Asked

What do you use for managing creds for .env files?




👋 Hi, I'm Sasha, an open-source writer, indie maker, and serial strugglepreneur. Made @date_fns 𝗑 @chirrapp 𝗑 http://backupfire.dev

direnv

Tweets on building in public. I'm experimenting with daily tweets on #BuildInPublic for April-May 2021 and sharing my learnings

Is direnv used for development environments on a laptop, or also for production environments on Linux VPS servers?

Another vote for direnv 👆 only in development though - on production I usually use a PaaS (Heroku, Netlify etc).


Not sure what you meant by "managing creds". I'm looking at storing codebase-specific env variables for production in GitHub Secrets at the repo level.

Then somehow use GitHub Actions to deploy and re-create the .env file for production environments.

UPDATE:

I wrote up my current approach as an SO answer to my own question.

Reproduced below:

I realized I should have fleshed out the whole target scenario more explicitly in terms of hard requirements.

Target scenario: how to deploy from GitHub to a Ubuntu VPS

Hard requirements

Must use:

  • Github Actions
  • Ubuntu LTS VPS (I use DigitalOcean)

Must see:

  • the codebase on the VPS be updated to latest main branch
  • there is a new .env file in the project path on the VPS

Approaches

I discovered 2 general approaches.

Approach 1. multiple actions + rsync method

Outline:
1. checkout action then rsync to update codebase
2. create-envfile then rsync

This approach uses a mixture of GitHub Actions, namely checkout and create-envfile.

Approach 2. ssh-action with bash script + git clone method

  1. ssh-action then
    1. git clone using bash script to update codebase
    2. create envfile using bash script

This approach uses 1 GitHub Action, but it needs more bash scripting.

I chose approach 2 because git clone is superior to rsync.

This is my ci.yml:

name: Deploy via SSH
on: [workflow_dispatch]
jobs:
  deploy:
    name: Deploy
    runs-on: ubuntu-latest
    steps:
    - name: Deploy via SSH
      # the version tag after the @ was obscured in the original post; pin a release here
      uses: appleboy/ssh-action@<version>
      with:
        host: ${{ secrets.SSH_HOST }}
        username: ${{ secrets.SSH_USERNAME }}
        key: ${{ secrets.SSH_KEY }}
        script: |
          # stop on the first failure so a failed pull does not still rewrite the envfile
          set -e
          # git update to latest codebase on main branch
          cd /path/to/project && git pull
          # updating the .env file
          # ${{ }} is substituted by GitHub before the script reaches the server;
          # the quoted delimiter stops the remote shell from expanding any $ inside the secret value
          cat <<'EOF' > ${{ secrets.ENVFILE_PATH }}
          # start of envfile
          DJANGO_SECRET_KEY=${{ secrets.ENVFILE_DJANGO_SECRET_KEY }}
          # end of envfile
          EOF
          # see end result of envfile (mode and size only; the contents stay out of the CI log)
          ls -l ${{ secrets.ENVFILE_PATH }}

As for how to save the secrets to your GitHub repo for SSH access, please check this article.

Note: Cloudflare was overzealous in hiding the repo and branch name, which use the @ symbol. So it's best to go read the SO answer to see the full response.
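The remote part of approach 2 above (writing the .env file on the VPS from secret values) is where a deploy script most often goes wrong: the file is created with the default umask, so it is briefly world-readable; a half-written file can be read mid-deploy; an empty or mistyped secret is written silently; and `echo` can mangle values containing backslashes. The script below is an added example, not the asker's ci.yml or anything from the appleboy/ssh-action project. The function names `write_envfile`, `envfile_mode` and `envfile_keys` and the sample variable values are constructed for illustration; it assumes the secret values reach the server as KEY=VALUE arguments (for instance via environment variables forwarded by the SSH action, with the `${{ }}` interpolation kept out of the script body).

```shell
#!/bin/sh
# Added example (not from the thread): write a .env file atomically, owner-only,
# and refuse to deploy when a variable name is bad or a value is empty.
set -eu

# write_envfile TARGET KEY=VALUE [KEY=VALUE ...]
# Builds the file in a 0600 temp file next to TARGET and renames it into place,
# so readers never see a partial file or a world-readable window.
write_envfile() {
  target=$1; shift
  tmp=$(mktemp "${target}.XXXXXX")   # mktemp creates the file with mode 0600
  chmod 0600 "$tmp"                   # explicit, in case the platform differs
  for pair in "$@"; do
    key=${pair%%=*}
    val=${pair#*=}
    # only valid shell identifiers are accepted as names
    case $key in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        rm -f "$tmp"; echo "invalid variable name: '$key'" >&2; return 2 ;;
    esac
    # an empty secret usually means a missing GitHub secret, so fail loudly
    if [ -z "$val" ]; then
      rm -f "$tmp"; echo "refusing to write empty value for $key" >&2; return 3
    fi
    # printf writes the value verbatim; echo may interpret backslashes
    printf '%s=%s\n' "$key" "$val" >> "$tmp"
  done
  mv -f "$tmp" "$target"
}

# envfile_mode FILE: print the octal permission bits (GNU stat, BSD stat fallback)
envfile_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# envfile_keys FILE: list variable names only, safe to print in a CI log
envfile_keys() {
  sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1"
}

# Stand-alone demo with constructed values (the real deploy passes them in as arguments)
if [ "${1:-}" = "--demo" ]; then
  demo_dir=$(mktemp -d)
  write_envfile "$demo_dir/.env" DJANGO_SECRET_KEY='s3cr$et\value' DEBUG=0
  echo "mode: $(envfile_mode "$demo_dir/.env")"
  echo "keys: $(envfile_keys "$demo_dir/.env" | tr '\n' ' ')"
  rm -rf "$demo_dir"
fi
```

Run it with `sh write-env.sh --demo` to see the mode and key list; in a deploy step, call `write_envfile /path/to/project/.env DJANGO_SECRET_KEY="$DJANGO_SECRET_KEY"` and let a non-zero exit stop the job before anything is restarted against a broken file. The key list is what belongs in the CI log, never the file contents.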

building failing products until one of them doesn't fail

I guess this is particular to my setup, but since I'm using Vercel on the front end for Next.js I just do it on their website. This is great if your website is all static.

Server side, I usually just use an EC2 instance. On there I usually use a systemd unit file to run my server. In the unit file I put all my env variables. But in code I just use dotenv github.com/motdotla/dotenv

🤔 learning/devtools/productivity products. Can offer help with: Coding/JS/CSS. Could use with help with: finding customers, building an audience 😅
