
I have struggled with how to write this so please bear with me. I'll try and be as clear as possible. Setup:

  • Github repo with 3 branches (Master/Development/Staging)
  • Each branch has a unique dotenv file
  • Repo has VueJS code (but could also be laravel)

Now, using GitHub Actions, we deploy to a different domain based on the branch.

What I can't solve is how best to handle the different dotenv files. During build, dotenv is used to build the final product. IDEALLY I would like to keep as much of the env file contents in a GitHub Secret for obvious reasons, but I am not sure if this is possible. The other option is to have 3 dotenv files based on the branch, but that just adds complexity and confusion around keeping them all in sync.

What is the best way to handle this so each deploy gets the right settings inside the dotenv file?

ArcticMediaRyan
  • Have you considered encrypting the whole dotenv file and using a secret to decrypt it during the workflow, as per [Limits for secrets](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#limits-for-secrets)? – Benjamin W. Aug 12 '20 at 22:15
  • @BenjaminW OMG you rock!! can you turn this into the official answer please so I can upvote it... This is PERFECT!!! – ArcticMediaRyan Aug 12 '20 at 22:25
  • This seems like an odd scenario; .env files should generally not be committed to a repository, they should exist and be managed on each environment separately. You have said "During build, dotenv is used to build the final product." So maybe you have some good use case for this. May I ask what it is? – Kurt Friars Aug 13 '20 at 00:05
  • Yeah, so on git commit, Github Actions runs the commands to build the app/site, and when done deploys it to its location (in this case S3 static website hosting). So using the above mentioned system, I can keep it out of the repo, and use the env file to deploy / serve the code. – ArcticMediaRyan Aug 13 '20 at 03:26

1 Answer


Disclaimer: I have no clue about best practices for dotenv.

If you have a secret that's larger than the allowed 64 KB, you can follow the instructions for Limits for secrets, roughly this:

  • Encrypt your secret:

    gpg --symmetric --cipher-algo AES256 .env
    
  • Store the passphrase as a secret, for example LARGE_SECRET_PASSPHRASE

  • Add the encrypted file to the repository, for example as .env.gpg

  • To decrypt in a workflow, run something like

    run: |
      gpg --quiet --batch --yes --decrypt \
          --passphrase=${{ secrets.LARGE_SECRET_PASSPHRASE }} \
          --output .env .env.gpg
    
Benjamin W.
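Putting the accepted approach into a complete workflow, as an added example that is not part of the answer above or of any project the question describes: one encrypted dotenv file per branch is committed (the plaintext `.env` stays in `.gitignore`), a single passphrase lives in a GitHub Secret, and the workflow picks the file that matches the pushed branch, decrypts it, builds, and deploys. The branch-to-bucket mapping, the `env/<branch>.env.gpg` layout, the secret name `ENV_PASSPHRASE` and the bucket names are assumptions for illustration. Unlike the snippet in the answer, the passphrase is read from an environment variable and fed to `gpg` on stdin with `--passphrase-fd 0`, so it never appears in the shell command line or in the job's process list, and `${{ }}` expressions are kept out of the `run:` script body.

```yaml
# Added example workflow (assumed layout: env/master.env.gpg, env/development.env.gpg,
# env/staging.env.gpg; secret ENV_PASSPHRASE holds the gpg symmetric passphrase).
name: Build and deploy by branch

on:
  push:
    branches: [master, development, staging]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Decrypt the dotenv file that belongs to the branch that was pushed.
      # The passphrase reaches gpg via stdin, not argv; the secret is exposed to
      # this step only through the env block, never interpolated into the script.
      - name: Decrypt dotenv for this branch
        env:
          ENV_PASSPHRASE: ${{ secrets.ENV_PASSPHRASE }}
          BRANCH: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          src="env/${BRANCH}.env.gpg"
          test -f "$src" || { echo "no encrypted env file for branch ${BRANCH}" >&2; exit 1; }
          printf '%s' "$ENV_PASSPHRASE" | gpg --quiet --batch --yes --decrypt \
              --pinentry-mode loopback --passphrase-fd 0 \
              --output .env "$src"
          chmod 600 .env
          # Never cat .env here: secret masking only covers values stored as GitHub Secrets.

      - name: Build
        run: |
          npm ci
          npm run build

      # Assumed: one S3 bucket per branch; real bucket names are placeholders.
      - name: Deploy to the bucket for this branch
        env:
          BRANCH: ${{ github.ref_name }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_REGION: us-east-1
        run: |
          set -euo pipefail
          case "$BRANCH" in
            master)      bucket="PLACEHOLDER-prod-bucket" ;;
            staging)     bucket="PLACEHOLDER-staging-bucket" ;;
            development) bucket="PLACEHOLDER-dev-bucket" ;;
            *) echo "unexpected branch ${BRANCH}" >&2; exit 1 ;;
          esac
          aws s3 sync dist/ "s3://${bucket}" --delete

      # Remove the plaintext before the job ends so it cannot leak through
      # a later step, artifact upload, or cache action.
      - name: Scrub decrypted dotenv
        if: always()
        run: rm -f .env
```

To produce the committed files, run `gpg --symmetric --cipher-algo AES256 --output env/staging.env.gpg .env` once per branch with the same passphrase, then store that passphrase as `ENV_PASSPHRASE`. Re-encrypting on every change is the price of keeping the values out of the repo; the benefit over three plaintext files is that a clone of the repository reveals nothing without the secret, and rotating the passphrase is a single secret update plus a re-encrypt.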