GitHub Actions
Inject Envshed secrets into your GitHub Actions workflows. Secrets are fetched from Envshed and exported as masked environment variables or written to a .env file.
Setup
1. Create an API Token
Generate an API token from the Envshed dashboard. Navigate to Settings > API Tokens and create a new token with access to the project and environment you want to use.
2. Add the Token to GitHub Secrets
In your GitHub repository, go to Settings > Secrets and variables > Actions and add a new secret named ENVSHED_TOKEN with your API token.
3. Add the Action to Your Workflow
steps:
- uses: actions/checkout@v4
- uses: irbano/gh-setup-envshed@v1
with:
token: ${{ secrets.ENVSHED_TOKEN }}
org: my-company
project: backend
environment: production
- run: npm run deploy
Inputs
| Input | Required | Default | Description |
|---|---|---|---|
token | Yes | — | Envshed API token |
org | Yes | — | Organization slug |
project | Yes | — | Project slug |
environment | No | production | Environment slug |
api-url | No | https://app.envshed.com | Envshed API URL |
export-to | No | env | Where to export: env or file |
file-path | No | .env | Path for .env file (only with export-to: file) |
Examples
Environment Variables (Default)
Secrets are exported as environment variables, available to all subsequent steps in the job.
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: irbano/gh-setup-envshed@v1
with:
token: ${{ secrets.ENVSHED_TOKEN }}
org: my-company
project: backend
environment: production
- run: npm run deploy
Write to a .env File
Useful for frameworks that read from .env files at build time.
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: irbano/gh-setup-envshed@v1
with:
token: ${{ secrets.ENVSHED_TOKEN }}
org: my-company
project: frontend
environment: production
export-to: file
file-path: .env.local
- run: npm run build
Multi-Environment Deploy
Use a matrix strategy to deploy to multiple environments.
jobs:
deploy:
runs-on: ubuntu-latest
strategy:
matrix:
env: [staging, production]
steps:
- uses: actions/checkout@v4
- uses: irbano/gh-setup-envshed@v1
with:
token: ${{ secrets.ENVSHED_TOKEN }}
org: my-company
project: backend
environment: ${{ matrix.env }}
- run: npm run deploy
Docker Build
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: irbano/gh-setup-envshed@v1
with:
token: ${{ secrets.ENVSHED_TOKEN }}
org: my-company
project: backend
environment: production
export-to: file
- run: docker build -t my-app .
Security
- Never hardcode your API token in workflow files. Always use GitHub encrypted secrets.
- All secret values are automatically masked in GitHub Actions logs via
core.setSecret(). - Communication with the Envshed API is over HTTPS.
Troubleshooting
"Failed to fetch secrets (HTTP 401)"
Your API token is invalid or expired. Generate a new token from the Envshed dashboard and update your GitHub secret.
"Failed to fetch secrets (HTTP 403)"
Your token does not have access to the specified organization, project, or environment. Verify the token's permissions.
"Failed to fetch secrets (HTTP 404)"
The organization, project, or environment slug is incorrect. Double-check the slugs in your workflow file.
"No secrets found for the specified environment"
The environment exists but has no secrets. Add secrets via the dashboard or CLI before running the action.