Best practice for .env files with travis continuous deployment
Closed this issue · 4 comments
Currently I am using Travis's repository environment variables, and these work perfectly for the build process. However, upon trying to deploy (to App Engine managed VMs in my case) those are not carried over. I see everywhere people suggesting to use a .env file or similar methods to store them. This makes sense for local, but if I want them to be available for deployment, what is the best method?
I have one idea, but not sure how secure or ideal it is.
Basically, since I don't want my .env on a public git repository, I have it added to my .gitignore. However, this means when a Travis build triggers, there will be no .env cloned into the build environment. However, in theory I could put all my envs on the Travis repository settings, and then as part of the Travis script before deployment, copy those values and generate a .env file each build that will be deployed (of course making sure not to display them in the build output). This way no one would have access (I think) and I could manage all my variables from the Travis web interface.
Concerns:
- Not sure how to go about accessing them, but I found this regarding travis access token which seems like it would work. (https://github.com/travis-ci/travis.rb#build-environment-variables)
- Assuming I can access them, what is the best way to output them to a temp file securely?
Thank you
Just thought of this as well as another potential solution. Maybe I should add it to my git repository (not ignored) but encrypt it using this, and simply decrypt it during my build process similar to my client-secret-json.
https://github.com/travis-ci/travis.rb#encrypt-file
The only downside I see is that anytime I want to make a change to my environment variables, I will need to redo the encryption step.
@nathang21 yes, encryption is the way to go for Travis. 👍
@nelsonic Agreed. Thanks, I guess I would just need to get a good encryption workflow down.
An approach that I'm trying to get functional is to take a .env.example and then use sed to replace the values of that file. Essentially it'd look something like this:
- cp .env.example .env
# pass environment variables in travis to the app
- sed -ri 's/^MY_ENV_VAR=/MY_ENV_VAR=\$MY_ENV_VAR/' .env
While this used to work, something has changed in the past 6 months with Travis and this implementation appears to no longer be functional. I have an open question on SO to help me debug it: https://stackoverflow.com/questions/43839065/trouble-using-sed-to-replace-contents-of-coveralls-yml-configuration-in-travis
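The idea discussed in this thread (values kept in the Travis repository settings, a committed .env.example as the list of keys), written as an added example that is not code from any of the commenters. It avoids sed by copying each key's value straight from the environment, keeps values out of a traced build log, and refuses to write a partial file; `render_env` is a hypothetical helper name, and it assumes one `KEY=value` per line in the template.

```sh
#!/bin/sh
# Added example (assumption: template holds one KEY=value per line).
# Usage in a CI step before deploy:  render_env .env.example .env

render_env() (
  set +x                      # keep secret values out of a traced build log
  template=$1 out=$2 rc=0
  nl='
'
  umask 077                   # temp file and final .env are owner-only
  tmp=$(mktemp "$out.XXXXXX") || exit 1
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) printf '%s\n' "$line" >>"$tmp"; continue ;;  # keep blanks/comments
    esac
    key=${line%%=*}
    case $key in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
        echo "render_env: unsupported line in $template" >&2; rc=1; continue ;;
    esac
    # key is a validated identifier here, so the eval cannot inject commands
    eval "isset=\${$key+x}; val=\${$key-}"
    if [ -z "$isset" ]; then
      echo "render_env: $key is not set" >&2     # report the name, never a value
      rc=1; continue
    fi
    case $val in
      *"$nl"*) echo "render_env: $key contains a newline" >&2; rc=1; continue ;;
    esac
    printf '%s=%s\n' "$key" "$val" >>"$tmp"
  done <"$template"
  # Publish only a complete file; a missing variable fails the build instead.
  if [ "$rc" -eq 0 ]; then mv "$tmp" "$out"; else rm -f "$tmp"; fi
  exit "$rc"
)
```

Because the value is written with `printf` rather than spliced into a sed expression, characters such as `/`, `&` and `$` in a secret pass through unchanged.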