Problem
Developers working locally must manually copy secrets into .env. Error-prone. Painful at scale. Drift between CI and local dev.
Extension already lists secret names in "Secrets" and "Variables" views. Cannot bridge to local env.
Proposed solution
Add command: "GitHub Actions: Pull Secrets to .env"
- Authenticate via existing GitHub login
- Fetch secret names for current repo + environments (same scope as Secrets view)
- Preview available secrets (names only)
- On confirm, fetch plaintext values (one-time workflow run, or a new API endpoint if GitHub adds one)
- Write .env at workspace root (configurable)
Alternatives
| Option | Gap |
| --- | --- |
| Manual .env | Current flow; time-consuming, drift-prone |
| act + secret file | Needs values already present locally; no help sourcing them |
| GitHub Codespaces | Auto-injects, but only inside Codespaces, not local dev |
| gh extension | Separate tool, extra auth context |
Constraints
- GitHub API does not expose secret plaintext: values are sealed client-side with the repo public key (libsodium sealed box) before upload, stay encrypted at rest, and are only decrypted into a running job; the REST API returns names and metadata only
- Needs either: a new API endpoint, OR a one-time workflow run (workflow_dispatch) that exports the values. Echoing base64-encoded values is not safe: the runner's log masking redacts only the exact secret string, so a base64 copy lands unmasked in run logs readable by anyone with read access to the repo (on a public repo, everyone). A workflow approach must encrypt the values to a key held only by the requesting developer, and delete the run afterwards
- Solution should parallel how Codespaces injects secrets into the environment
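The hardened transport for the workflow-execution approach, as an added example (not the extension's or GitHub's code): the extension generates a one-time X25519 key pair and hands only the public key to the run; the workflow step derives an AES-256-GCM key from an ephemeral X25519 pair plus that public key (HKDF-SHA256) and echoes a single envelope line carrying ciphertext only; the extension decrypts it with the private key that never left the developer's machine. The job log holds no plaintext and no base64 of plaintext, so a reader of the log learns nothing, and any edit to the line fails the GCM tag check. The workflow_dispatch input name `requester_pubkey`, the envelope layout (`ephemeralPub.nonce.ciphertext+tag`, base64), the HKDF info string, and the sample secrets in `demo()` are assumptions made for the example.

```typescript
// Added example, not the extension's or GitHub's code: seal secret values to the
// requesting developer so a one-time workflow run can hand them back through its
// log without plaintext (or base64 of plaintext) ever appearing there.
import {
  createCipheriv, createDecipheriv, createPublicKey, diffieHellman,
  generateKeyPairSync, hkdfSync, randomBytes, KeyObject,
} from "node:crypto";

// Assumed domain-separation string for HKDF, not a GitHub-defined value.
const INFO = Buffer.from("gh-actions-pull-secrets/v1", "utf8");
const TAG_LEN = 16;

// Extension side. The private key stays in this process; the public key
// (DER SPKI, base64) is passed to the workflow, assumed as input `requester_pubkey`.
export function newRequester(): { privateKey: KeyObject; publicKeyB64: string } {
  const { publicKey, privateKey } = generateKeyPairSync("x25519");
  const spki = publicKey.export({ type: "spki", format: "der" });
  return { privateKey, publicKeyB64: spki.toString("base64") };
}

function importPub(spkiDer: Buffer): KeyObject {
  return createPublicKey({ key: spkiDer, format: "der", type: "spki" });
}

// X25519 shared secret -> HKDF-SHA256 -> 256-bit AES-GCM key, salted with the
// ephemeral public key so every run derives a distinct key.
function deriveKey(priv: KeyObject, pub: KeyObject, salt: Buffer): Buffer {
  const shared = diffieHellman({ privateKey: priv, publicKey: pub });
  return Buffer.from(hkdfSync("sha256", shared, salt, INFO, 32));
}

// Workflow side: runs inside the job where the secrets are in env. Returns the
// one line the step echoes: "ephemeralPub.nonce.ciphertext||tag", all base64.
export function sealForRequester(requesterPubB64: string, secrets: Record<string, string>): string {
  const requesterPub = importPub(Buffer.from(requesterPubB64, "base64"));
  const eph = generateKeyPairSync("x25519");
  const ephPub = eph.publicKey.export({ type: "spki", format: "der" });
  const nonce = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", deriveKey(eph.privateKey, requesterPub, ephPub), nonce);
  const body = Buffer.concat([cipher.update(JSON.stringify(secrets), "utf8"), cipher.final()]);
  const ct = Buffer.concat([body, cipher.getAuthTag()]);
  return [ephPub, nonce, ct].map((b) => b.toString("base64")).join(".");
}

// Extension side: take the echoed line from the job log and decrypt it.
// A tampered or truncated envelope fails the tag check and throws.
export function openFromWorkflow(privateKey: KeyObject, envelope: string): Record<string, string> {
  const parts = envelope.split(".");
  if (parts.length !== 3) throw new Error("malformed envelope");
  const [ephPub, nonce, ct] = parts.map((p) => Buffer.from(p, "base64"));
  if (ct.length < TAG_LEN || nonce.length !== 12) throw new Error("malformed envelope");
  const key = deriveKey(privateKey, importPub(ephPub), ephPub);
  const decipher = createDecipheriv("aes-256-gcm", key, nonce);
  decipher.setAuthTag(ct.subarray(ct.length - TAG_LEN));
  const pt = Buffer.concat([decipher.update(ct.subarray(0, ct.length - TAG_LEN)), decipher.final()]);
  return JSON.parse(pt.toString("utf8")) as Record<string, string>;
}

// Both sides of the exchange with constructed sample secrets; also reports
// whether the base64 of any secret shows up in the log line (it must not).
export function demo(): { logLine: string; leaksBase64: boolean; recovered: Record<string, string> } {
  const requester = newRequester();
  const secrets = { DB_PASSWORD: "hunter2", API_TOKEN: "token-value-1" }; // constructed
  const logLine = sealForRequester(requester.publicKeyB64, secrets);
  const leaksBase64 = Object.values(secrets).some((v) => logLine.includes(Buffer.from(v).toString("base64")));
  return { logLine, leaksBase64, recovered: openFromWorkflow(requester.privateKey, logLine) };
}
```

In the workflow the step would map the chosen secrets into `env:`, call `sealForRequester` with the dispatch input, and print the returned line; the extension polls the run, reads that line from the job log, calls `openFromWorkflow`, then deletes the run. The private key should live only in memory for the duration of one pull, so a later reader of the (deleted or not) log has nothing to decrypt with.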
Prior art
Success criteria
- Open local repo in VS Code → run "Pull Secrets to .env"
- GitHub auth (once) → see available secrets by scope
- Confirm → .env written at workspace root; .env added to .gitignore if not already ignored