Use local environment variables rather than hub or secrets?

[mmynsted]

When I look in the documentation here -> https://docs.continue.dev/reference#config-yaml-reference
I see:

Local blocks utilizing mustache notation for secrets (${{ secrets.SECRET_NAME }}) can read secret values:

    globally, from a .env located in the global .continue folder (~/.continue/.env)
    per-workspace, from a .env file located at the root of the current workspace.

I have created a secret named OPENROUTER_KEY. I added it to ~/.continue/.env and then also to my local working directory's .env. It is never read.

I have attempted both

${{ secrets.OPENEROUTER_KEY }}

and

${{ inputs.OPENEROUTER_KEY }}

Here is an example from the documentation that is close to my config.yaml

name: myprofile/custom-model
models:
  - name: My Favorite Model
    provider: anthropic
    apiKey: ${{ inputs.ANTHROPIC_API_KEY }}
    defaultCompletionOptions:
      temperature: ${{ inputs.TEMP }}

I have also added OPENROUTER_KEY to the env directly using an Age - SOPS pipeline. I can see the variable when echo, but it does not get loaded to my ~/.continue/config.yaml.

My goal is to use environment variables for the keys using my Age - SOPS pipleline so that I have one mechanism for all AI tools using they same keys. I do not want to store the keys in the secrets or hub SaaS. What am I doing wrong? Maybe there is another way to debug this? I have messages showing in the developer console which does throw errors consistent with the OPENROUTER_KEY never being found/read.

I have reloaded the config many times. I have recycled VSCODE a number of times. My VSCODE and continue are the latest available.

[bdougie]

@mmynsted looking at your example. You need to add the model as well. Everything else should work as is.

name: myprofile/custom-model
models:
  - name: My Favorite Model
    provider: anthropic
    model: claude-sonnet-4-20250514 # this was missing in your example
    apiKey: ${{ inputs.ANTHROPIC_API_KEY }}
    defaultCompletionOptions:
      temperature: ${{ inputs.TEMP }}

Let me know if you are seeing these error messages below the extension (Assuming you are on VS Code)

Also put together a FAQ in this PR around it - #7209

[mmynsted]

Thank you it is working now. It was a scope issue.

When I decrypt the keys and store them in the shell globally, at shell start, then they are available to VS Code and so to continue.dev, because continue.dev finds them in the process's environment. To do what I was wanting, decrypt the values, just-in-time for Continue.dev I would need to modify (contribute) to the way continue.dev finds secrets and inputs on load. If I am correctly reading how this works. . .

I did not test more for why the ~/.continue/.env was not working for me, but I do not plan to use it that way anyway, until I sort out automated decryption with SOPS for continue.dev. (Which is what I think will require changes to how continue.dev finds and reads secrets.)