envsync-cloud/action-cli downloads the envsync CLI, exports environment variables from EnvSync, optionally includes secrets, and makes the resulting values available to later GitHub Actions steps.
- name: Pull ENV from EnvSync
uses: envsync-cloud/action-cli@v1
with:
api_token: ${{ secrets.ENVSYNC_API_TOKEN }}
app_id: app_123
env_type: production| Input | Required | Default | Description |
|---|---|---|---|
api_token |
Yes | EnvSync API token. | |
app_id |
Yes | EnvSync application ID. | |
env_type_id |
No | Environment type ID. Mutually exclusive with env_type. |
|
env_type |
No | Environment type name. Mutually exclusive with env_type_id. |
|
server_url |
No | https://api.envsync.cloud |
EnvSync API base URL. |
enable_secrets |
No | auto |
auto, true, or false. |
is_secret_managed |
No | auto |
auto, true, or false. |
private_key |
No | Inline PEM private key for self-managed secrets. | |
private_key_file |
No | Path to a PEM private key for self-managed secrets. | |
cli_version |
No | latest |
latest or a version such as v1.2.3. |
working_directory |
No | . |
Working directory used for CLI execution and relative paths. |
write_file |
No | true |
Write exported values to a file. |
output_path |
No | .env |
Output file path. |
output_format |
No | dotenv |
dotenv or json. |
export_env |
No | true |
Export values to later workflow steps. |
overwrite |
No | true |
Overwrite an existing output file. |
mask_values |
No | true |
Mask exported values in workflow logs. |
fail_if_empty |
No | false |
Fail when no values are returned. |
checksum_verify |
No | true |
Verify the downloaded CLI archive using release checksums. |
| Output | Description |
|---|---|
resolved_env_type_id |
Resolved environment type ID from the CLI. |
resolved_env_type_name |
Resolved environment type name from the CLI. |
cli_version |
CLI version that was downloaded. |
output_path |
Output file path, or an empty string when no file was written. |
variable_count |
Number of exported variables. |
secrets_enabled |
Whether secrets were included. |
managed_secrets |
Whether secrets were treated as managed by EnvSync. |
exported_env |
Whether variables were exported to later workflow steps. |
wrote_file |
Whether the action wrote an output file. |
Managed secrets are auto-detected by default:
- name: Pull managed secrets
uses: envsync-cloud/action-cli@v1
with:
api_token: ${{ secrets.ENVSYNC_API_TOKEN }}
app_id: app_123
env_type: production
enable_secrets: autoFor self-managed secrets, provide the private key inline or by file:
- name: Pull self-managed secrets
uses: envsync-cloud/action-cli@v1
with:
api_token: ${{ secrets.ENVSYNC_API_TOKEN }}
app_id: app_123
env_type_id: env_123
enable_secrets: true
is_secret_managed: false
private_key: ${{ secrets.ENVSYNC_PRIVATE_KEY }}- The action downloads CLI release assets from
EnvSync-Cloud/envsync. - Use
@v1in workflows. - The release workflow also updates the floating
v<major>tag andlatest.