envgen 1.0.5

Generate and validate .env files from one spec - self-documenting config, consistent across environments, secrets stay out of git.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314

# envgen

Generate `.env` files from a declarative YAML schema.

`envgen` is a small Rust CLI for keeping environment variable definitions (docs + sources + per-environment behavior) in one place, then generating `.env` files safely and repeatably.

- **Single source of truth**: variables + documentation live in YAML
- **Source-agnostic**: resolve values via `static`, `manual`, or arbitrary shell commands
- **Multi-environment**: one schema can cover local/staging/production
- **One schema → one output file**: run multiple times to populate multiple `.env` files
- **Safe defaults**: won’t overwrite existing files without `--force`
- **Tooling-friendly**: list variables, validate schemas, export a JSON Schema for editor autocomplete

**Status:** stable (`v1.x`) as of `v1.0.0`. Breaking changes follow semantic versioning major releases.

## Demo

`envgen init` writes a commented sample schema (`env.dev.yaml`). Here’s what it looks like to use:

```bash
envgen list -c env.dev.yaml
```

```text
Schema: env.dev.yaml (Sample envgen schema. Replace with your project description.)

+-----------+-----------------------+--------------+
| Name      | Environments          | Source       |
+==================================================+
| API_TOKEN | dev, local, prod, stg | manual       |
|-----------+-----------------------+--------------|
| APP_NAME  | dev, local, prod, stg | static       |
|-----------+-----------------------+--------------|
| BUILD_ID  | local, dev, stg, prod | command_name |
+-----------+-----------------------+--------------+

3 variables across 4 environments
```

Preview what would happen before writing anything:

```bash
envgen pull -c env.dev.yaml -e dev --dry-run --interactive
```

```text
Schema:      env.dev.yaml
Environment: dev
Destination: .env.dev (does not exist)

Variables to resolve:

  API_TOKEN
    source:  manual (interactive prompt)
    instructions:
      Example (GitHub fine-grained personal access token):
      1) Go to https://github.com and sign in.
      2) Click your avatar (top-right) -> Settings.
      3) Scroll to the bottom of the left sidebar -> Developer settings.
      4) Personal access tokens -> Fine-grained tokens -> Generate new token.
      5) Set an expiration date, limit repository access, and grant least-privilege permissions.
      6) Click Generate token and copy it immediately (you won't be able to see it again).
      7) Paste the token here when prompted by envgen.
      Tip: Store it in a password manager and rotate it regularly.

  APP_NAME
    source:  static
    value:   Envgen Dev

  BUILD_ID
    source:  command_name
    command: bash -lc 'echo envgen-demo-dev-BUILD_ID-$(date +%Y%m%d%H%M%S)'

3 variables would be written to .env.dev
1 command would be executed (2 static/manual)
```

## Install

### Homebrew (personal tap)

```bash
brew tap smorinlabs/tap
brew install envgen
```

This project currently ships through the `smorinlabs/tap` formula stream. `homebrew-core`
support is a future track and is intentionally non-blocking for releases.

### Cargo

```bash
# From crates.io (if published):
cargo install envgen --locked

# Or from git:
cargo install --git https://github.com/smorinlabs/envgen --locked
```

### Prebuilt binaries

Download the appropriate archive from [GitHub Releases](https://github.com/smorinlabs/envgen/releases) and place `envgen` on your `PATH`.

### From source

```bash
cargo build --release --locked
./target/release/envgen --help
```

## Quickstart

Create a sample schema:

```bash
envgen init
# writes ./env.dev.yaml
```

Validate it:

```bash
envgen check -c env.dev.yaml
```

Generate a `.env` file (preview first, then write):

```bash
envgen pull -c env.dev.yaml -e dev --dry-run --interactive
envgen pull -c env.dev.yaml -e dev --interactive --force
# prompts for any `source: manual` variables when `--interactive` is set
```

List variables:

```bash
envgen list -c env.dev.yaml
```

Generate Markdown docs:

```bash
envgen docs -c env.dev.yaml
```

## Command summary

- `envgen init`: write a sample schema
- `envgen check`: validate a schema file
- `envgen list`: show variables (table by default; `--format json` is available)
- `envgen docs`: generate Markdown documentation for a schema
- `envgen pull`: resolve variables and write the destination `.env` file
- `envgen schema`: export the embedded JSON Schema used for structural validation and editor autocomplete
- `envgen readme`: print the embedded README.md to stdout

Useful flags:

- `pull`: `--dry-run`, `--force`, `--destination`, `--source-timeout`, `--interactive`, `--show-secrets`, `--write-on-error`
- `pull --source-timeout <seconds>`: hard timeout per source command; timed-out commands are terminated
- `list`: `--env`, `--format`

## Schema format (YAML)

At a high level:

- `environments`: defines env names and config values usable as `{placeholders}`
- `sources`: defines named shell command templates to fetch values
- `variables`: defines each variable’s description, sensitivity, applicability, and source

Optional documentation fields:

- `sources.*`: `label`, `url`, `description`
- `variables.*.resolvers[]`: `label`, `url`, `description`

Supported schema version:

- `"2"`: one `source` per variable, plus optional per-environment `resolvers`

Placeholders available in templates:

- `{environment}`: the selected environment name
- `{key}`: the variable’s `source_key` (or the variable name)
- Any key from the active `environments.<env>` map (e.g., `{firebase_project}`)

Minimal example (schema v2):

```yaml
schema_version: "2"

metadata:
  description: "Frontend env vars"
  destination:
    local: ".env"
    production: ".env.production"

environments:
  local:
    firebase_project: "my-app-staging"
    base_url: "http://localhost:5173"
  production:
    firebase_project: "my-app"
    base_url: "https://app.example.com"

sources:
  gcloud:
    command: "gcloud secrets versions access latest --secret={key} --project={firebase_project}"
    label: "Google Cloud Secret Manager"
    url: "https://console.cloud.google.com/security/secret-manager"

variables:
  VITE_BASE_URL:
    description: "Base URL for the app"
    sensitive: false
    source: static
    values:
      local: "{base_url}"
      production: "{base_url}"

  VITE_API_KEY:
    description: "API key (prompt locally; prod comes from Secret Manager)"
    source_key: API_KEY
    source_instructions: |
      Example (GitHub fine-grained personal access token):
      1) Go to https://github.com and sign in.
      2) Click your avatar (top-right) -> Settings.
      3) Scroll to the bottom of the left sidebar -> Developer settings.
      4) Personal access tokens -> Fine-grained tokens -> Generate new token.
      5) Set an expiration date, limit repository access, and grant least-privilege permissions.
      6) Click Generate token and copy it immediately (you won't be able to see it again).
      7) Save it somewhere secure (you won't be able to view it again later).
    environments: [local, production]
    resolvers:
      - environments: [local]
        source: manual
        label: "Local OAuth client"
        url: "https://console.cloud.google.com/apis/credentials"
      - environments: [production]
        source: gcloud
        label: "Secret Manager"
```

## JSON Schema (editor validation)

Export the embedded JSON Schema (for YAML Language Server, CI, etc.). This is also the schema `envgen`
uses for **structural** validation; `envgen check` adds **semantic** validation on top. Structural
validation is implemented via the `jsonschema` crate (Draft 2020-12) on the YAML parsed into
`serde_json::Value`.

```bash
envgen schema
# writes ./envgen.schema.vA.B.C.json
```

The schema artifact version (`A.B.C`) is managed independently from the crate version via
`SCHEMA_VERSION`.

Point the YAML Language Server at it (top of your schema file):

```yaml
# yaml-language-server: $schema=./envgen.schema.vA.B.C.json
```

## Versioning and Release Model

`envgen` uses two independent release streams:

- Crate version stream:
  - Version source: `Cargo.toml` (`[package].version`)
  - Release notes: `CHANGELOG.md`
  - Tag format: `vX.Y.Z`
- Schema artifact version stream:
  - Version source: `SCHEMA_VERSION`
  - Release notes: `SCHEMA_CHANGELOG.md`
  - Tag format: `schema-vA.B.C`

These streams are intentionally decoupled. Bumping the crate version does not require a schema
artifact version bump, and bumping the schema artifact version does not require a crate version
bump.

Common bump and tag commands:

```bash
# crate version flow
make bump-crate-patch
make tag-crate && make push-tag-crate

# schema artifact version flow
make bump-schema-patch
make tag-schema && make push-tag-schema
```

Full release guide: [`RELEASING.md`](RELEASING.md)  
Schema artifact release notes: `SCHEMA_CHANGELOG.md`

## Safety notes

- **Command sources are executed via `sh -c`**. Treat schemas as code; don’t run untrusted schemas.
- `envgen pull` refuses to overwrite existing files unless you pass `--force`.
- By default, `envgen pull` does not write the destination file when write-blocking failures occur (any command-source failure, or required static/manual failure). Use `--write-on-error` to write resolved variables anyway.
- `--dry-run` masks `sensitive: true` values unless you pass `--show-secrets`.

## Development

```bash
make check
make test
make fmt
```

For release operations, bump behavior, and tagging workflow, use [`RELEASING.md`](RELEASING.md) as the source of truth.

## License

MIT (see `LICENSE`).