env-sync: A CLI That Prevents Missing Env Vars from Breaking Deployments

I Built a CLI to Stop Missing Env Vars from Breaking Deployments

Jordach M Makaya built a TypeScript CLI, env-sync, that syncs local .env files to GitHub Actions secrets and GitLab CI/CD variables. The tool was created after the author repeatedly encountered deployment failures caused by missing environment variables in CI pipelines.

Why This Matters

The reality is that most projects start with simple .env and .env.example files, but as they grow—adding staging, production, CI, preview environments—the gap between what’s documented and what’s actually present widens. This disconnect is where avoidable deployment failures occur; the debugging session is often more complex than the bug itself.

Key Insights

• Dry-run first: The tool requires a —dry-run flag before any real sync to prevent silent changes to secrets (env-sync documentation).
• Explicit provider support: Currently supports GitHub Actions secrets via gh CLI and GitLab CI/CD variables via REST API (Jordach M Makaya).
• Monorepo-aware: Applies namespacing rules to reduce collisions between shared variable names like DATABASE_URL or REDIS_URL across different packages (Jordach M Makaya).
• Small dependency surface: Designed as a focused CLI rather than a full secret-management platform like Vault or Doppler (Jordach M Makaya).

Working Examples

Practical Applications

• ./env.example → CI pipeline
• ./Sync without review → Silent deployment drift
• ./GitHub Actions → gh auth status required before sync
• ./Multiple services sharing generic names → Collision risk without namespacing rules

References: