What do you use for managing creds for .env files?


Is the direnv used for development envrionments on laptop? or also for production environments on linux VPS servers?

Another vote for direnv 👆only in development though - on production I usually use a PaaS (Heroku, Netlify etc).

Not sure you meant by "managing creds", I'm looking at storing codebase specific env variables for production on github secrets at the repo level.

Then somehow use github actions to deploy and re-create the .env file for production environments


I wrote up of my current approach as a SO answer to my own question.

Reproduced below:

I realized I should have fleshed out the whole target scenario more explicitly in terms of hard requirements.

Target scenario: how to deploy from GitHub to a Ubuntu VPS

Hard requirements

Must use:

  • Github Actions
  • Ubuntu LTS VPS (I use DigitalOcean)

Must see:

  • the codebase on the VPS be updated to latest main branch
  • there is a new .env file in the project path on the VPS


I discover 2 general approaches.

Approach 1. multiple actions + rsync method

1. checkout action then rsync to update codebase
2. create-envfile then rsync

This approach uses mixture of GitHub Actions. Namely, checkout and create-envfile

Approach 2. ssh-action with bash script + git clone method

  1. ssh-action then
    1. git clone using bash script to update codebase
    2. create envfile using bash script

This approach uses 1 GitHub Action but it needs more bash scripting

I chose approach 2 because git clone is superior to rsync.

This is my ci.yml

name: Deploy via SSH
on: [workflow_dispatch]
    name: Deploy
    runs-on: ubuntu-latest
    - name: Deploy via SSH
      uses: appleboy/[email protected]
        host: ${{ secrets.SSH_HOST }}
        username: ${{ secrets.SSH_USERNAME }}
        key: ${{ secrets.SSH_KEY }}
        script: |
          # git update to latest codebase on main branch
          cd /path/to/project && git pull
          # updating the .env file
          cat <<EOF > ${{ secrets.ENVFILE_PATH }}
          # start of envfile
          # end of envfile
          # see end result of envfile
          ls -l ${{ secrets.ENVFILE_PATH }}

As for how to save the secrets to your GitHub repo for SSH access, please check this article

Note: the cloudflare was overzealous in hiding the repo and branch name which uses the @ symbol. So best to go read the SO answer to see the full response

Thank you for sharing KimSia :)

I guess this is particular to my setup, but since I'm using vercel on the front end for nextjs I just do it on their website. This is great if your website is all static.

server side I usually just use an ec2 instance. On there I usually use systemd unit file to run my server. In the unit file I put all my env. variables. But in code I just use dotenv


Django Environ is fabulous in production. We can place the .env file anywhere. And no other setup is needed. The env file is picked by Django through

There is also…. This can be helpful if you have a Python project but not Django specific.

thanks for providing both django and python specific

👋 Join WIP to participate