feat: Onboard xom9ikk/dotenv action

.github/workflows/actions_release.yml

@@ -0,0 +1,28 @@
+name: Release GitHub Actions
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag for the release"
+        required: true
+      node_version:
+        description: "Specify Node.js version (e.g., '18', '20', 'lts/*')"
+        required: false
+        type: string
+        default: "24"
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+
+    uses: step-security/reusable-workflows/.github/workflows/actions_release.yaml@v1
+    with:
+      tag: "${{ github.event.inputs.tag }}"
+      node_version: "${{ github.event.inputs.node_version }}"

.github/workflows/audit_package.yml

@@ -0,0 +1,30 @@
+name: NPM Audit Fix Run
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: "Specify a base branch"
+        required: false
+        default: "main"
+      node_version:
+        description: "Specify Node.js version (e.g., '18', '20', 'lts/*')"
+        required: false
+        type: string
+        default: "24"
+
+  schedule:
+    - cron: "0 0 * * 1"
+
+jobs:
+  audit-fix:
+    uses: step-security/reusable-workflows/.github/workflows/audit_fix.yml@v1
+    with:
+      base_branch: ${{ inputs.base_branch || 'main' }}
+      node_version: "${{ inputs.node_version || '24' }}"
+
+permissions:
+  contents: write
+  pull-requests: write
+  packages: read
+  issues: write

.github/workflows/test.yml

@@ -0,0 +1,34 @@
+name: Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: "24"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Format check
+        run: npm run format && git diff --exit-code
+
+      - name: Build
+        run: npm run build
+
+      - name: Dist up to date?
+        run: git diff --exit-code dist/

.gitignore

@@ -0,0 +1,4 @@
+node_modules/
+.idea/
+.vscode/
+.env*

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2026 StepSecurity
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -1 +1,55 @@
-# dotenv
+[![StepSecurity Maintained Action](https://raw.githubusercontent.com/step-security/maintained-actions-assets/main/assets/maintained-action-banner.png)](https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions)
+
+# StepSecurity Dotenv Loader
+
+GitHub Action that reads a `.env` file from the workspace and exports every `KEY=VALUE` pair into `$GITHUB_ENV` so subsequent steps can consume the variables. Variable expansion (`${OTHER_KEY}` references) is supported via `dotenv-expand`.
+
+Useful for workflows that share configuration across multiple steps, environment-specific deploys (`.env.production`, `.env.staging`), or for pulling non-secret defaults out of repeated `env:` blocks.
+
+## Inputs
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `path` | no | `./` | Directory containing the `.env` file. |
+| `mode` | no | — | If set, load `.env.<mode>` instead of plain `.env` (e.g. `development`, `production`). |
+| `load-mode` | no | `strict` | `strict` = fail if the file is missing. `skip` = log a warning and continue with no exports. |
+
+## Example usage
+
+```yaml
+name: Deploy
+
+on: [push]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Load .env
+        uses: step-security/dotenv@v2
+        with:
+          path: ./config
+          mode: production
+          load-mode: strict
+
+      - name: Use the variables
+        run: |
+          echo "API endpoint is $API_URL"
+          echo "Region is $AWS_REGION"
+```
+
+If you have an `.env` like:
+
+```
+API_URL=https://api.example.com
+AWS_REGION=us-east-1
+GREETING=Hello from ${AWS_REGION}
+```
+
+then after the action runs, `$GREETING` expands to `Hello from us-east-1`.
+
+## License
+
+MIT. See [LICENSE](LICENSE).

SECURITY.md

@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities to security@stepsecurity.io

action.yml

@@ -0,0 +1,25 @@
+name: "StepSecurity Dotenv Loader"
+description: "Read a .env file and export every key into GITHUB_ENV so subsequent steps can use the variables."
+author: "step-security"
+
+inputs:
+  path:
+    description: "Directory containing the .env file."
+    required: false
+    default: "./"
+  mode:
+    description: "If set, load .env.<mode> instead of plain .env (e.g. development, production)."
+    required: false
+    default: ""
+  load-mode:
+    description: "'strict' to fail when the .env file is missing; 'skip' to continue silently."
+    required: false
+    default: "strict"
+
+runs:
+  using: "node24"
+  main: "dist/index.js"
+
+branding:
+  icon: "settings"
+  color: "blue"