EAS secrets not working via EAS update

I’m using EAS Secrets and the documentation says: EAS Update does support secrets. But on every update you need to manually send the secrets again.
Example:

BASE_URL=https://example.com/ ANOTHER_VAR=somevalue eas update --branch production --message "some message"

So in the end, what is the point of using EAS Secrets if you need to manually put the secrets in the clear in the update command?
Or if you do an update via a CI, you will need to put all the secrets in GitHub/GitLab too, or find another way to get your secrets. This feature needs to work the same way across the whole pipeline (build / update).

So is EAS Secrets useless with EAS Update, or not ready yet? Or maybe there is another way?

Thank you for your feedback.

So in the end, what is the point of using EAS Secrets if you need to manually put the secrets in the clear in the update command?

EAS Secrets is for secrets. If you need something for EAS Update, it’s clearly not a secret, because you are putting it in plain text in the JS bundle. You could just as well commit that into your repo at this point.

The other reason is that EAS Update creates a bundle on your local machine and we do not allow downloading secrets for security reasons (the same as any other CI I’m aware of). Secrets are only available inside our worker instances.

Thank you for your answer, but I’m confused: when I do an EAS Update, all the vars injected by EAS Secrets into process.env in the previous build are undefined.
So how can I still access them after an update? I still need access to these secrets, otherwise some services will not work (like GOOGLE_SERVICES, which needs GOOGLE_SERVICES_JSON).

For example in my app.config.ts (this file is called by the EAS Build and EAS Update) :

extra: {
  htaccess: process.env.EAS_SECRET_HTPASSWD,
  authToken: process.env.EAS_SENTRY_AUTH_TOKEN,
  googleServicesFile: process.env.GOOGLE_SERVICES_JSON,
}

When I build, everything is OK, but when I update, they will be undefined.
How can I solve this situation?
I can’t use EAS Secrets in app.config.ts? But the EAS Secrets documentation says the opposite: Environment variables and secrets in EAS Build - Expo Documentation

“You could just as well commit that into your repo at this point” => Yes, I can, with git crypt or other alternatives, and decrypt the file on CI before a build or update.

do an EAS Update, all the vars injected by EAS Secrets in the previous build in process.env, are undefined.

If you rely on envs in app.config.js, whether it’s a build or an update, you need to make sure that the envs you need are specified in the environment that you are building in.

EAS Secrets injects secrets as envs in a build environment on an EAS Build worker, and that is it. It does not inject your envs into your app; this is something you are doing by specifying process.env.sth in your app.config.js.

So how can I still access them after an update?

If you rely on some values passed via the extra field, you need to make sure that this value is populated whether you build or update. If you are using envs, then you need to set those envs in your local shell when running an update.

I can’t use EAS Secrets in app.config.ts? But the EAS Secrets documentation says the opposite

You can, but in most cases it does not make sense; it’s better to make it part of the JS code. EAS Secrets is intended for stuff that is used during a build but is not part of a bundle, e.g. a Sentry key that is used to upload source maps (not the one that is used to report errors in an app).

Yes, I can, with git crypt or other alternatives, and decrypt the file on CI before a build or update.

Yes, but you could also commit them in plain text. They are already available unencrypted in the JS bundle, so unless your repo is public there is no harm in doing that.
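
Added example (not part of the thread and not Expo's code): a pre-flight check in plain Node.js that could run before a build or an update, covering both points from the replies above. The `extra` map mirrors the app.config.ts snippet posted earlier; treating EAS_SENTRY_AUTH_TOKEN as build-only follows the staff reply, and the function name and sample values are constructed for illustration.

```javascript
// The `extra` block from the thread, written as extra key -> env var name.
const THREAD_EXTRA = {
  htaccess: 'EAS_SECRET_HTPASSWD',
  authToken: 'EAS_SENTRY_AUTH_TOKEN',
  googleServicesFile: 'GOOGLE_SERVICES_JSON',
};

// Assumption: env vars that are only needed on the build worker (for example
// uploading source maps). Anything copied into `extra` ships inside the app.
const BUILD_ONLY = ['EAS_SENTRY_AUTH_TOKEN'];

// Check an environment against an `extra` map before resolving the config.
//   exposed: extra keys that would embed a build-only credential in the app
//   missing: env vars that are unset here, so `extra` would hold undefined
//   extra:   the values that are safe to pass through
function checkExtra(env, extraMap, buildOnly = BUILD_ONLY) {
  const exposed = [];
  const missing = [];
  const extra = {};
  for (const [key, name] of Object.entries(extraMap)) {
    if (buildOnly.includes(name)) {
      exposed.push(key); // flagged whether or not the variable is set
      continue;
    }
    const value = env[name];
    if (value === undefined || value === '') missing.push(name);
    else extra[key] = value;
  }
  return { ok: exposed.length === 0 && missing.length === 0, exposed, missing, extra };
}

// Constructed sample environments (values are placeholders, not real data).
const buildWorkerEnv = {
  EAS_SECRET_HTPASSWD: 'placeholder-htpasswd',
  EAS_SENTRY_AUTH_TOKEN: 'placeholder-token',
  GOOGLE_SERVICES_JSON: './google-services.json',
};
const localUpdateEnv = {}; // `eas update` run locally without exporting anything

// On the worker everything resolves, but the Sentry token would be bundled.
console.log('build worker:', checkExtra(buildWorkerEnv, THREAD_EXTRA));
// Locally the same config silently yields undefined values.
console.log('local update:', checkExtra(localUpdateEnv, THREAD_EXTRA));
```

Failing the CI job when `ok` is false catches both the undefined values after an update and a build-only credential that would otherwise be readable in the shipped app.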
