envshed pull

Pull secrets from Envshed and write them to a local file.

Usage

envshed pull [-o <org>] [-p <project>] [-e <env>] [-f <path>] [--stdout] [--force] [--format <format>]

Options

Flag                   Description                                 Default
-o, --org <slug>       Organization slug                           From config
-p, --project <slug>   Project slug                                From config
-e, --env <slug>       Environment slug                            From config
-f, --file <path>      Output file path                            .env
--stdout               Print to stdout instead of writing a file
--force                Overwrite without checking for changes
--format <format>      Output format: env or json                  env

Safe pull

By default, the CLI compares incoming secrets with the existing file and aborts if any values would be modified or deleted:

Pull aborted. The following changes were detected:

~ DATABASE_URL (modified)
- OLD_SECRET (deleted)

Run with --force to overwrite.

Use --force to skip this check.
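
The comparison described above, sketched as an added example (this is not Envshed's own code). The function names, the simplified KEY=VALUE parser and the sample data are assumptions; treating newly added keys as non-blocking follows the wording "modified or deleted". The report lists key names only, so secret values never reach the terminal or logs.

```python
# Added illustration of a safe-pull check; not Envshed's implementation.
# Parser rules, function names and sample data are assumptions.

def parse_env(text):
    """Parse simple KEY=VALUE lines; skip blank lines and # comments."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        # Strip one pair of matching surrounding quotes, if present.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        secrets[key.strip()] = value
    return secrets


def diff_for_safe_pull(existing, incoming):
    """Return (modified, deleted) key names that would block a safe pull.
    Keys present only in `incoming` are additions and do not block."""
    modified = sorted(k for k in existing
                      if k in incoming and existing[k] != incoming[k])
    deleted = sorted(k for k in existing if k not in incoming)
    return modified, deleted


def safe_pull_report(existing_text, incoming, force=False):
    """Return (ok, message). The message names keys only, never values."""
    modified, deleted = diff_for_safe_pull(parse_env(existing_text), incoming)
    if force or not (modified or deleted):
        return True, ""
    lines = ["Pull aborted. The following changes were detected:", ""]
    lines += [f"~ {k} (modified)" for k in modified]
    lines += [f"- {k} (deleted)" for k in deleted]
    lines += ["", "Run with --force to overwrite."]
    return False, "\n".join(lines)


# Constructed sample data: a local file and the incoming remote secrets.
LOCAL_ENV = 'DATABASE_URL="postgres://localhost/dev"\nOLD_SECRET=abc123\nAPI_KEY=k1\n'
INCOMING = {"DATABASE_URL": "postgres://db.internal/app", "API_KEY": "k1", "NEW_FLAG": "1"}

if __name__ == "__main__":
    ok, message = safe_pull_report(LOCAL_ENV, INCOMING)
    print(message if not ok else "No blocking changes.")
```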

Placeholder warnings

If any secrets are marked as placeholders and you haven't set a personal override, the CLI shows a warning with clickable links to set your override in the dashboard:

  2 placeholders without personal override:

! GITHUB_TOKEN Set override
! AWS_SECRET_KEY Set override

Clicking the link opens the project page with the override modal ready for that secret.

Examples

# Pull to .env (default)
envshed pull

# Pull to a specific file
envshed pull -f .env.local

# Print to stdout (useful for piping)
envshed pull --stdout

# Pull as JSON
envshed pull --format json

# Force overwrite
envshed pull --force

# Pull from a specific environment
envshed pull -e production

# Monorepo: pull all workspaces from root
envshed pull

# Monorepo: pull a specific workspace
envshed --workspace apps/web pull

Monorepo behavior

In a monorepo with workspaces configured, pull adapts to your location:

  • Inside a workspace directory: pulls only that workspace's secrets to its configured file (e.g., .env.local)
  • At the monorepo root: pulls secrets for all workspaces sequentially
  • With --workspace <path>: pulls only the specified workspace, from anywhere

The -f flag overrides the workspace's configured file name for that invocation.