npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

ghsecret

v1.2.0

Published

Push .env variables to GitHub Secrets & Variables

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

barisdemirhanbarisdemirhan

Keywords

githubsecretsvariablesenvclighdotenv

Readme

Built with Claude Code

English | Türkçe

ghsecret

Push .env variables to GitHub Secrets & Variables — with smart conflict detection and precedence warnings.

# Push all .env vars as secrets
ghsecret -s -a

# Interactive mode — pick keys, choose target, decide per key
ghsecret -i

Why

Managing GitHub Secrets and Variables through the web UI is slow and error-prone. ghsecret reads your .env file and pushes values directly via the GitHub CLI — with safety checks that prevent common mistakes:

  • Detects existing values before overwriting and asks for confirmation
  • Warns about GitHub's precedence rules (Environment > Repository > Organization) so you don't push a secret that gets silently shadowed
  • Detailed error messages for permission issues, rate limits, and network errors
  • Dry run mode to preview what would happen without touching anything

Quick Start (no install)

# Interactive mode — guided step by step
npx ghsecret -i

# Push a single key as secret
npx ghsecret -s -k DB_PASSWORD

# From a specific file
npx ghsecret -s -a -f .env.production

# Push all keys as variables (dry run first)
npx ghsecret -v -a --dry-run

# Push to a specific environment
npx ghsecret -s -k API_KEY --env staging

# Push to organization
npx ghsecret -v -k SLACK_WEBHOOK --org my-org

# Push to a specific repo (skip remote selection)
npx ghsecret -s -a --repo my-org/my-repo

Install

# Global install for repeated use
npm install -g ghsecret

# Or clone and link
git clone https://github.com/barisdemirhan/ghsecret.git
cd ghsecret && npm install && npm run build && npm link

Requires: GitHub CLI (gh) authenticated via gh auth login and Node.js 18+.

Usage

ghsecret -s|-v [options]              Push as secret or variable
ghsecret -i                           Interactive mode
ghsecret push <key1> <key2> ... -s    Push specific keys

Modes

| Flag | Description | |------|-------------| | -s, --secret | Push as GitHub Secret | | -v, --variable | Push as GitHub Variable | | -i, --interactive | Interactive picker (choose file, target, keys, and mode) |

Options

| Flag | Description | |------|-------------| | -f, --file <path> | Env file path (default: .env) | | -a, --all | Push all keys from the file | | -k, --keys <k1,k2> | Comma-separated keys to push | | --org <name> | Push to organization level | | --env <name> | Push to environment level | | --dry-run | Preview without pushing | | --force | Skip confirmation prompts | | --repo <owner/repo> | Target specific repository (skips remote selection) |

Examples

# Push all vars as secrets
ghsecret -s -a

# Push specific keys as variables
ghsecret -v -k APP_NAME,APP_URL,APP_ENV

# From a specific file with dry run
ghsecret -s -a -f .env.production --dry-run

# Push to staging environment
ghsecret -s -k DB_HOST,DB_PASSWORD --env staging

# Push to organization
ghsecret -v -k SLACK_WEBHOOK --org my-org

# CI/CD — no prompts
ghsecret -s -a --force

# Target a specific repo (useful with multiple remotes)
ghsecret -s -a --repo my-org/my-repo

Interactive Mode

Run ghsecret -i for a guided experience:

📁 Env file path:
  › .env.production

🎯 Push target:
 ❯ 📦 Repository
   🏢 Organization
   🌍 Environment

📋 Variables in .env.production:
─────────────────────────────────────────
 ❯ ◉  APP_NAME                      = ••••••••
   ◉  APP_ENV                       = ••••••••
   ○  DB_HOST                       = ••••••••
   ◉  DB_PASSWORD                   = ••••••••
   ○  REDIS_URL                     = ••••••••

 ↑↓ navigate · space select · a toggle all · enter confirm · q quit
 3 selected

Push as:
 ❯ 🔒 Secret
   📋 Variable
   🔀 Mixed (choose per key)

Remote Selection

When multiple git remotes are detected, ghsecret asks which repo to target:

🔗 Multiple remotes found. Push to which repo?
 ❯ origin   → barisdemirhan/ghsecret
   upstream → someorg/ghsecret

To skip the prompt, use --repo:

ghsecret -s -a --repo someorg/ghsecret

Push Progress

Each key is pushed one at a time with real-time feedback:

 ✓ APP_NAME → 🔒 secret
 ✓ DB_HOST → 📋 variable
 ✗ BAD_KEY — Permission denied
⠋ Pushing 4/15... API_KEY → 🔒 secret

Safety Features

Conflict Detection

Before pushing, ghsecret checks if keys already exist at the target level:

⚠ 2 key(s) already exist at this level:
  • DB_PASSWORD (updated: 3/15/2026)
  • API_KEY (updated: 3/1/2026)

 [a] Overwrite all · [s] Select · [n] Cancel

Press s to pick which keys to overwrite individually:

⚠ Which keys should be overwritten?
 ❯ ◉  DB_PASSWORD   (updated: 3/15/2026)
   ○  API_KEY        (updated: 3/1/2026)

 ↑↓ navigate · space toggle · a all · enter confirm · q cancel
 1 selected — selected will be overwritten, others skipped

Precedence Warnings

GitHub resolves secrets and variables with a priority system: Environment > Repository > Organization. ghsecret detects when your push would be ineffective:

🚫 1 key(s) are shadowed by a higher-priority level:
  GitHub precedence: Environment > Repository > Organization
  • DB_PASSWORD — Repository level has the same key and will take priority
  These values will NOT be used at runtime!
Some keys will be shadowed. Continue anyway? [y/N]

Or when your push overrides a lower-priority level:

ℹ 1 key(s) will override lower-priority values:
  • DB_PASSWORD — Will override the Organization-level value

Environment Auto-Create

When pushing to an environment that doesn't exist yet, ghsecret offers to create it:

⚠ Environment "staging" does not exist in this repository.
Create environment "staging" and continue? [y/N]

Error Handling

Clear, actionable error messages instead of raw API errors:

| Scenario | Message | |----------|---------| | Insufficient permissions | Permission denied. Check your token scopes and repo access. | | Repo/org not found | Resource not found. Check the repo, org, or environment name. | | Rate limited | Rate limited by GitHub API. Wait a moment and try again. | | Network issue | Network error. Check your internet connection. |

Exit Codes

| Code | Meaning | |------|---------| | 0 | Success | | 1 | Error or user cancelled |

Works correctly with && chaining and CI pipelines.

.env Format

Supports all common formats including multiline values:

# Comments are skipped
APP_NAME=MyApp
APP_URL="https://example.com"
APP_KEY='base64:abc123'
export DB_HOST=localhost
INLINE=value # inline comments are stripped

# Multiline values
PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----"

Uninstall

npm uninstall -g ghsecret

License

MIT