GitHub Actions Sync
GitHub Actions Sync pushes secrets from your local .env file to your GitHub repository's Actions secrets, and can pull the list of existing secret names back down.
Prerequisites
GitHub CLI (gh)
The push operation uses the gh CLI tool to handle the encryption that GitHub requires for secrets. Install it from cli.github.com:
# macOS
brew install gh
# Windows (via winget)
winget install --id GitHub.cli
# Linux
# See https://github.com/cli/cli/blob/trunk/docs/install_linux.md
Authenticate with:
gh auth login
GitHub Personal Access Token (PAT)
For listing existing secrets (the pull/preview direction), the extension needs a PAT with repo scope:
- Go to github.com/settings/tokens
- Generate a classic token with the repo scope
- Copy the token
The token is stored in VS Code SecretStorage (OS keychain).
Setup
When you first run GitHub Actions Sync, you'll be prompted for:
- GitHub Token (PAT) — for listing secrets
- Repository — in owner/repo format, e.g. acme/my-app
Pushing Secrets
Run ENV Manager Pro: GitHub Actions Sync → Push. For each variable in your active .env file, the extension runs:
gh secret set "KEY" --body "VALUE" --repo "owner/repo"
The gh CLI handles the libsodium sealed-box encryption that GitHub's API requires — you don't need to install any crypto libraries.
Pulling (List)
The pull direction retrieves the list of secret names from GitHub (GitHub's API does not return secret values). This is useful to verify which secrets exist before pushing.
Security Notes
- Secret values are passed via stdin to gh secret set, never via command-line arguments (which would appear in process listings)
- The GitHub token has read access to list secrets, but gh secret set uses the authenticated gh session, not the PAT
If gh is not installed, the extension shows an error with an install link. Typing a wrong repository name will push to the wrong repo — double-check owner/repo.
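The stdin form that the Security Notes describe, as an added shell example that is not the extension's own code: with --body omitted, gh secret set reads the value from standard input, so it never appears in a process listing. The function name push_env_secrets, the simple KEY=VALUE parsing and the owner/repo format check are assumptions made for this example.

```shell
# Added example: push_env_secrets is an illustrative name, not the extension's code.
# Usage: push_env_secrets path/to/.env owner/repo
push_env_secrets() {
  env_file=$1
  repo=$2

  # Accept only a plain owner/repo, so a malformed value fails before any push.
  case $repo in
    */*/* | /* | */ | *[!A-Za-z0-9._/-]*) echo "bad repo: $repo" >&2; return 2 ;;
    */*) ;;
    *) echo "bad repo: $repo" >&2; return 2 ;;
  esac

  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      '' | '#'*) continue ;;   # blank line or comment
      *=*) ;;                  # KEY=VALUE
      *) continue ;;           # anything else is ignored
    esac
    key=${line%%=*}
    value=${line#*=}

    # Secret names: letters, digits and underscores, not starting with a digit.
    case $key in
      '' | [0-9]* | *[!A-Za-z0-9_]*) echo "skipping invalid name: $key" >&2; continue ;;
    esac

    # Strip one pair of surrounding quotes, as .env files commonly use them.
    case $value in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac

    # printf is a shell builtin, so the value is in no process's argv.
    # Without --body, gh secret set reads the secret from standard input.
    printf '%s' "$value" | gh secret set "$key" --repo "$repo" || return 1
  done < "$env_file"
}
```

The format check only rejects malformed repository strings; a well-formed but wrong owner/repo still has to be caught by reading it before pushing.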