envpkt env dotenv

Resolve the credentials described in envpkt.toml and emit them in .env (dotenv) format — the KEY=value syntax that the broad ecosystem auto-discovers: Wrangler (.env.production), Docker (--env-file), Vite / Next.js / Astro, many GitHub Actions, and direnv.

Where env export emits shell export VAR=... for eval-ing into your current shell, env dotenv emits a portable .env file — letting envpkt be the single source of truth and materialize the file fresh from sealed values, so a stale committed .env can never go out of sync.

```shell
# Print to stdout
envpkt env dotenv -c prod.envpkt.toml
# Write to a file
envpkt env dotenv -c prod.envpkt.toml -o .env.production
# Typical CI: materialize fresh, then deploy
envpkt env dotenv -c prod.envpkt.toml -o .env.production
wrangler pages deploy
```

| Option | Description | Default |
| --------------------- | -------------------------------------------- | --------------- |
| `-c, --config <path>` | Path to envpkt.toml | Auto-detected |
| `--profile <profile>` | fnox profile to use | — |
| `-o, --output <file>` | Write to a file instead of stdout | stdout |
| `--no-secrets` | Omit secret values (emit KEY= with a note) | values included |

For each resolved entry, using the namespaced wire name:

  • Env defaults ([env.*]) — KEY=value.
  • Secrets ([secret.*]) — KEY=value by default, consistent with env export and env github. Pass --no-secrets to emit KEY= (empty) with a comment instead.

Values are emitted bare when safe, and double-quoted with POSIX-shell escaping (\, ", $) otherwise. Newlines/tabs are escaped to a single-line form (\n, \r, \t) for portability across dotenv parsers. Output is deterministic — regenerating produces identical bytes.

```
# Generated by envpkt — regenerate with: envpkt env dotenv
# Source: prod.envpkt.toml. Do not edit by hand.
ENVIRONMENT=production
APP_URL=https://app.example.com
SUPABASE_SERVICE_KEY="eyJ..."
```

Unlike env github (which masks values in the log), a materialized .env is a file on disk. When -o writes secret values, the command prints a reminder to .gitignore the output. Treat generated .env* files as sensitive, or use --no-secrets to produce a value-less template.
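
One way to enforce that reminder in CI instead of relying on it, as an added example that is not part of envpkt: a wrapper that refuses to materialize the file unless git ignores the output path, and that keeps the file owner-only. The function names are hypothetical; it assumes `envpkt` and `git` are on PATH and that `-o` writes into an existing file without widening its mode.

```shell
#!/bin/sh
# Added example, not part of envpkt. All function names are hypothetical helpers.

# True when FILE exists and has no group/other permission bits (e.g. -rw-------).
dotenv_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# True when FILE is not in the git index and is matched by an ignore rule.
# Works for a path that does not exist yet, so it can run before writing.
dotenv_is_ignored() {
    dir=$(dirname -- "$1")
    base=$(basename -- "$1")
    (
        cd "$dir" || exit 1
        # A tracked file keeps being committed no matter what .gitignore says.
        if git ls-files --error-unmatch -- "$base" >/dev/null 2>&1; then
            exit 1
        fi
        git check-ignore -q -- "$base"
    )
}

# Write CONFIG's resolved values to OUT, but only to an ignored, owner-only file.
materialize_dotenv() {
    config=$1
    out=$2
    if ! dotenv_is_ignored "$out"; then
        echo "refusing to write $out: tracked by git or not ignored" >&2
        return 1
    fi
    # Pre-create with mode 600 so secrets never land in a wider-mode file.
    # Assumption: envpkt writes into the existing file and keeps its mode;
    # the final check catches the case where it does not.
    ( umask 077 && : > "$out" ) || return 1
    chmod 600 "$out" || return 1
    envpkt env dotenv -c "$config" -o "$out" || return 1
    dotenv_is_private "$out"
}

# Typical CI use:
#   materialize_dotenv prod.envpkt.toml .env.production && wrangler pages deploy
```

The ignore check runs before any secret is resolved, so a missing .gitignore entry fails the job without a secret-bearing file ever being written.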

Secret values come from sealed (encrypted_value) packets or fnox — the same sources as env export / env github. Sealed values are the typical CI source; supply the age key via ENVPKT_AGE_KEY (see env github for identity precedence). A secret present only in the ambient environment is not re-emitted.