I have struggled with how to write this so please bear with me. I'll try and be as clear as possible: Setup:
Now, using GitHub Actions, we deploy to a different domain based on the branch.
What I can't solve is how best to handle the different dotenv files. During build, dotenv is used to build the final product. IDEALLY I would like to keep as much of the env file contents in a GitHub Secret for obvious reasons, but I am not sure if this is possible. The other option is to have 3 dotenv files based on the branch but that just adds complexity and confusion around keeping them all in sync.
What is the best way to handle this so each deploy gets the right settings inside the dotenv file?
Disclaimer: I have no clue about best practices for dotenv.
If you have a secret that's larger than the allowed 64 KB, you can follow the instructions for Limits for secrets, roughly this:
Encrypt your secret:
gpg --symmetric --cipher-algo AES256 .env
Store the passphrase as a secret, for example LARGE_SECRET_PASSPHRASE
Add the encrypted file to the repository, for example as .env.gpg
To decrypt in a workflow, run something like
run: |
  gpg --quiet --batch --yes --decrypt \
    --passphrase=${{ secrets.LARGE_SECRET_PASSPHRASE }} \
    --output .env .env.gpg
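Putting the two halves of the thread together (one encrypted dotenv per branch, passphrase kept in a GitHub Secret), here is a complete workflow as an added example. It is not code from the question, the answer, or GitHub's documentation. Assumptions: the branches are `main`, `staging` and `dev`; the repository contains `.env.main.gpg`, `.env.staging.gpg` and `.env.dev.gpg`, each produced with `gpg --symmetric --cipher-algo AES256`; each branch has a GitHub Environment of the same name holding its own `ENV_PASSPHRASE` secret; the build command and the deploy step are placeholders.

```yaml
# Added example: per-branch encrypted dotenv, decrypted from a secret passphrase.
# Assumed layout: .env.<branch>.gpg in the repo, one GitHub Environment per
# branch (main, staging, dev), each with its own ENV_PASSPHRASE secret.
name: build-and-deploy

on:
  push:
    branches: [main, staging, dev]

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Binding the job to an Environment named after the branch means the dev
    # passphrase is never even available to a job running on main.
    environment: ${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v4

      - name: Decrypt the dotenv file for this branch
        env:
          # Hand the secret to the shell via the environment instead of
          # interpolating ${{ secrets.* }} into the script body.
          ENV_PASSPHRASE: ${{ secrets.ENV_PASSPHRASE }}
          BRANCH: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          src=".env.${BRANCH}.gpg"
          test -f "$src" || { echo "no encrypted dotenv for branch $BRANCH"; exit 1; }
          # --passphrase-fd 0 reads the passphrase from stdin, so it does not
          # show up in the process argument list on the runner.
          printf '%s' "$ENV_PASSPHRASE" | gpg --quiet --batch --yes --decrypt \
            --pinentry-mode loopback --passphrase-fd 0 \
            --output .env "$src"
          chmod 600 .env

      - name: Build
        run: npm ci && npm run build   # placeholder build command

      - name: Deploy
        run: echo "deploy step for ${{ github.ref_name }} goes here"   # placeholder

      - name: Remove the plaintext dotenv
        if: always()
        run: rm -f .env
```

Two things to keep in mind when running something like this: the decrypted `.env` exists in plaintext on the runner for the rest of the job, so make sure no later step uploads the working directory as an artifact, and keep `.env` in `.gitignore` so a stray commit cannot pick it up. Also, every old `.env.<branch>.gpg` stays in git history, so when a value needs to be retired, change the value and re-encrypt rather than relying on the passphrase alone, since anyone who ever had the passphrase can still read the old blobs.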