2

I'm using React and Firebase. I have a .env file with my secrets stored at the root of my project.

How can I access the .env file in the GitHub workflow yml file?

How should I proceed as best practice?

tadman
Tarun Singh

2 Answers

1

DO NOT DO THIS

Checking that into your GitHub project is a super bad idea. Added emphasis there because once keys are in your git repository you're basically in huge trouble and it is a massive hassle to undo. You never, ever want to commit keys to your repository. Just don't.[1]

Instead what you need to do is make use of GitHub Secrets either at your organization/personal level, where they can apply to your projects by default, or per-project. These can be used within GitHub actions as things like:

${{ secrets.SECRET_NAME }}

Where those will be substituted based on the secret value.

GitHub Secrets are like a secure[2] version of your .env file variables.


[1] You may think having a private repository protects you here, but it may not. Other team members may download this and inadvertently push it somewhere else. You may open-source it later without realizing. Mistakes happen because you assumed you'd never expose these keys.

[2] Of course these are only as secure as GitHub is, and they could be exposed by someone with a sufficiently high level of access even if GitHub makes it difficult to see them casually.

tadman
  • Thank you for your answer. I added my `.env file` secrets into GitHub secrets and named it `REACT_APP_API_KEY`. Here is my `.yml` file [.yml](https://pastebin.com/3hC3kRAZ). But I ran into the same issue I describe in the earlier question I asked [auth/invalid-api-key](https://stackoverflow.com/questions/66231107/firebase-hosting-and-github-action-error-auth-invalid-api-key) – Tarun Singh Feb 17 '21 at 09:08
  • You should split out the individual environment variables as different secrets, but I guess you can stuff the whole thing in there, too. – tadman Feb 17 '21 at 09:44
1

You should never commit a .env file with secret keys.

For this, you can use GitHub encrypted secrets.

  • Thank you for your response. But I ran into the same issue as described [here](https://stackoverflow.com/questions/66231107/firebase-hosting-and-github-action-error-auth-invalid-api-key). You can find my [.yml](https://pastebin.com/3hC3kRAZ) if required. – Tarun Singh Feb 17 '21 at 09:12
  • 2
    Also, I do not commit my .env file to GitHub. Actually, I'm using GitHub Actions to automatically build and deploy to Firebase when a change is detected. But it seems GitHub Actions is not provided my secrets; that's why when I visit the hosted URL it gives me an error saying `Your API key is invalid, please check you have copied it correctly.` – Tarun Singh Feb 17 '21 at 09:17
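
An added example, not taken from either answer or from the asker's workflow: mapping individual GitHub secrets into the environment of the build step, with a guard that fails the job when a secret resolves to an empty string. It assumes a Create React App project (suggested by the `REACT_APP_` prefix); the branch name, Node version and the second secret `REACT_APP_AUTH_DOMAIN` are hypothetical.

```yaml
# Added example workflow. Only REACT_APP_API_KEY comes from the thread;
# every other name below is an assumption.
name: build
on:
  push:
    branches: [main]          # assumed default branch

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20    # assumed Node version
      - run: npm ci

      # An undefined or misnamed secret expands to an empty string, so the
      # build would otherwise succeed and ship a blank key. Fail fast instead.
      - name: Check required secrets are set
        env:
          REACT_APP_API_KEY: ${{ secrets.REACT_APP_API_KEY }}
          REACT_APP_AUTH_DOMAIN: ${{ secrets.REACT_APP_AUTH_DOMAIN }}  # hypothetical
        run: |
          missing=0
          for name in REACT_APP_API_KEY REACT_APP_AUTH_DOMAIN; do
            # Test for emptiness only; never echo the value itself.
            if [ -z "$(printenv "$name")" ]; then
              echo "::error::secret $name is empty or not defined"
              missing=1
            fi
          done
          exit "$missing"

      # Create React App reads REACT_APP_* variables from the environment at
      # build time, so the secrets must be mapped on the step that builds.
      - name: Build
        env:
          REACT_APP_API_KEY: ${{ secrets.REACT_APP_API_KEY }}
          REACT_APP_AUTH_DOMAIN: ${{ secrets.REACT_APP_AUTH_DOMAIN }}
        run: npm run build
```

Anything placed in a `REACT_APP_*` variable is compiled into the JavaScript bundle served to browsers, so this keeps the value out of the repository, not out of the deployed site.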