Using ConfigSync with GitHub Codespaces

GitHub Codespaces has built-in dotfiles support: point it at a dotfiles repository and it clones the repo into every new Codespace. Sounds great in theory. In practice, this approach has significant gaps.

Your dotfiles repo contains plaintext files. SSH keys, API tokens, and cloud credentials either get committed in plaintext (a security risk) or excluded entirely (leaving your Codespace incomplete). There is no encryption, no selective sync, and no way to handle platform differences between your local machine and the Codespace VM.

ConfigSync solves all of these problems. Secrets are encrypted with AES-128. You can filter which modules to pull. And template variables adapt configs to the Codespace environment automatically.

The setup is a one-line addition to your devcontainer configuration. Add ConfigSync to the postCreateCommand in your devcontainer.json:

The postCreateCommand runs once when the Codespace is created. It installs ConfigSync, authenticates with your token, and pulls your full environment. Every subsequent Codespace gets the same treatment automatically.

Your ConfigSync token should never be hardcoded. GitHub Codespaces supports encrypted secrets that are injected as environment variables:

Once the secret is stored, every Codespace you create will have $CS_TOKENavailable as an environment variable. The configsync setup command uses it to authenticate and pull your encrypted configs.

When ConfigSync pulls in a Codespace, you get everything you would have on your local machine: your shell configuration (zsh aliases, functions, prompt), Git settings (identity, signing, aliases), editor preferences (VS Code settings, keybindings, extensions list), and SSH keys for accessing private repositories or servers.

If your full environment takes too long to set up, use the --filter flag to pull only the modules that matter for Codespace development. Git and shell configs are usually the essentials.

Different projects may need different environments. You can use ConfigSync profiles to customize what gets pulled per repository:

Your work profile might include corporate proxy settings and internal registry credentials, while a personal project uses your personal Git identity and different SSH keys. Same tool, different configs, automatically applied.

With ConfigSync in your Codespace setup, opening a new Codespace feels identical to opening a terminal on your laptop. Your aliases work. Your Git commits have the right identity. Your editor looks and behaves the way you expect. And every secret is encrypted in transit and at rest.

No more "let me set up my environment" when switching to Codespaces. No more plaintext dotfiles repos with secrets stripped out. Just your full development environment, everywhere.