Best practice for deploying encrypted .env files to Vapor via GitHub Actions?

Why do you need to encrypt the .env file ? By default it is inaccessible.

@evan-55 Please use actual environment variables: https://docs.vapor.build/projects/environments#environment-variables

@martinbean what do you mean actual environment variables? I've used up the 2000 character limit in the Vapor dashboard, so I'm unable to add more variables through this method, and therefore have had to resort to an encrypted file on top of the dashboard's .env file.

Due to AWS Lambda limitations, your environment variables may only be 4kb in total. To accommodate Vapor’s own injection of environment variables, users are limited to 2,000 characters of environment variables. You should use encrypted environment files in place of or in addition to environment variables if you exceed this limit.

@evan-55 If that’s the case, then you can commit the encrypted .env file to your repository. Just so long as you don’t also encrypt the actual decryption key as well. If someone does get access to your repository, then they just have the encrypted file’s contents and can’t read the original contents.

You’ll then need to set your encryption key as a secret in your repository (https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). Your GitHub Actions workflow can then use the key to decrypt the encryption .env file just like you would when deploying or whatever.

@martinbean makes sense, thanks very much!