaleway", func(l *log.Logger, provider api.StaticConfig, _ string) (api.LazyLoadedStringMapProvider, error) {
+		return scaleway.New(l, provider), nil
+	})
+}
@@ -0,0 +1,16 @@
+//go:build sops || all_providers || !custom_providers
+
+package stringmapprovider
+
+import (
+	"github.com/helmfile/vals/pkg/api"
+	"github.com/helmfile/vals/pkg/log"
+	"github.com/helmfile/vals/pkg/providers/registry"
+	"github.com/helmfile/vals/pkg/providers/sops"
+)
+
+func init() {
+	registry.RegisterStringMapProvider("sops", func(l *log.Logger, provider api.StaticConfig, awsLogLevel string) (api.LazyLoadedStringMapProvider, error) {
+		return sops.New(l, provider, awsLogLevel), nil
+	})
+}
@@ -0,0 +1,16 @@
+//go:build vault || all_providers || !custom_providers
+
+package stringmapprovider
+
+import (
+	"github.com/helmfile/vals/pkg/api"
+	"github.com/helmfile/vals/pkg/log"
+	"github.com/helmfile/vals/pkg/providers/registry"
+	"github.com/helmfile/vals/pkg/providers/vault"
+)
+
+func init() {
+	registry.RegisterStringMapProvider("vault", func(l *log.Logger, provider api.StaticConfig, _ string) (api.LazyLoadedStringMapProvider, error) {
+		return vault.New(l, provider), nil
+	})
+}
@@ -5,59 +5,20 @@ import (
 
 	"github.com/helmfile/vals/pkg/api"
 	"github.com/helmfile/vals/pkg/log"
-	"github.com/helmfile/vals/pkg/providers/awskms"
-	"github.com/helmfile/vals/pkg/providers/awssecrets"
-	"github.com/helmfile/vals/pkg/providers/azurekeyvault"
-	"github.com/helmfile/vals/pkg/providers/doppler"
 	execprovider "github.com/helmfile/vals/pkg/providers/exec"
-	"github.com/helmfile/vals/pkg/providers/gcpsecrets"
-	"github.com/helmfile/vals/pkg/providers/gkms"
-	"github.com/helmfile/vals/pkg/providers/httpjson"
-	"github.com/helmfile/vals/pkg/providers/infisical"
-	"github.com/helmfile/vals/pkg/providers/k8s"
-	"github.com/helmfile/vals/pkg/providers/onepasswordconnect"
-	"github.com/helmfile/vals/pkg/providers/scaleway"
-	"github.com/helmfile/vals/pkg/providers/sops"
-	"github.com/helmfile/vals/pkg/providers/ssm"
-	"github.com/helmfile/vals/pkg/providers/vault"
+	"github.com/helmfile/vals/pkg/providers/registry"
 )
 
 func New(l *log.Logger, provider api.StaticConfig, awsLogLevel string) (api.LazyLoadedStringMapProvider, error) {
 	tpe := provider.String("name")
 
 	switch tpe {
-	case "s3":
-		return ssm.New(l, provider, awsLogLevel), nil
-	case "ssm":
-		return ssm.New(l, provider, awsLogLevel), nil
-	case "vault":
-		return vault.New(l, provider), nil
-	case "awssecrets":
-		return awssecrets.New(l, provider, awsLogLevel), nil
-	case "sops":
-		return sops.New(l, provider, awsLogLevel), nil
-	case "gcpsecrets":
-		return gcpsecrets.New(provider), nil
-	case "azurekeyvault":
-		return azurekeyvault.New(provider), nil
-	case "awskms":
-		return awskms.New(provider, awsLogLevel), nil
-	case "onepasswordconnect":
-		return onepasswordconnect.New(provider), nil
-	case "doppler":
-		return doppler.New(l, provider), nil
-	case "gkms":
-		return gkms.New(l, provider), nil
-	case "k8s":
-		return k8s.New(l, provider)
-	case "httpjson":
-		return httpjson.New(l, provider), nil
-	case "scaleway":
-		return scaleway.New(l, provider), nil
-	case "infisical":
-		return infisical.New(l, provider), nil
 	case "exec":
 		return execprovider.New(l, provider), nil
+	default:
+		if factory, ok := registry.GetStringMapProvider(tpe); ok {
+			return factory(l, provider, awsLogLevel)
+		}
 	}
 
 	return nil, fmt.Errorf("failed initializing string-map provider from config: %v", provider)