I am a little confused on how to securely handle secrets and variables in my CI/CD workflow.
Setup: I deploy my express app to my VPS where I run it in a docker container and I need the variables to be available in that container.
Currently I am writing them into a .env file and setting that file as the env_file in docker-compose.yml, but it's probably not a very secure way of doing it, since then there would be a .env file on the server with plain-text secrets... Is there a better way (best practice)?
Also, the .env file won't be created like this. I had to manually create it on the server; wouldn't echo create the file if it's not already there?
```yaml
- name: Execute remote deployment script
  uses: appleboy/[email protected]
  with:
    HOST: ${{ secrets.HOST }}
    USERNAME: ${{ secrets.USERNAME }}
    PORT: ${{ secrets.PORT }}
    KEY: ${{ secrets.SSH_KEY }}
    script: |
      # Change directory to the app folder
      cd /usr/src/app/
      # install dependencies
      npm ci --omit=dev
      # Stop and remove running containers
      docker-compose -f docker-compose.prod.yml down
      # Set environment variables stored in Github secrets
      echo "VITE_API_URL=${{ secrets.VITE_API_URL }}" > .env
      echo "DATABASE_URL=${{ secrets.DATABASE_URL }}" >> .env
      echo "SECRET_KEY=${{ secrets.SECRET_KEY }}" >> .env
      echo "REFRESH_SECRET_KEY=${{ secrets.REFRESH_SECRET_KEY }}" >> .env
      # start container and detach
      docker-compose -f docker-compose.prod.yml up -d
```
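As an added example (not code from the original post or from the appleboy action), here is a POSIX shell version of the .env-writing step that addresses the points a reviewer would raise about the script above: the values are read from environment variables on the server instead of being pasted into the script text with `${{ secrets.X }}` (GitHub expands those expressions before the script is handed to the action, so the secrets end up in the transmitted script and in any place it is logged); the file is created with owner-only permissions from the first byte (umask 077); it is written to a temporary file and renamed into place so docker-compose can never read a half-written .env; and an unset or empty variable aborts the write instead of silently producing `VAR=`. The directory, variable names and values in the demo are constructed; how the values reach the remote environment (the SSH action's input for forwarding environment variables, or a manual export on the host) is an assumption to check against the action's own documentation.

```shell
#!/bin/sh
# Added example, not from the original post: write docker-compose's .env on the
# server from variables that are already in the environment, with owner-only
# permissions, an atomic rename, and a hard failure on missing values.
# Assumptions: the target directory exists, and the secret values have been
# exported into this shell's environment by whatever transports them
# (the SSH action's env-forwarding input, or a manual export); they are NOT
# pasted into the script text with ${{ secrets.X }}.
set -eu

# write_env_file DIR NAME...  -> creates DIR/.env with one NAME=value line per NAME.
write_env_file() {
    dir=$1; shift
    [ -d "$dir" ] || { echo "write_env_file: no such directory: $dir" >&2; return 1; }
    tmp="$dir/.env.tmp.$$"
    # The subshell scopes umask 077, so the temp file is mode 0600 from the
    # moment it exists; other local users never get a window to read it.
    (
        umask 077
        : > "$tmp"
        for name in "$@"; do
            # Accept only shell identifiers; anything else would let a bad NAME
            # argument inject into the eval below.
            case $name in
                "" | *[!A-Za-z0-9_]* | [0-9]*)
                    echo "write_env_file: invalid variable name: $name" >&2
                    rm -f "$tmp"; exit 1 ;;
            esac
            eval "value=\${$name:-}"
            if [ -z "$value" ]; then
                # Abort rather than writing "NAME=", which would start the app
                # with an empty secret.
                echo "write_env_file: $name is unset or empty" >&2
                rm -f "$tmp"; exit 1
            fi
            # printf, not echo: values starting with '-' or containing
            # backslashes are written literally.
            printf '%s=%s\n' "$name" "$value" >> "$tmp"
        done
    ) || return 1
    # rename(2) is atomic within one filesystem, and mv replaces a pre-existing
    # .env (even a symlink planted there) instead of writing through it.
    mv -f "$tmp" "$dir/.env"
}

# env_file_is_private FILE -> succeeds only for a regular file with mode 0600.
env_file_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# Stand-alone demo with constructed values (not real credentials).
demo_dir=$(mktemp -d)
export DATABASE_URL='postgres://app:constructed@db:5432/app' SECRET_KEY='constructed-key'
write_env_file "$demo_dir" DATABASE_URL SECRET_KEY
env_file_is_private "$demo_dir/.env" && echo "wrote $demo_dir/.env with mode 0600"
rm -rf "$demo_dir"
```

On the server this replaces the four `echo ... > .env` lines; because the script runs under `set -eu`, a failing `cd` (one plausible reason the file "was never created" in the expected place) stops the deployment instead of writing .env somewhere else and starting the container without it. The plain-text file on disk is still the weak point the question raises; this only narrows who can read it and when.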