direnv-action(1) GitHub Actions v1.3.7

Evaluate .envrc inside CI.

A compact action for installing direnv, exporting a trusted environment, validating required names, and carrying those variables into later workflow steps.

Repository
workflow trace no values printed 
$ direnv allow child
allowed .envrc
$ direnv export json
exported: CHILD_ENV, PATH, SECRET1
$ validate required
found: CHILD_ENV, SECRET1
$ mask secrets
redacted configured values
Runtime Node 24 action, bundled in dist/index.js.
Source Reads the selected directory's .envrc.
Output Exports variables to later steps; custom outputs are not defined.
Safety Use only with trusted repositories and trusted .envrc files.
Start here

Minimal workflow

Pin an exact release for repeatable builds. Use @v1 only when the workflow should receive compatible updates automatically.

.github/workflows/example.yml
steps:
  - uses: actions/checkout@v7
  - uses: HatsuneMiku3939/direnv-action@v1.3.7
    with:
      direnvVersion: 2.37.1
      masks: SECRET1, SECRET2
This action logs exported variable names for debugging, but it does not print environment variable values.
Contract

Inputs

Name Default Use it for
direnvVersion 2.37.1 Selecting the direnv binary version installed from release assets or cache.
masks '' Comma-separated environment variable names whose exported values should be redacted from logs.
required '' Newline-delimited environment variable names that must exist after direnv export json.
path . Directory where direnv allow and direnv export json run.
Patterns

Common configurations

Pin direnv

Use a known direnv version when workflow behavior must stay stable.

direnvVersion
- uses: HatsuneMiku3939/direnv-action@v1.3.7
  with:
    direnvVersion: 2.37.1

Mask secrets

List exported variable names. Do not paste raw secret values into masks.

masks
- uses: HatsuneMiku3939/direnv-action@v1.3.7
  with:
    masks: SECRET1, SECRET2

Require names

Fail the step before exporting anything when expected variables are missing.

required
- uses: HatsuneMiku3939/direnv-action@v1.3.7
  with:
    required: |
      AWS_REGION
      DATABASE_URL
      NODE_AUTH_TOKEN

Use a subdirectory

Point path at the directory containing the target .envrc.

path
- uses: HatsuneMiku3939/direnv-action@v1.3.7
  with:
    path: child
When it fails

Troubleshooting

Required variables are missing

Check that path points at the intended .envrc and that direnv export json exports every name listed in required.

Secret values still appear

Confirm masks contains variable names such as SECRET1, not the secret values.

PATH changes are not visible

When .envrc exports PATH, the action appends it through the GitHub Actions path API. Later steps in the same job receive the updated path.

Trust boundary

Security

.envrc is executable project configuration. Treat it as code, especially in workflows that can access secrets.
  • Run this action only with trusted repositories and trusted .envrc contents.
  • Review fork-based pull request workflows before exposing secrets.
  • Use masking as log redaction, not as a complete secret-protection boundary.
  • Keep sensitive logic inside trusted workflow contexts whenever possible.
Publishing

Maintainers

This site is published from GitHub Pages using branch master and folder /docs. Keep this page aligned with README.md and action.yml.

When preparing a release that changes the exact pinned tag, update both README.md and this page.