Closed florian-lefebvre closed 2 months ago
Latest commit: 72ec674984e0c4f9fd8fa69684c341a80b4f29c2
The changes in this PR will be included in the next version bump.
Not sure what this means? Click here to learn what changesets are.
Click here if you're a maintainer who wants to add another changeset to this PR
@florian-lefebvre re: naming -- I don't have a problem with the name, as it's clear! Chris might also be a good person to ask!
Excellent summary!
Does this option mean runtime errors for on-demand rendered requests can no longer happen? Or even if you check secrets are present during a build, can they still be missing in the final on-demand server context?
I don't think so. Technically, you could update a secret between a build and the deployment.
Also, something I've been thinking about having start
in the option name: some people could think it means they are validated when the production servers starts, which is not the case
Thanks for confirming @florian-lefebvre! OK, so given your answer, I’m wondering a bit who this new option is intended to help?
In dev and static builds (points 4 & 5 in my summary), this option means they can fail fast, so failures happen quicker but the builds would have failed anyway eventually.
In production builds with on-demand rendering (point 6), this option does the same, but provides no protection on deployment for the reasons you mention.
So is a separate option needed to just move when in the process the failure happens? What was the user request that led to this? It feels like the more important failure to protect against would be in the production environment, but this is not adding extra protection there.
If the option does seem valuable, maybe even something like env.failFast
or similar could be an idea for naming? Although not sure it does much to explain the when.
fyi that's a feature i had in astro-env
and that saved me quite a few times. A common thing is you add a new required secret var, you make a PR and you forget to add it to your host (and ofc it crashes once in prod). This feature allows to fail early.
I agree that the issue is to convey the "when" 😅
that's a feature i had in
astro-env
You mean this PR? Or the behaviour I was describing?
I still think answering “What was the user request that led to this PR?” would help naming if you could try!
I mean this behavior was in the now deprecated astro-env
integration that led to astro:env
. I think the user request is: I want my build to fail if any variable (public or secret) is not valid. I don't want to discover it at runtime
I want my build to fail if any variable (public or secret) is not valid. I don't want to discover it at runtime
Isn’t that already the case?
Based on my summary above the only case where currently it won’t fail during a build is:
And you said above that this PR won’t change that part — on-demand SSR can still fail at runtime because it runs in a different environment from the build.
yes but some hosts expose the same secrets on both build and runtime (eg. netlify) so that's why it's interesting imo. Basically
Idk if that clarifies anything
Thanks, yeah that confirms what I suspected:
OK, last question (thanks for your patience 😅):
Does “validation” already only happen at “start”?
In other words: public variables get validated at dev/build start, but private variables are not ever currently “validated”, they just fail at runtime?
If that’s the case, maybe this option just gets simplified to
env: {
validateSecrets: true,
}
Thanks for all the questions that's always great! Yeah I think I like your idea
Nice! OK, then that concludes my questions — thanks again for going through them all 🙌
Changes
experimental.env.validateSecrets
flag. It checks secrets onbuildStart
(dev and build, maybe more?)Testing
Adds a test
Docs
Updates config reference and adds changeset