Setting multiple secrets with cli command can trigger too many deployments

[spakanati]

After the cli added a set secret command, we've been using it to update secrets using scripts. However, since the command triggers a deploy each time a secret is set, if you update many secrets in a row the deployments can trigger ten or even hundreds of times depending on how many secrets you have to update. Based on discord discussion, options could be to add some type of bulk update command or flag, or to wait and dedupe the deployments.

[dbarrosop]

quick question, you mention you do it in bulk, are you managing ALL of your secrets at once or only a subset? I am mostly wondering if we should add a replaceSecrets mutation that takes a list of secrets and ensures only these secrets/values are set (i.e. by removing secrets not present in this list) or adding an updateManySecrets that requires you to explicitly unset secrets you don't need anymore (i.e. by setting them to an empty value). Maybe both are useful under different situations, just wondering which one would work better for you.

[spakanati]

In practice, we do usually replace all our secrets at once, but I think updateManySecrets might be better and also safer because that way you'd be able to update subsets if needed without accidentally deleting other secrets. We're less in need of a bulk way to delete old secrets because it's not a common task, and it's not that hard to go clean up unused secrets manually.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.