CLI Changelog
Changes specific to the CLI (envilder npm package).
For SDK-specific changes, see sdk-dotnet.md, sdk-python.md, or sdk-nodejs.md.
v0.12.12026-06-26
Fixed
- Honor
$config.profile for the AWS region, not just credentials — When a map file set an AWS profile via $config.profile, Envilder applied
it to credentials only; the AWS SDK fell back to the default profile's
region and silently read or wrote SSM parameters in the wrong
account-region. Envilder now sets AWS_PROFILE so the AWS SDK resolves
both the profile's region and its (SSO-capable) credentials natively.
Region resolution order is AWS_REGION > AWS_DEFAULT_REGION >
profile region > us-east-1 fallback
(#382)
Added
- Log the effective AWS identity before resolving secrets — Before the first read or write, Envilder logs
AWS identity → account=… region=… profile=… so a misrouted account
or region is immediately visible. The account is read from the active
credentials, falling back to an STS GetCallerIdentity call when not
present, then unknown
(#382)
v0.12.02026-06-26
Changed
- Preserve existing
.env formatting on pull — When the target .env file already exists, Envilder now updates values in place instead of
rewriting the file from scratch. Full-line comments, blank lines, key
ordering, export prefixes, and surrounding spacing are preserved; only
the values of mapped keys are replaced, and new keys are appended at the
end. (Inline comments after a value, e.g. KEY=val # note, are not
preserved.)
v0.11.02026-05-31
Changed
- BREAKING: Require Node.js >= 22.12 — pnpm 11, testcontainers v12, commander 15, and commitlint 21 require Node.js 22.12+. The
engines
field now enforces >=22.12.0
(#291)
Dependencies
- Update all devDependencies to latest (TypeScript 6.0.3, Biome 2.4.16, testcontainers 12.0.1, pnpm 11.5.0)
- Remove
rimraf — replaced with zero-dependency fs.rmSync in clean scripts (#291)
v0.10.02026-05-03
Added
- Map-file JSON Schema — A formal JSON Schema specification for map files, published at
https://envilder.com/schema/map-file.v1.json. Add
"$schema": "https://envilder.com/schema/map-file.v1.json" to any map file
for IDE autocomplete, inline documentation, and validation
(#218)
- Schema contract tests — 39 tests validating the JSON Schema across all providers (AWS, Azure, GCP, HashiCorp Vault, file)
Fixed
- Reserved key filtering — All
$-prefixed keys (e.g. $schema) are now excluded from variable mappings. Previously only $config was filtered,
causing $schema to leak into environment variables
(#218)
v0.9.42026-05-03
Fixed
- Mask secret path in bulk push log output (#185)
v0.9.32026-04-17
Added
- Runtime SDKs now available — Load secrets directly into your application at startup, no
.env file needed:
.NET (NuGet):
builder.Configuration.AddEnvilder("envilder.json");
Python (PyPI):
from envilder import Envilder
Envilder.load('envilder.json')
CLI (as always):
npx envilder --map=envilder.json --envfile=.env
GitHub Action:
- uses: macalbert/envilder/github-action@v0
with:
map-file: envilder.json
env-file: .env
Changed
- README rewritten — Streamlined messaging, accurate comparison tables, simplified quick start (2 steps), and reduced noise
Fixed
- ci(publish-npm): Narrowed
paths filter from src/<strong> to src/envilder/</strong> so SDK/website/IaC changes no longer trigger the
npm publish workflow
- ci(publish-npm): Replaced
npm view with curl against the npm registry API to avoid .npmrc auth failures during version detection
- ci(publish-website): Added
docs/CHANGELOG.md and docs/changelogs/** to path filters so changelog updates trigger
website deployment
Dependencies
- Bump
typescript from 6.0.2 to 6.0.3
v0.9.22026-04-02
Added
- LocalStack sponsor section — Added sponsor section to website homepage and README with LocalStack logos (dark, light, color variants) and a new
Sponsors.astro component
(#136)
- Website test suite — Added
tests/website/ with Vitest coverage for i18n utilities and Markdown helpers
BackToTop component — New scroll-to-top button component for the documentation website
Changed
- Project layout restructured for SDK platform readiness (#134):
- Core domain layer moved from
src/envilder/ to src/envilder/core/
- Website moved from
src/apps/website/ to src/website/
- All imports,
tsconfig.json, package.json, and workspace config updated accordingly
- Website UX improvements —
DocsContent, HowItWorks, ThemeSwitcher, TerminalMockup, and BaseLayout components updated; global CSS expanded; i18n keys added for new content
Fixed
- README: Replace
#gh-light-mode-only / #gh-dark-mode-only image fragments with a <picture> element using prefers-color-scheme media queries
- ci: Update version check in publish workflow to use published version from npm
Dependencies
- Bump
@aws-sdk/client-ssm from 3.1019.0 to 3.1021.0 (#140)
- Bump
@aws-sdk/credential-providers from 3.1019.0 to 3.1021.0 (#142)
- Bump
secretlint from 11.4.0 to 11.4.1 (#141)
- Bump
@secretlint/secretlint-rule-preset-recommend from 11.4.0 to 11.4.1 (#144)
- Bump
astro from 6.1.1 to 6.1.2 (#143)
- Bump
actions/configure-pages from 5 to 6 (#139)
- Bump
actions/deploy-pages from 4 to 5 (#138)
- Bump
pnpm/action-setup from 4 to 5 (#137)
v0.9.12026-03-30
Added
- Documentation website — Full Astro-based docs site deployed at envilder.com, with multi-language support (EN, ES, CA), dark/retro and light themes, and a dedicated changelog page
Changed
- Updated Envilder logo in README
Fixed
- deps: Move
@types/node from dependencies to devDependencies to prevent it from being bundled as a runtime dependency
- e2e: Use unique SSM paths per CLI test run to prevent race conditions between parallel test executions
Dependencies
- Bump
brace-expansion from 5.0.4 to 5.0.5 (security patch)
- Bump
@azure/core-rest-pipeline and @azure/identity group updates
v0.8.02026-03-22
Added
$config section in map files — Map files now support an optional $config key to declare provider and connection details inline (e.g., "provider": "azure", "vaultUrl": "https://...",
"profile": "dev-account")
- New CLI flag
--vault-url <url> — Azure Key Vault URL, overrides $config.vaultUrl in the map file
- Precedence chain: CLI flags >
$config in map file > defaults
- Backward compatible: existing map files without
$config continue to work (defaults to AWS provider)
- Azure Key Vault support — Use
--provider=azure to pull/push secrets from Azure Key Vault (#90)
- New infrastructure adapter:
AzureKeyVaultSecretProvider implementing ISecretProvider
- New CLI option
--provider <name> to select cloud provider (aws or azure, default: aws)
- Azure authentication via
DefaultAzureCredential (supports Azure CLI, managed identity, etc.)
Changed
- CLI flag
--ssm-path renamed to --secret-path — The old flag is still accepted as a deprecated alias and prints a warning. It will be removed in a future release.
configureInfrastructureServices() now receives a single MapFileConfig object instead of separate parameters
- CLI reads
$config from the map file and merges with CLI flags
- Extracted shared
ContainerConfiguration module for DI setup reused by CLI and GitHub Action
- Updated CLI description to include Azure Key Vault examples
Dependencies
- Added
@azure/keyvault-secrets
- Added
@azure/identity
- Added
@azure/core-rest-pipeline
v0.7.122026-03-22
Fixed
- ssm: Upgrade AWS SDK to resolve fast-xml-parser CVEs (#128)
Changed
- ci: Upgrade
dorny/test-reporter to v3 for Node.js 24 support (#127)
- dx: Add AI workflow agents, prompts, and lefthook pre-commit hook (#125)
Dependencies
- Bump
undici from 7.22.0 to 7.24.1 (#126)
v0.7.112026-03-08
Security
- Bump AWS SDK packages to resolve
fast-xml-parser vulnerability (#124)
v0.7.102026-03-02
Changed
- ci: Update CI configuration for improved build reliability
- Bump AWS SDK SSM to 3.1000.0 and align CI/publish workflows (#123)
Dependencies
- Bump
@aws-sdk/credential-providers from 3.995.0 to 3.1000.0 (#122)
- Bump
@types/node from 25.3.0 to 25.3.3 (#121)
- Bump
minimatch (#119)
v0.7.92026-02-22
Fixed
- security: Patch transitive dependency vulnerabilities (#118)
- ci: Simplify npm publish command in workflow
v0.7.82026-02-05
Fixed
- deps: Upgrade AWS SDK to resolve
fast-xml-parser DoS vulnerability (#116)
Dependencies
- Bump
@isaacs/brace-expansion (#115)
- Bump
@secretlint/secretlint-rule-preset-recommend (#114)
- Bump
commander from 14.0.2 to 14.0.3 (#113)
- Bump
@aws-sdk/client-ssm from 3.958.0 to 3.980.0 (#112)
- Bump
secretlint from 11.2.5 to 11.3.1 (#110)
- Bump
@commitlint/cli from 20.3.0 to 20.4.0 (#111)
v0.7.72026-01-27
Added
- push: AWS throttling retry logic and duplicate SSM path validation (#109)
Fixed
- ci: Streamline
npm publish workflow to prevent failures (#106)
Dependencies
v0.7.62026-01-16
Fixed
- ci: Align npm publish script with CI workflow expectations to prevent failures
- Removed redundant validation steps (lint, build, test) from publish script
Changed
- Simplified npm publish script from full validation pipeline to
npm pack --dry-run && npm publish
- Updated README badge links
- Converted README badges from HTML to standard Markdown format
Removed
- ci: Deleted deprecated
publish-action.yml workflow
v0.7.52026-01-15
Documentation
- Remove changelog generation instructions from documentation (#104)
Dependencies
- Bump undici to address security vulnerability (#105)
v0.7.42026-01-02
Dependencies
- Bump @commitlint/cli from 20.1.0 to 20.2.0 (#103)
- Bump testcontainers from 11.9.0 to 11.11.0 (#102)
- Bump @types/node from 24.10.1 to 25.0.3 (#101)
- Bump @testcontainers/localstack from 11.9.0 to 11.11.0 (#100)
- Bump @commitlint/config-conventional (#99)
v0.7.32025-11-29
Changed
- ci: Update Node.js version to 24 in workflow
- Update publish command to use pnpm
- Add repository field to package.json
- Standardize quotes in publish-npm.yml
Dependencies
- Bump actions/checkout from 5 to 6 (#98)
- Bump glob from 11.1.0 to 13.0.0 (#97)
- Bump pnpm/action-setup from 2 to 4 (#92)
- Bump @commitlint/cli from 19.8.1 to 20.1.0 (#94)
- Bump glob in the npm_and_yarn group (#96)
v0.7.12025-11-16
Documentation
- Update README and ROADMAP for GitHub Action integration (#95)
Changed
- ci: Update workflow to use pnpm for dependency management
Tests
- Increase timeout for E2E tests to 60 seconds
v0.7.02025-11-16
Added
- packaging: Add project build and uninstall functionality
Fixed
- cli: Correct build command from
ppnpm to pnpm
Changed
- Move GitHub Action to
github-action/ subfolder
Breaking Changes
- Action path changed from
macalbert/envilder@v1 to macalbert/envilder/github-action@v1
v0.6.62025-11-02
Changed
- Updated AWS credentials configuration in workflows
- Bumped vite, @types/node, @biomejs/biome, GitHub/codeql-action, actions/setup-node, vitest
v0.6.52025-10-15
Added
- Enabled npm trusted publishing with OIDC authentication
Dependencies
- Bumped tmp, @types/node, @testcontainers/localstack, testcontainers, @aws-sdk/credential-providers
- Bumped secretlint, @biomejs/biome, @secretlint/secretlint-rule-preset-recommend
- Bumped vite, commander, inversify
- Updated actions/checkout, actions/setup-node, actions/upload-pages-artifact, aws-actions/configure-aws-credentials
v0.6.42025-08-02
Dependencies
- Bumped typescript from 5.8.3 to 5.9.2
- Bumped secretlint, @types/glob, @secretlint/secretlint-rule-preset-recommend, @biomejs/biome
v0.6.32025-07-20
Changed
- Bump version to 0.6.3 in package.json
v0.6.22025-07-20
Changed
- di: Implement .NET-Style DIP Startup Pattern for dependency injection (#59)
v0.6.12025-07-13
Added
- Push Mode functionality to upload environment variables to AWS SSM Parameter Store
- File-based approach for pushing multiple variables from
.env files
- Single-variable approach for direct command line uploads
- Support for working with different AWS profiles when pushing secrets
Security
- Implemented secure parameter handling to protect sensitive values
Changed
- Designed clean, modular command structure for Push Mode operations
- Added new domain models and handlers to support Push feature
- Maintained separation of concerns between infrastructure and application layers
v0.6.02025-07-13
Added
- push: Introduced Push Mode — sync local
.env variables to AWS SSM Parameter Store (#57)
v0.5.62025-07-06
Added
- Introduced new logger interface for seamless integration of custom logging implementations
Changed
- Updated several packages for improved security and performance
v0.5.52025-06-29
Changed
- Moved
EnvilderBuilder from domain to application/builders directory
- Updated import paths across codebase for better organization
Fixed
- Fixed glob pattern and path handling in test cleanup functions
- Corrected file path resolution in end-to-end tests
v0.5.42025-06-10
Added
- Added unit tests for error handling with missing CLI arguments
- Enhanced unit test reporting with JUnit format for better CI integration
Changed
- Refactored
EnvFileManager and related interfaces to use async/await
- Improved error handling and modularized secret processing
- Extracted
PackageJsonFinder class
- Updated dependencies for better reliability
v0.5.32025-06-07
Added
- Modular CLI for environment variable synchronization with pluggable secret providers
- Builder pattern for flexible CLI configuration and usage
- Extensive unit, integration, and end-to-end tests
- AWS integration testing using LocalStack with TestContainers
Changed
- BREAKING: Full TypeScript migration from JavaScript
- Introduced modular, layered architecture with clear separation
- Migrated CI/CD workflows from Yarn to npm
v0.5.22025-05-18
Added
- Comprehensive E2E validation test in CI/CD pipeline
- Ensures package integrity and command-line operability before release
v0.5.12025-05-16
Fixed
- CLI command not recognized after global install (
npm install -g envilder)
- Fixed missing compiled
lib/ files in published package
v0.4.02026-05-18
Changed
- BREAKING: Root namespace for public API — All consumer-facing types moved from
Envilder.Application / Envilder.Domain to the root
Envilder namespace. Consumers now only need using Envilder;
- BREAKING: Facade class renamed to
Env — The static facade class is now Env instead of Envilder to avoid namespace/class name collision.
Use Env.Load(...), Env.ResolveFile(...), Env.FromMapFile(...) etc.
- Extension methods follow .NET conventions —
AddEnvilder() for IConfigurationBuilder moved to
Microsoft.Extensions.Configuration namespace;
AddEnvilder() for IServiceCollection moved to
Microsoft.Extensions.DependencyInjection namespace.
Both are now discoverable without any Envilder-specific using directives
Migration
Replace:
using Envilder.Application;
using Envilder.Domain;
using Envilder.Infrastructure.Configuration;
using Envilder.Infrastructure.DependencyInjection;
With:
using Envilder;
Replace facade calls:
// Before
Envilder.Load("envilder.json");
Envilder.FromMapFile("envilder.json").Inject();
// After
Env.Load("envilder.json");
Env.FromMapFile("envilder.json").Inject();
AddEnvilder() extension methods now live in Microsoft.Extensions.Configuration
and Microsoft.Extensions.DependencyInjection — no Envilder-specific import needed.
ASP.NET projects already include these namespaces via global usings; console apps
may need to add them explicitly.
v0.3.02026-05-03
Added
- Map-file JSON Schema support — Map files can now include
"$schema": "https://envilder.com/schema/map-file.v1.json" for IDE
autocomplete and validation without affecting secret resolution
Fixed
- Reserved key filtering — All
$-prefixed keys are now excluded from variable mappings. Previously only $config was filtered
(#218)
v0.2.02026-04-18
Added
- Static facade —
Envilder class with one-liner API for resolving and injecting secrets
ResolveFile(path) / ResolveFileAsync(path) — Resolve secrets from a map file
Load(path) / LoadAsync(path) — Resolve and inject secrets into Environment
ResolveFile(env, mapping) / Load(env, mapping) — Environment-routed overloads
FromMapFile(path) — Fluent builder with .WithProvider(), .WithProfile(), .WithVaultUrl()
EnvilderBuilder.Resolve() / ResolveAsync() / Inject() / InjectAsync() — Fluent terminal methods
ISecretProvider.GetSecret(name) — Synchronous secret retrieval (new interface method)
AwsSsmSecretProvider.GetSecret(name) — Sync AWS SSM implementation
AzureKeyVaultSecretProvider.GetSecret(name) — Sync Azure Key Vault implementation
EnvilderClient.ResolveSecrets(mapFile) — Sync secret resolution
Changed
- Simplify
AddEnvilder extensions — IConfigurationBuilder.AddEnvilder() and IServiceCollection.AddEnvilder() now accept (string mapFilePath, EnvilderOptions? options)
instead of requiring a manually-created ISecretProvider
(#167)
- Cross-provider validation —
SecretProviderFactory now rejects invalid combinations: AWS profile with Azure provider, or Vault URL with AWS provider
(#167)
Breaking
SecretProviderFactory is now internal — External code that referenced this type directly will no longer compile. Use the Envilder facade, EnvilderBuilder
(Envilder.FromMapFile(...)), or the AddEnvilder(string, EnvilderOptions?) extensions instead
(#167)
ISecretProvider.GetSecret(string name) — New required interface method. External implementations of ISecretProvider must add a synchronous GetSecret method
(return null for missing secrets, matching the GetSecretAsync contract)
ServiceCollectionExtensions.AddEnvilder(string, ISecretProvider) signature removed — Use AddEnvilder(string, EnvilderOptions?) instead
ConfigurationBuilderExtensions.AddEnvilder(string, ISecretProvider) signature removed — Use AddEnvilder(string, EnvilderOptions?) instead
Fixed
- Delegate default AWS region resolution to the AWS SDK — When no profile is set, the factory no longer manually resolves the region via
ResolveRegion(). Instead it creates a
plain AmazonSimpleSystemsManagementClient() which uses the full AWS SDK resolution chain
(env vars → ~/.aws/config → instance metadata), correctly picking up the default config
file settings
(#166)
- Respect
AWS_SHARED_CREDENTIALS_FILE for profile resolution — CredentialProfileStoreChain now receives the credentials file path from the AWS_SHARED_CREDENTIALS_FILE environment
variable, fixing profile discovery when credentials are stored at non-default locations
(#166)
Testing
- Unit tests for facade validation, env routing, and fluent builder chaining
- Acceptance tests for
ResolveFile and Load against LocalStack
- Sync
GetSecret tests for AWS SSM and Azure Key Vault providers
- Sync
ResolveSecrets test for EnvilderClient
v0.1.02026-04-09
Added
- Initial release — Runtime library for loading secrets from AWS SSM Parameter Store or Azure Key Vault directly into .NET applications (#147)
EnvilderClient — Resolves secrets from a map-file and returns them as a dictionary
MapFileParser — Parses envilder.json files with $config section and variable mappings
SecretProviderFactory — Creates the appropriate secret provider based on configuration
AwsSsmSecretProvider — Fetches secrets from AWS SSM Parameter Store
AzureKeyVaultSecretProvider — Fetches secrets from Azure Key Vault
IConfiguration extensions — Load secrets directly into .NET configuration
IServiceCollection extensions — Register Envilder in the DI container
EnvilderOptions — Runtime overrides for provider, vault URL, and AWS profile
- Targets .NET Standard 2.0 (compatible with .NET 6+, .NET Framework 4.6.1+)
- Published to NuGet as
Envilder
Testing
- Unit tests with xUnit, NSubstitute, AwesomeAssertions, and AutoFixture
- Acceptance tests with TestContainers (LocalStack for AWS, Lowkey Vault for Azure)
v0.4.02026-05-03
Added
- Map-file JSON Schema support — Map files can now include
"$schema": "https://envilder.com/schema/map-file.v1.json" for IDE
autocomplete and validation without affecting secret resolution
Fixed
- Reserved key filtering — All
$-prefixed keys are now excluded from variable mappings. Previously only $config was filtered
(#218)
v0.3.22026-04-18
Changed
- Encapsulate
SecretProviderFactory — Renamed to _SecretProviderFactory and removed from public re-exports; consumers should use the Envilder facade instead of creating
providers manually
(#167)
- Cross-provider validation —
_SecretProviderFactory.create() now rejects invalid combinations: AWS profile with Azure provider, or vault URL with AWS provider
(#167)
Fixed
- Delegate default AWS region resolution to boto3 — When no profile is set, the factory no longer manually resolves the region from environment variables. Instead it creates a plain
boto3.Session() which uses the full AWS SDK resolution chain (env vars → ~/.aws/config →
instance metadata), correctly picking up the default config file settings
(#166)
v0.3.12026-04-17
Fixed
- Remove
mypy-boto3-ssm runtime dependency — AwsSsmSecretProvider imported mypy_boto3_ssm.SSMClient at runtime, but the package is a dev-only type stub.
Consumers installing envilder from PyPI got ModuleNotFoundError. Replaced with
botocore.client.BaseClient which is already bundled with boto3
(#165)
v0.3.02026-04-17
Added
- Environment-based loading —
Envilder.load(env, env_mapping) and Envilder.resolve_file(env, env_mapping) accept a dictionary mapping environment names to
map file paths (or None to skip). Enables environment-aware secret loading without
external branching logic (#163)
- Source validation — Empty or whitespace-only file paths in
env_mapping now raise ValueError with a descriptive message including the environment key
v0.2.02026-04-16
Added
- Fluent API facade —
Envilder high-level entry point with load(), resolve_file(), and from_map_file() methods, plus fluent override methods (with_provider(), with_vault_url(),
with_profile()) (#161)
- Facade docstrings — All public methods on the
Envilder facade now have docstrings with usage examples, improving IDE tooltips and help() output for external consumers
v0.1.02026-04-14
Added
- Initial release — Runtime library for loading secrets from AWS SSM Parameter Store or Azure Key Vault directly into Python applications
(#157)
Envilder facade — High-level entry point with load(), resolve_file(), and from_map_file() methods
EnvilderClient — Resolves secrets from a map-file and injects them into os.environ
MapFileParser — Parses envilder.json files with $config section and variable mappings
SecretProviderFactory — Creates the appropriate secret provider based on configuration
AwsSsmSecretProvider — Fetches secrets from AWS SSM Parameter Store via boto3
AzureKeyVaultSecretProvider — Fetches secrets from Azure Key Vault
EnvilderOptions — Runtime overrides for provider, vault URL, and AWS profile
- Synchronous API — no async/await, uses boto3 natively
- Protocol-based ports — Python
Protocol instead of ABC
- Python 3.10+ with full type annotations (
py.typed)
- Published to PyPI as
envilder
Testing
- Unit tests with pytest using
Should_<Expected>_When_<Condition> naming
- Acceptance tests with TestContainers (LocalStack for AWS, Lowkey Vault for Azure)
v0.3.12026-06-26
Fixed
- Honor the
profile option for the AWS region, not just credentials — When a profile was set via the profile option or $config.profile, the
SDK applied it to credentials only; the AWS SDK fell back to the default
profile's region and silently read SSM parameters from the wrong
account-region. The SDK now sets AWS_PROFILE so the AWS SDK resolves both
the profile's region and its (SSO-capable) credentials natively. Region
resolution order is AWS_REGION > AWS_DEFAULT_REGION > profile
region > us-east-1 fallback
(#382)
v0.3.02026-05-31
Changed
- BREAKING: Require Node.js >= 22.12 — Aligns with the rest of the monorepo. Node 18 and 20 are EOL; Node 22 is the only active LTS
(#291)
- Pin dependencies to minimum viable versions — AWS SDK
^3.700.0, Azure Identity ^4.5.0, Azure Key Vault Secrets ^4.9.0 — avoids forcing
consumers to upgrade their cloud SDKs (ADR-0009)
(#291)
Dependencies
- Remove
rimraf — replaced with zero-dependency fs.rmSync in clean script (#291)
v0.2.02026-05-03
Added
- Map-file JSON Schema support — Map files can now include
"$schema": "https://envilder.com/schema/map-file.v1.json" for IDE
autocomplete and validation without affecting secret resolution
Fixed
- Reserved key filtering — All
$-prefixed keys are now excluded from variable mappings. Previously only $config was filtered
(#218)
v0.1.12026-05-02
Documentation
- Add Node.js SDK references to root README, website, and installation guide
v0.1.02026-04-25
Added
- Initial release — Node.js runtime SDK for loading secrets directly into
process.env from a map file. Supports AWS SSM Parameter Store and
Azure Key Vault
- Envilder facade —
load(), resolveFile(), fromMapFile() fluent builder for one-liner or fine-grained secret loading
- EnvilderClient — Core resolver with
resolveSecrets() and injectIntoEnvironment() for custom provider usage
- MapFileParser — Parse
$config section and variable mappings from JSON
- Secret validation — Opt-in
validateSecrets() throws SecretValidationError for empty or missing values
- Environment-based routing — Load different secret files per environment (production, development, test)
v0.12.12026-06-26
Fixed
- Honor
$config.profile for the AWS region, not just credentials — When a map file set an AWS profile via $config.profile, the action
applied it to credentials only; the AWS SDK fell back to the default
profile's region and silently read SSM parameters from the wrong
account-region. The action now sets AWS_PROFILE so the AWS SDK resolves
both the profile's region and its (SSO-capable) credentials natively.
Region resolution order is AWS_REGION > AWS_DEFAULT_REGION >
profile region > us-east-1 fallback
(#382)
Added
- Log the effective AWS identity before resolving secrets — Before the first read, the action logs
AWS identity → account=… region=… profile=… so a misrouted account
or region is immediately visible. The account is read from the active
credentials, falling back to an STS GetCallerIdentity call when not
present, then unknown
(#382)
v0.12.02026-06-26
Changed
- Preserve existing
.env formatting on pull — When the target .env file already exists, the action now updates values in place instead of
rewriting the file from scratch. Full-line comments, blank lines, key
ordering, export prefixes, and surrounding spacing are preserved; only
the values of mapped keys are replaced, and new keys are appended at the
end. (Inline comments after a value, e.g. KEY=val # note, are not
preserved.)
Dependencies
- Bundle updated with latest CLI core
v0.11.02026-05-31
Changed
- BREAKING: Require Node.js >= 22.12 — GitHub Actions workflows updated to use
node-version: "22.x". The bundled CLI now requires Node.js 22.12+
(#291)
Dependencies
- Bundle updated with latest CLI core (all dependencies at latest)
v0.10.02026-05-03
Fixed
- Reserved key filtering —
$schema and other $-prefixed keys no longer leak into environment variable mappings
(#218)
Dependencies
- Bundle updated with latest CLI core (map-file schema support)
v0.9.42026-05-03
Fixed
- Rebuild stale dist and remove force-tracked build artifacts (#193)
Dependencies
- Bundle updated with latest CLI core (dependency bumps)
v0.9.32026-04-17
Changed
- Bundle updated with latest CLI core (runtime SDKs announcement, dependency bumps)
Fixed
- ci(publish-npm): Narrowed
paths filter from src/<strong> to src/envilder/</strong> so SDK/website/IaC changes no longer trigger the
npm publish workflow
v0.9.22026-04-02
Changed
- Bundle updated with latest CLI core (Azure Key Vault,
$config map-file support)
v0.8.02026-03-22
Added
- Azure Key Vault support — Use
provider: azure input to pull secrets from Azure Key Vault
- New input
vault-url — Azure Key Vault URL, overrides $config.vaultUrl in the map file
- New input
provider — Select cloud provider (aws or azure, default: aws)
$config section support in map files — declare provider and connection details inline
Changed
- Updated
action.yml description and inputs to reflect multi-provider support
- Both CLI and GHA now use shared
ContainerConfiguration module for DI setup
v0.7.12025-11-16
Documentation
- Update GitHub Action version from v1 to v0.7.1 in documentation
- Fix example version references
v0.7.02025-11-16
Added
- Initial GitHub Action release — Use Envilder in CI/CD workflows natively
- Pull secrets from AWS SSM Parameter Store into
.env files during workflow runs
- End-to-end tests for GitHub Actions simulation
Changed
- Action moved to
github-action/ subfolder
Breaking Changes
- Action path changed from
macalbert/envilder@v1 to macalbert/envilder/github-action@v1