-
-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add post-create support for env
key in app.json
#4498
Comments
Since the formation key will update on every deploy, should this also run on every deploy? That will also differ from heroku, but I think that's fine? |
Thinking about this more, while it would be nice, since the secrets aren't actually secrets, this will expose folks to doing not secure things (like putting credentials in plaintext). Going to close for now, but if folks want this, maybe I can be dissuaded. |
Just ran into this, can't deploy from scratch cuz of missing env:
I think it's a good idea since it reduces friction and just makes things easier. |
How would this work? Would it only apply for the first deploy? Should we support bare values as well? I'm concerned this will lead to folks exposing unencrypted credentials in repositories because it is easier to setup on first pass, which is just bad practice. |
Yeah, just the first deploy. This is what I'm pushing: https://github.com/mastodon/mastodon/blob/main/app.json I'd say yes to bare values cuz of this:
People check secrets into git repos all the time even though they shouldn't. It's widely known to be bad practice, so that's on them. I don't think adding this this encourages it more than anything else. It's also a problem with .env files, CI scripts, etc. |
Just because they can doesn't mean we should allow it as well :D Is this something you'd be interested in working on or sponsoring? |
I'm sponsoring as @soapbox-pub Just upped it to $50 🙂 |
What should we do when there is a required key but there is no default value? |
As an example, your app above has |
Probably nothing, the app should crash on its own if it's really required. Displaying a warning is a nice-to-have. I think it would be annoying to block the deployment outright, especially for apps that maybe used to work before. |
Seems reasonable, and something we can probably do for the next minor. |
The
app.json
manifest has a way to specify environment variables on start. We should support this.secret
generator: https://devcenter.heroku.com/articles/app-json-schema#envRefs #2269
The text was updated successfully, but these errors were encountered: