A demonstration project showing how Ona Project secrets work with devcontainer builds, highlighting the security distinction between build-time and runtime secret availability.
This project demonstrates Ona's secure secret handling in devcontainer environments:
- Build Time: Secrets are NOT available (security feature)
- Runtime: Secrets are injected by Ona into the running environment
- Security: Secrets never become part of Docker image layers
- Click the "Run in Ona" button above to open this project in Ona
- Add a project secret:
  - Go to Project Settings → Environment Variables
  - Add MY_PRIVATE_SECRET with any demo value (e.g., "my-demo-secret-123")
- Rebuild the devcontainer:
    gitpod environment devcontainer rebuild
- Watch the demo - you'll see the secret behavior during build and runtime!
- During build: Secret is empty (shown in build logs)
- At startup: Fancy banner displays and demo runs automatically
- Runtime: Secret is available and demo shows the comparison
Ona Project secrets are injected at RUNTIME, not build time.
This is a security best practice that:
- Prevents secrets from being baked into Docker image layers
- Ensures secrets are only available when the application needs them
- Follows industry standards for secure container secret handling
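One way to verify both claims above from a shell, as an added example that is not part of the demo project: `secret_state` reports whether the secret is present without printing it, and `scan_for_secret` checks image metadata for a baked-in value. The function names, the sample layer lines and `API_TOKEN_COPY` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the demo project. Assumes POSIX sh, grep, printenv.

# secret_state NAME: report whether NAME is set, without printing its value.
# Per the README: expect "empty" during build and "set" in the running environment.
secret_state() (
  v=$(printenv "$1" 2>/dev/null) || v=
  if [ -n "$v" ]; then echo "set (${#v} chars)"; else echo "empty"; fi
)

# scan_for_secret NAME [VALUE]: read image metadata on stdin, print one finding
# per offending line, return 1 if anything was found. Real input would come from:
#   docker history --no-trunc --format '{{.CreatedBy}}' IMAGE
#   docker image inspect --format '{{json .Config.Env}}' IMAGE
scan_for_secret() (
  name=$1 value=${2:-} n=0 hits=0
  # NAME= followed by an unquoted character means a value was baked in (ENV or ARG).
  re="(^|[^A-Za-z0-9_])${name}=[^[:space:]\"']"
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    if printf '%s\n' "$line" | grep -Eq -- "$re"; then
      echo "line $n: $name has a value in image metadata"; hits=$((hits + 1))
    elif [ -n "$value" ] && printf '%s\n' "$line" | grep -Fq -- "$value"; then
      echo "line $n: literal secret value present"; hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
)

# Constructed sample: layer commands of an image built with the secret as a build arg.
sample_leaky_history() {
  cat <<'EOF'
RUN |1 MY_PRIVATE_SECRET=my-demo-secret-123 /bin/sh -c ./setup.sh
ENV API_TOKEN_COPY=my-demo-secret-123
COPY . /workspace
EOF
}

# Constructed sample: layer commands of an image that only reads the secret at runtime.
sample_clean_history() {
  cat <<'EOF'
RUN /bin/sh -c echo "build-time value: [${MY_PRIVATE_SECRET}]"
COPY . /workspace
CMD ["/bin/sh", "-c", "./demo.sh"]
EOF
}

echo "current state: $(secret_state MY_PRIVATE_SECRET)"
sample_leaky_history | scan_for_secret MY_PRIVATE_SECRET my-demo-secret-123 || echo "leak detected"
```

The name rule skips quoted assignments, so pass the demo value as the second argument when scanning real output to catch those through the literal match.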