// docs

GitHub Action

Pull environment variables from Envpilot into a GitHub Actions job — no more copy-pasting secrets into repository settings.

GitHub Action

envpilot-action pulls environment variables from Envpilot straight into a GitHub Actions job, so your deploy secrets live in one place instead of being duplicated into GitHub repository settings.

Usage#

yaml
- name: Pull environment variables
  uses: rafay99-epic/envpilot-action@v1
  with:
    token: ${{ secrets.ENVPILOT_TOKEN }}
    environment: production

Store the service token as a repository or environment secret (ENVPILOT_TOKEN above) — never hardcode it in the workflow file.

Inputs#

InputRequiredDefaultDescription
tokenYesEnvpilot service token (envpk_…), scoped to a single project and environment
environmentYesEnvironment to pull, e.g. production, staging, development
api-urlNohttps://www.envpilot.devEnvpilot API base URL. Override only for self-hosted or non-production instances
export-envNo"true"When true, exports every pulled variable to $GITHUB_ENV so later steps can read it directly
env-fileNoPath to write the pulled variables as a dotenv file (KEY='value' per line). Skipped if unset

How variables reach later steps#

By default (export-env: "true"), the action appends every pulled variable to the special $GITHUB_ENV file that GitHub Actions exposes to each step. Anything written there becomes a regular environment variable for every subsequent step in the same job — no extra wiring needed:

yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
 
      - name: Pull environment variables
        uses: rafay99-epic/envpilot-action@v1
        with:
          token: ${{ secrets.ENVPILOT_TOKEN }}
          environment: production
 
      - name: Deploy
        run: ./deploy.sh # DATABASE_URL, API_SECRET, etc. are already in the environment

To write a dotenv file instead of (or in addition to) exporting:

yaml
- uses: rafay99-epic/envpilot-action@v1
  with:
    token: ${{ secrets.ENVPILOT_TOKEN }}
    environment: production
    export-env: "false"
    env-file: .env

Masking guarantee#

Every pulled value is registered with GitHub Actions' log masking (core.setSecret) before it is exported or written anywhere. That means the value is redacted as *** in the job log even if a later step accidentally echoes it — masking happens at the runner level, not as a best-effort convention.

Security#

  • Read-only. The token can pull variables; it cannot create, modify, or delete them.
  • Project- and environment-scoped. A service token only reads the single project and environment(s) it was minted for — it can't be pointed at other projects, and the action never prints or logs the token itself.
  • Revocable with no grace period. Revoke a token from Envpilot under Project Settings → CI/CD Tokens (or API Keys for the newer scoped-key platform) — the next pull is rejected immediately.
  • Rate limited. Pulls are rate-limited per token; a workflow that hammers this action in a tight loop will start getting 429 responses.
  • Ephemeral by design. GitHub-hosted runners are destroyed after the job finishes, so pulled values never persist beyond the job's lifetime unless you explicitly write them to an artifact.

See API Security for the full key model shared across the GitHub Action, REST API, and MCP server.