In the newest version of eas submit, I need to provide information in eas.json I previously let my CI inject, so I wouldn’t have “sensitive” information in my repo.
Example of a command run by my CI: EXPO_APPLE_APP_SPECIFIC_PASSWORD=$(EXPO_APPLE_APP_SPECIFIC_PASSWORD) eas submit -p ios --latest --apple-id=$(APPLE_USERNAME) --asc-app-id=$(APP_APPLE_ID) --sku=$(SKU)
The service file does not need to be checked into the repo (just the path to the file); you can also use envs there,
e.g. serviceAccountKeyPath: '$GOOGLE_SERVICE_ACCOUNT_PATH'. It’s supported just for that field.
As far as I remember, eas-cli does not require eas.json to be in the repo, but it’s not the workflow we are supporting/testing against. I don’t think any of those values are sensitive, but if you want you can always encrypt that file with git crypt. If it’s not a public repo, I think it’s unnecessary.
Great, I will try the environment variable in serviceAccountKeyPath and mark your suggestion as the solution.
Here is some feedback / my thoughts:
I’m not sure how sensitive the other values are either. I would just like to be able to separate my app code from operations-related stuff, and I feel like eas.json pushes me more and more towards leaking information related to operations into my app code / repo. Even though this information might not be super sensitive, I don’t have much freedom if I want to use Expo’s services.
Some of these could maybe be solved using git crypt. But eas.json also makes it harder to deal with dynamic values, such as release channels and build numbers. Now I have to check these in. Before, my CI could auto-increment build numbers, create release channels based on version etc.
You should use runtimeVersion instead of releaseChannel if you want it to be dynamic. runtimeVersion lives in app.config.js. Runtime Versions - Expo Documentation
The same applies to build numbers - these live in app.config.js.
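The dynamic build number and runtimeVersion approach from the last reply, sketched as an added example that is not part of the thread or Expo's own code. The environment variable names BUILD_NUMBER and RUNTIME_VERSION, the helper names and the validation limits are assumptions; the CI would export both variables before running the build.

```javascript
// app.config.js (added example; env var names and helpers are hypothetical)

// Fail closed: a missing or malformed CI value stops the build instead of
// silently shipping a default build number.
function parseBuildNumber(raw) {
  // Constructed constraint: 1 to 9 digits, no leading zero.
  if (typeof raw !== "string" || !/^[1-9][0-9]{0,8}$/.test(raw)) {
    throw new Error("BUILD_NUMBER must be a positive integer set by CI");
  }
  return Number(raw);
}

function buildConfig(config, env) {
  const build = parseBuildNumber(env.BUILD_NUMBER);
  const runtimeVersion = env.RUNTIME_VERSION;
  if (typeof runtimeVersion !== "string" || runtimeVersion.trim() === "") {
    throw new Error("RUNTIME_VERSION must be set by CI");
  }
  return {
    ...config,
    runtimeVersion,
    // ios.buildNumber is a string, android.versionCode an integer.
    ios: { ...(config.ios || {}), buildNumber: String(build) },
    android: { ...(config.android || {}), versionCode: build },
  };
}

// Expo calls the exported function with the static config from app.json.
const appConfig = ({ config }) => buildConfig(config, process.env);
if (typeof module !== "undefined") {
  module.exports = appConfig;
}
```

With this in place the checked-in files carry no per-release values; they exist only in the CI job's environment.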