GitHub Dotenv Secrets

gh-import-dotenv-to-secrets is a small helper for copying simple .env entries into GitHub Actions repository secrets.

Use it only in the repository that should receive the secrets. It has no dry-run mode and gh secret set overwrites secrets with matching names.

The script reads .env from the current directory:

KEY=value
QUOTED="value"
SINGLE_QUOTED='value'

It skips empty keys and lines whose key starts with #.

For each remaining line, it strips one leading and trailing single or double quote from the value, then runs:

gh secret set "$key" -b"$value_no_quotes"

Run it from the target GitHub repository, after confirming the authenticated account and the repository that gh resolves to:

gh auth status
gh repo view --json nameWithOwner
gh-import-dotenv-to-secrets

Verify the resulting secret names:

gh secret list

This helper is not a full dotenv parser. Avoid using it for:

  • Multiline values.
  • export KEY=value syntax.
  • Values containing unescaped = that need exact dotenv parsing semantics.
  • Environment or organisation secrets.
  • Selective import.

For those cases, use gh secret set directly.
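
Because the helper has no dry-run mode, a preview pass over .env can list which secret names would be written and flag lines that fall under the limitations above. This is an added example, not the helper's own code: the function names are hypothetical, the sample input is constructed, and it assumes each line is split at the first =.

```sh
#!/bin/sh
# Added example, not the helper's code: list what an import would set,
# without calling gh and without printing any secret value.
# Assumption: each line is split at the first '='.

# Remove one matching pair of surrounding single or double quotes.
strip_quotes() {
  v=$1
  case $v in
    \"*\") v=${v#\"}; v=${v%\"} ;;
    \'*\') v=${v#\'}; v=${v%\'} ;;
  esac
  printf '%s' "$v"
}

# preview_dotenv FILE: print SET or REVIEW for each non-skipped line.
preview_dotenv() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    key=${line%%=*}
    case $key in ''|'#'*) continue ;; esac   # the helper skips these
    case $line in
      *=*) ;;
      *) echo "REVIEW line $n: no '=' (multiline value?)"; continue ;;
    esac
    case $key in
      'export '*) echo "REVIEW line $n: export syntax"; continue ;;
      [!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "REVIEW line $n: invalid name"; continue ;;
    esac
    value=$(strip_quotes "${line#*=}")
    case $value in
      '') echo "REVIEW $key: empty value" ;;
      \"*|\'*|*\"|*\') echo "REVIEW $key: quote left after stripping" ;;
      *=*) echo "REVIEW $key: value contains '='" ;;
      *) echo "SET $key" ;;
    esac
  done < "$1"
}

# Constructed sample input; real use: preview_dotenv .env
demo() {
  tmp=$(mktemp)
  printf '%s\n' '# comment' 'API_KEY="abc123"' "TOKEN='t0k'" '' \
    'export REGION=eu' 'DSN=host=db user=app' 'CERT="-----BEGIN' \
    'MIIB' '-----END"' > "$tmp"
  preview_dotenv "$tmp"
  rm -f "$tmp"
}
demo
```

Any REVIEW line marks an entry to set by hand with gh secret set rather than through the wrapper.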

For one or two secrets, prefer setting them explicitly:

gh secret set MY_SECRET -b"$MY_SECRET"

That keeps the target secret name and value source obvious.

If the command writes to the wrong repository, stop and rotate or replace the affected secrets in GitHub. Then rerun from the correct repository.

If a value imports with quotes still attached, set that secret manually with gh secret set. This wrapper only strips a simple matching quote at the beginning and end.

If gh secret set fails, check GitHub authentication and repository permissions:

gh auth status
gh repo view --json nameWithOwner