🚀 Auto-Upload `.env` Secrets to GitHub Actions Using Bash + GitHub CLI

Keeping your GitHub Actions secrets in sync with your local .env files can be a repetitive and error-prone process. Manually copying variables into GitHub’s UI every time you update .env or .env.local isn’t scalable.

In this guide, you’ll learn how to:

Automatically detect the current GitHub repository
Upload all variables from .env and .env.local to GitHub Actions Secrets
Use a safe and reusable Bash script with GitHub CLI

🧩 Why You Need This

This script solves the pain of manual secret syncing by:

🚫 Preventing errors from mismatched values
⚡️ Speeding up onboarding or project bootstrap
🔒 Avoiding exposing secrets in Git

Perfect for teams, CI setups, and anyone who hates manual UI work.

⚙️ Prerequisites

To run the script, you’ll need:

✅ GitHub CLI (gh) installed → Install it here
✅ Authentication set up:

gh auth login

✅ Your .env and .env.local files present (but ignored in .gitignore)

🛠 The Script: `upload-secrets.sh`

#!/bin/bash

FILES=(".env" ".env.local")

# === Detect GitHub Repository Automatically ===
if command -v gh &>/dev/null; then
  REPO=$(gh repo view --json nameWithOwner -q .nameWithOwner)
else
  REPO=$(git config --get remote.origin.url | sed -E 's|.*github\.com[:/](.*)\.git|\1|')
fi

if [[ -z "$REPO" ]]; then
  echo "❌ Could not detect GitHub repository. Set REPO manually."
  exit 1
fi

echo "🔗 Target GitHub repo: $REPO"

# === Check gh CLI is installed ===
if ! command -v gh &>/dev/null; then
    echo "❌ GitHub CLI (gh) is not installed. Install it from https://cli.github.com/"
    exit 1
fi

# === Check auth ===
if ! gh auth status &>/dev/null; then
    echo "❌ You are not authenticated with gh CLI. Run: gh auth login"
    exit 1
fi

# === Process each env file ===
for FILE in "${FILES[@]}"; do
    if [ -f "$FILE" ]; then
        echo "📄 Reading from $FILE"
        while IFS='=' read -r key value; do
            if [[ "$key" =~ ^\s*# || -z "$key" ]]; then
                continue
            fi

            key=$(echo "$key" | xargs)
            value=$(echo "$value" | sed -e 's/^["'"'"']//' -e 's/["'"'"']$//' | xargs)

            gh secret set "$key" --repo "$REPO" --body "$value"
            echo "✅ Secret set: $key"
        done < "$FILE"
    else
        echo "⚠️ File $FILE not found. Skipping."
    fi
done

echo "🎉 All secrets uploaded to $REPO"

🔐 Secure and Smart

Ignores comments (#) and blank lines
Trims quotes from values like TOKEN="abc123"
Works with both .env and .env.local
Skips missing files gracefully

🧪 How to Use

Save it as upload-secrets.sh
Make it executable:

chmod +x upload-secrets.sh

Run it inside your Git project:

./upload-secrets.sh

You'll see output like:

📄 Reading from .env
✅ Secret set: API_KEY
✅ Secret set: DB_PASSWORD
...
🎉 All secrets uploaded to fornfun/18plus

🧠 Bonus Tips

This script uploads to repository-level secrets (available in all workflows).
For environment-specific secrets (production, staging), you can extend the script with --env:

gh secret set "$key" --env "production" --repo "$REPO" --body "$value"

🛡️ Don't Forget

Never commit .env or .env.local to Git
Rotate secrets periodically
Restrict Actions access to trusted users and branches

🏁 Final Thoughts

This tiny script makes life easier when managing secrets in GitHub Actions. Whether you're syncing development keys or automating CI/CD, it saves time, reduces errors, and keeps your workflow clean.

Author: @sh20raj 💡 Built for devs who love automation and hate manual UI work.

SH20RAJ/Automate GitHub Actions Secret Upload from .env Files Using Bash.md

🚀 Auto-Upload .env Secrets to GitHub Actions Using Bash + GitHub CLI