github actions multiple dotenv files

I have struggled with how to write this so please bear with me. I'll try and be as clear as possible: Setup:

  • GitHub repo with 3 branches (Master/Development/Staging)
  • Each branch has a unique dotenv file
  • Repo has VueJS code (but could also be laravel)

Now, using GitHub Actions, we deploy to a different domain based on the branch.

What I can't solve is how best to handle the different dotenv files. During build, dotenv is used to build the final product. IDEALLY I would like to keep as much of the env file contents in a GitHub Secret for obvious reasons, but I am not sure if this is possible. The other option is to have 3 dotenv files based on the branch but that just adds complexity and confusion around keeping them all in sync.

What is the best way to handle this so each deploy gets the right settings inside the dotenv file?

1 answer

  • answered 2020-08-13 15:06 Benjamin W.

    Disclaimer: I have no clue about best practices for dotenv.

    If you have a secret that's larger than the allowed 64 KB, you can follow the instructions for Limits for secrets, roughly this:

    • Encrypt your secret:

      gpg --symmetric --cipher-algo AES256 .env
      
    • Store the passphrase as a secret, for example LARGE_SECRET_PASSPHRASE

    • Add the encrypted file to the repository, for example as .env.gpg

    • To decrypt in a workflow, run something like

      - name: Decrypt .env
        env:
          # read from env, not inline ${{ }}, so the passphrase never lands in the script text
          LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
        run: |
          gpg --quiet --batch --yes --decrypt \
              --passphrase="$LARGE_SECRET_PASSPHRASE" \
              --output .env .env.gpg
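Putting the answer together with the three-branch setup from the question, here is an added example workflow (not from the question or the answer). It assumes each branch commits its own encrypted file named `.env.<branch>.gpg` (e.g. `.env.staging.gpg`), all encrypted with one passphrase stored in a secret called `ENV_PASSPHRASE`, and a VueJS build driven by npm; those names are assumptions, not anything from the page.

```yaml
name: deploy

on:
  push:
    branches: [master, development, staging]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Pick the encrypted dotenv committed for this branch (assumed naming:
      # .env.<branch>.gpg). GITHUB_REF_NAME is the short branch name, so no
      # branch-to-file table has to be kept in sync by hand.
      - name: Select encrypted env file for ${{ github.ref_name }}
        run: |
          f=".env.${GITHUB_REF_NAME}.gpg"
          [ -f "$f" ] || { echo "no encrypted env file for this branch: $f"; exit 1; }
          echo "ENV_GPG=$f" >> "$GITHUB_ENV"

      # The passphrase reaches the shell through env:, never through inline ${{ }}
      # expansion, so shell metacharacters in it cannot alter the command.
      # --pinentry-mode loopback lets gpg 2.1+ take the passphrase non-interactively.
      - name: Decrypt .env
        env:
          ENV_PASSPHRASE: ${{ secrets.ENV_PASSPHRASE }}   # assumed secret name
        run: |
          gpg --quiet --batch --yes --pinentry-mode loopback \
              --passphrase "$ENV_PASSPHRASE" \
              --output .env --decrypt "$ENV_GPG"
          chmod 600 .env

      - name: Build
        run: |
          npm ci
          npm run build

      # Remove the plaintext so it is not left in the workspace or bundled into
      # an uploaded artifact by a later step.
      - name: Remove decrypted .env
        if: always()
        run: rm -f .env
```

Re-encrypting one branch's file changes only that branch's `.env.<branch>.gpg`, so the three copies never need to be reconciled by hand; rotating the passphrase means re-encrypting all three and updating the single secret.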