GitHub Action
envpilot-action pulls environment variables from Envpilot straight into a GitHub Actions job, so your deploy secrets live in one place instead of being duplicated into GitHub repository settings.
Usage#
- name: Pull environment variables
uses: rafay99-epic/envpilot-action@v1
with:
token: ${{ secrets.ENVPILOT_TOKEN }}
environment: productionStore the service token as a repository or environment secret (ENVPILOT_TOKEN above) — never hardcode it in the workflow file.
Inputs#
| Input | Required | Default | Description |
|---|---|---|---|
token | Yes | — | Envpilot service token (envpk_…), scoped to a single project and environment |
environment | Yes | — | Environment to pull, e.g. production, staging, development |
api-url | No | https://www.envpilot.dev | Envpilot API base URL. Override only for self-hosted or non-production instances |
export-env | No | "true" | When true, exports every pulled variable to $GITHUB_ENV so later steps can read it directly |
env-file | No | — | Path to write the pulled variables as a dotenv file (KEY='value' per line). Skipped if unset |
How variables reach later steps#
By default (export-env: "true"), the action appends every pulled variable to the special $GITHUB_ENV file that GitHub Actions exposes to each step. Anything written there becomes a regular environment variable for every subsequent step in the same job — no extra wiring needed:
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Pull environment variables
uses: rafay99-epic/envpilot-action@v1
with:
token: ${{ secrets.ENVPILOT_TOKEN }}
environment: production
- name: Deploy
run: ./deploy.sh # DATABASE_URL, API_SECRET, etc. are already in the environmentTo write a dotenv file instead of (or in addition to) exporting:
- uses: rafay99-epic/envpilot-action@v1
with:
token: ${{ secrets.ENVPILOT_TOKEN }}
environment: production
export-env: "false"
env-file: .envMasking guarantee#
Every pulled value is registered with GitHub Actions' log masking (core.setSecret) before it is exported or written anywhere. That means the value is redacted as *** in the job log even if a later step accidentally echoes it — masking happens at the runner level, not as a best-effort convention.
Security#
- Read-only. The token can pull variables; it cannot create, modify, or delete them.
- Project- and environment-scoped. A service token only reads the single project and environment(s) it was minted for — it can't be pointed at other projects, and the action never prints or logs the token itself.
- Revocable with no grace period. Revoke a token from Envpilot under Project Settings → CI/CD Tokens (or API Keys for the newer scoped-key platform) — the next pull is rejected immediately.
- Rate limited. Pulls are rate-limited per token; a workflow that hammers this action in a tight loop will start getting
429responses. - Ephemeral by design. GitHub-hosted runners are destroyed after the job finishes, so pulled values never persist beyond the job's lifetime unless you explicitly write them to an artifact.
See API Security for the full key model shared across the GitHub Action, REST API, and MCP server.