Use dotenvx with GitHub Actions

Initial setup

Create a Hello World build file. It is a deliberately simple build script; yours could be anything that needs configuration at build time, such as a test suite.

// build.js
console.log(`Hello ${process.env.HELLO || ''}`)

Create a .github/workflows/ci.yml file.

name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: actions/setup-node@v3
      with:
        node-version: 16
    - run: node build.js
      env:
        DOTENV_PRIVATE_KEY_CI: ${{ secrets.DOTENV_PRIVATE_KEY_CI }}

Commit that to code and push to GitHub.


The build will say Hello [blank] as it doesn't have a way to access the environment variable yet. Let's do that next.

Install dotenvx

Add a step that installs dotenvx to your .github/workflows/ci.yml file, and run the build through dotenvx run. Note that the install step below pipes a script fetched from the network straight into sh; for a CI pipeline you may prefer a pinned release (for example npm install @dotenvx/dotenvx@<version>) so the build does not depend on whatever the installer serves that day.

name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: actions/setup-node@v3
      with:
        node-version: 16
    - run: curl -fsS https://dotenvx.sh/ | sh
    - run: dotenvx run -- node build.js
      env:
        DOTENV_PRIVATE_KEY_CI: ${{ secrets.DOTENV_PRIVATE_KEY_CI }}

The logs now report a missing .env.ci file: setting DOTENV_PRIVATE_KEY_CI tells dotenvx to look for .env.ci, which does not exist yet. Let's fix that by adding the .env.ci environment file.

Add ci environment

Create a .env.ci file in the root of your project.

# .env.ci
HELLO="ci/cd"

Encrypt .env.ci

Use dotenvx to encrypt the secret. The command rewrites .env.ci with the ciphertext and adds a public-key header:

dotenvx set HELLO "ci/cd" -f .env.ci --encrypt

.env.ci

#/-------------------[DOTENV_PUBLIC_KEY]--------------------/
#/            public-key encryption for .env files          /
#/       [how it works](https://dotenvx.com/encryption)     /
#/----------------------------------------------------------/
DOTENV_PUBLIC_KEY_CI="02ca21124a34a8d815aa5ae885b005b826b57bf61bb7d062252a7e587af1fa8f7e"

# .env.ci
HELLO="encrypted:BIXMqncHW+tzAEoVjLsSdmrQMmC4ov6KlWjCtPzx+g/ZCv3xpG44f6SJB5goKjEygqEnyivYJ6152L9LsON0ymsG5w056+AstlmhIyfMPbAKidaYA9UVQAzGmpBZqru7QBTt3tkM"

Your .env.keys file contains the decryption key.

.env.keys

#/------------------!DOTENV_PRIVATE_KEYS!-------------------/
#/ private decryption keys. DO NOT commit to source control /
#/     [how it works](https://dotenvx.com/encryption)       /
#/----------------------------------------------------------/

# .env.ci
DOTENV_PRIVATE_KEY_CI="d4d2e22102c58f741cdddacaf69a1a64751fc014aafb90de0f1e7e6cb4d08330"

Commit .env.ci: now that its values are encrypted it is safe, and recommended, to check in. Do not commit .env.keys; add it to .gitignore so the private key stays out of the repository.

We're ready to set DOTENV_PRIVATE_KEY_CI on GitHub actions.

Set decryption key

Add DOTENV_PRIVATE_KEY_CI as a repository secret in GitHub (Settings > Secrets and variables > Actions), using the value of DOTENV_PRIVATE_KEY_CI from your .env.keys file. The workflow above already passes that secret to the dotenvx run step.


Build CI

Commit the encrypted .env.ci (but not .env.keys), push, and rerun the build.

That's it! On rerun, dotenvx uses DOTENV_PRIVATE_KEY_CI from the repository secret to decrypt .env.ci and injects its values as environment variables just in time for the build step; the private key itself never enters the repository. Your build script will say Hello ci/cd.

You'll know it worked when the logs show "injecting env (2) from .env.ci": the two entries are HELLO and DOTENV_PUBLIC_KEY_CI, the contents of the encrypted file.
