Behavior of `recursive` flag and exported environment variable naming

[knobel-dk]

Hi team

Thanks for the great work on this GitHub Action — it's been really useful to our team.

While working with the recursive flag, I ran into a bit of ambiguity that I hope you can help clarify. Specifically, I’m unsure how secret keys are exported when they come from nested folders and recursive is enabled.

Example scenario

Given the following secrets structure in Infisical:

/
└── prod/
    └── db/
        ├── username = “admin”
        └── password = “supersecret”

And the following action input:

with:
  method: "universal"
  client-id: ${{ secrets.INFISICAL_CLIENT_ID }}
  client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
  env-slug: "prod"
  project-slug: "my-project"
  recursive: true

• What are the expected exported environment variable names in this case?
  • Are they exported as-is (e.g. db/username)?
  • Or are they sanitized to be shell-safe (e.g. DB_USERNAME)?
• If the secret key contains characters like /, ., or -, how is that handled?
  • Are they preserved, replaced, or removed?
  • Does the GitHub Action normalize them automatically, or is it up to the user?
• Would it be possible to include an example output in the documentation, showing:
  • A nested secret path structure
  • The corresponding exported variables (with recursive: true)
  • What happens when recursive: false

Thanks again for the great work — just looking for clarity so that we can integrate this more safely.

Happy to contribute improvements to the docs once this is clarified!

Best,

Jacob