if it’s included in the app it should not be a secret, anything that you can access in your client code can be easily extracted by unpacking your apk and searching through the bundle. EAS secrets are intended for credentials that do not land inside the app e.g. API key to upload source maps to sentry, everything else can be committed inside a repo
If you want to have some secrets that depend on certain condition then creating separate envs is the easiest approach, but if there is a lot values like that I would probably keep that encrypted in repo and pass git crypt key via eas secrets
Thanks for the response @wkozyra. Yes these are secrets. Things we don’t want in our git repo or the app itself.
For local development we use a .env file, and for testing binaries we’ve been using the Secrets section of expo.dev, but now we need to cut a production release that has different credentials/“secrets”. But, we want to keep being able to build binaries for testing. Hence the need for both sets of secrets in the EAS settings.
When you say “creating separate envs” do you mean like I described in the question or something else?
* Putting an encrypted file in the repo and using a secret to decrypt is interesting. I haven't seen/heard of that. Will look it up.