How to manage prod vs dev environment secrets?

What is the best way to handle production vs. development environmental variables regarding the Secrets stored in expo.dev for Expo EAS builds?

Do you keep separate variables and then code in-app to choose?
In expo.dev Secrets…
DEV_STORAGE_BUCKET
PROD_STORAGE_BUCKET

Then in-app…
const storageBucket = __DEV__ ? DEV_STORAGE_BUCKET : PROD_STORAGE_BUCKET

Is there a better approach?

If it’s included in the app, it should not be a secret; anything that you can access in your client code can be easily extracted by unpacking your APK and searching through the bundle. EAS secrets are intended for credentials that do not land inside the app, e.g. an API key to upload source maps to Sentry; everything else can be committed inside a repo.

If you want to have some secrets that depend on a certain condition, then creating separate envs is the easiest approach, but if there are a lot of values like that, I would probably keep them encrypted in the repo and pass the git-crypt key via EAS secrets.

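The point made in the answer above, that anything reachable from client code ends up in the bundle, can be turned into a release check. This is an added example, not part of the original posts or of Expo's tooling; `findLeaks` is a hypothetical helper, and the credential names, values and bundle fragment are constructed.

```javascript
// Added example: fail a release when a build-only credential appears in the
// JavaScript bundle. Names, values and the bundle fragment are constructed.
const MIN_LENGTH = 8; // shorter values match by accident

// Forms in which a value commonly survives bundling.
function variants(value) {
  const buf = Buffer.from(value, "utf8");
  return [
    ["plain", value],
    ["base64", buf.toString("base64").replace(/=+$/, "")],
    ["hex", buf.toString("hex")],
    ["url-encoded", encodeURIComponent(value)],
  ];
}

// Returns one record per hit; records carry the name, never the value.
function findLeaks(bundleText, secrets) {
  const leaks = [];
  for (const [name, value] of Object.entries(secrets)) {
    if (typeof value !== "string" || value.length < MIN_LENGTH) continue;
    for (const [encoding, needle] of variants(value)) {
      if (encoding !== "plain" && needle === value) continue; // same as plain
      const offset = bundleText.indexOf(needle);
      if (offset !== -1) leaks.push({ name, encoding, offset });
    }
  }
  return leaks;
}

// Constructed build-only credentials (in CI these would come from process.env).
const sampleSecrets = {
  SENTRY_UPLOAD_TOKEN: "constructed-upload-token",
  PROD_DB_PASSWORD: "constructed-db-password",
};

// Constructed bundle fragment: the bucket name is expected to be public,
// the upload token was embedded base64-encoded and must be reported.
const sampleBundle = [
  'var storageBucket="example-dev-bucket";',
  'var auth="Bearer "+atob("' +
    Buffer.from(sampleSecrets.SENTRY_UPLOAD_TOKEN).toString("base64") + '");',
].join("\n");

const found = findLeaks(sampleBundle, sampleSecrets);
for (const leak of found) {
  console.log(`${leak.name} found in bundle (${leak.encoding}) at offset ${leak.offset}`);
}
```

In a pipeline the bundle text would be read from the exported bundle file and a non-empty result would stop the release.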

Thanks for the response, @wkozyra. Yes, these are secrets. Things we don’t want in our git repo or the app itself.

For local development we use a .env file, and for testing binaries we’ve been using the Secrets section of expo.dev, but now we need to cut a production release that has different credentials/“secrets”. But, we want to keep being able to build binaries for testing. Hence the need for both sets of secrets in the EAS settings.

When you say “creating separate envs” do you mean like I described in the question or something else?

* Putting an encrypted file in the repo and using a secret to decrypt is interesting. I haven't seen/heard of that. Will look it up.

I think he’s referring to: GitHub - AGWA/git-crypt: Transparent file encryption in git
with a symmetric key