Ignore .env and .env.build for deployments by default #2083
Because `now dev` uses these dotenv files to define the Now secrets to use, it would be bad practice to include them in the deployment files since they will be using development values instead of production values.
Codecov Report
@@ Coverage Diff @@
## canary #2083 +/- ##
=========================================
- Coverage 4.63% 4.49% -0.14%
=========================================
Files 243 243
Lines 8572 8572
Branches 873 873
=========================================
- Hits 397 385 -12
- Misses 8158 8170 +12
Partials 17 17
Because `now dev` uses these dotenv files to define the Now secrets to use, it would be bad practice to include them in the deployment files since they will be using development values instead of production values.
This is a breaking change for us.
@antmarot We marked the release that includes this change a patch release because uploading As defined in dotenv (the creator of Please use secrets instead, which will encrypt your secrets upon upload.
@leo Thanks for your reply. I totally understand the reason behind the change and I am convinced it was the necessary thing to do. I would however argue this is a breaking change though. While dotenv strongly recommends against committing .env files, I don't think their use in production is considered bad practice. In my opinion, the question is more about how do you securely get that file there. Anyway, my use case is not about secrets, but configuration values. I purposefully do not use the If there is no flag or config to override the ignored
@antmarot I understand. In that case, you can use the
@leo Thanks for the heads-up. I must have searched through a dozen comments before finding this. This should perhaps be included in the docs. Just to be clear, assuming I have .env file && .env.build in the root of a monorepo setup: