I'm actually surprised that I couldn't google up tons of blog posts about this, there are some threads on Netlify forum, but I expected "I need to bring my configs to production and don't want to commit them to the public github repo" to be a common use case.
Some solutions I've thought up so far:
implement a custom build step on Netlify which would run curl https://my-secret-url/env.production?token=supersecrettoken >.env (I don't like this, exposing secrets via GET request, even with a secret url; is... well, technically it's ok, but feels hacky and risky; also, there's a question of where to host it).
the same solution with fetching secrets on build, but with an external secrets provider such as AWS Secrets Manager; this would add an extra dependency.
we could move all platform cookies to the database and keep a tiny enough env file; technically only DIGITALOCEAN_POSTGRES could be secret and everything else we could store in the DB or commit to the repo.
I think it might also possible to deploy to netlify through the github actions; I don't have any experience with github actions, though, and not sure (my CI/CD experience is on gitlab, which is somewhat different); I expect this to be a viable route, but too complicated compared to the current "netlify pulls everything with zero configuration" approach.
Out of all these, I think (3) is the best route.
Especially since we might like to store cookies in the DB for other reasons anyway. For example, if some platform has some short-lived cookies then we'll want to store login+password in the configuration, and a cookie somewhere else.
As I mentioned in https://github.com/QURIresearch/metaforecast/pull/8#issuecomment-1079782140, there's an issue with using env variables as a source of configuration: AWS Lambda doesn't allow env larger than 4kb.
The same issue would follow us on Vercel, and their workaround article on this is too hacky.
I'm actually surprised that I couldn't google up tons of blog posts about this, there are some threads on Netlify forum, but I expected "I need to bring my configs to production and don't want to commit them to the public github repo" to be a common use case.
Some solutions I've thought up so far:
curl https://my-secret-url/env.production?token=supersecrettoken >.env(I don't like this, exposing secrets via GET request, even with a secret url; is... well, technically it's ok, but feels hacky and risky; also, there's a question of where to host it).DIGITALOCEAN_POSTGREScould be secret and everything else we could store in the DB or commit to the repo.Out of all these, I think (3) is the best route.
Especially since we might like to store cookies in the DB for other reasons anyway. For example, if some platform has some short-lived cookies then we'll want to store login+password in the configuration, and a cookie somewhere else.