envshed push
Push secrets from a local .env file to Envshed.
Usage
envshed push [-o <org>] [-p <project>] [-e <env>] [-f <path>] [--force]
Options
| Flag | Description | Default |
|---|---|---|
-o, --org <slug> | Organization slug | From config |
-p, --project <slug> | Project slug | From config |
-e, --env <slug> | Environment slug | From config |
-f, --file <path> | Input file path | .env |
--force | Overwrite without checking for changes |
Safe push
By default, the CLI fetches remote secrets and compares them with your local file. If any remote values would be modified or keys are missing from your local file, it aborts:
Push aborted. The following remote changes were detected:
~ API_KEY (will be modified)
- OLD_SECRET (not in local file, will be kept remotely)
Run with --force to push anyway.
Keys present in the remote but missing from your local file are not deleted — they are kept remotely. Only the values you provide are updated or created.
Examples
# Push from .env (default)
envshed push
# Push from a specific file
envshed push -f .env.local
# Force push (skip change detection)
envshed push --force
# Push to a specific environment
envshed push -e staging
# Monorepo: push all workspaces from root
envshed push
# Monorepo: push a specific workspace
envshed --workspace apps/api push
Monorepo behavior
In a monorepo with workspaces configured, push adapts to your location:
- Inside a workspace directory: pushes only that workspace's env file
- At the monorepo root: pushes all workspaces sequentially
- With
--workspace <path>: pushes only the specified workspace, from anywhere
Each workspace reads from its configured file (e.g., .env.local for a Next.js app).
Placeholder secrets
When you push changes to a placeholder secret, the CLI automatically saves your value as a personal override instead of modifying the shared base value. This ensures your changes don't affect other team members.
✔ Pushed 5 secrets to my-org/my-project/development (2 as personal overrides)
Placeholder secrets saved as personal overrides (won't affect other users):
~ DATABASE_URL
~ API_KEY
Overrides are per-user — each team member can have their own value for a placeholder secret without interfering with others.
Cross-project link conflicts
If you push a change to a linked secret and the linked copy in another project was also modified independently, the CLI detects a conflict and prompts you to resolve it:
⚠ 1 linked secret(s) have conflicts:
Key: DATABASE_URL
Linked from: api/development
? How to resolve DATABASE_URL?
Keep mine (propagate my value to linked secrets)
Keep theirs (accept the linked value)
Unlink (stop sharing this secret)
- Keep mine: your local value is propagated to all linked secrets
- Keep theirs: the remote linked value is accepted (your local value is overwritten on next pull)
- Unlink: the secret is removed from its link group and stops syncing
If there are no conflicts, linked secrets are propagated silently.