Marcos Echagüe

Reputation: 597

How to build a Flutter app with GitHub Actions CI/CD without .env in the repository

I have a Flutter app, and it's using the fastlane pipeline in GitHub Actions to automatically build and push my app to the Play Store. Currently the pipeline is failing.

The thing is that my app uses the dotenv library to load environment variables. In my pubspec.yaml:

flutter_dotenv: ^2.1.0
...
assets:
  - .env

And this is my .env file:

BACKEND_URL=https://backend-example.com/api
API_KEY=value

And this is where I run into a problem running the pipeline.

Task :app:compileFlutterBuildRelease Error detected in pubspec.yaml: No file or variants found for asset: .env.

As the recommendations say that we should not upload the .env to the repository, I did not upload it and left it in the .gitignore. So when the pipeline wants to build the app, it doesn't work for me because it can't find the .env file.

Is there any way or strategy to inject the environment variables that are listed in the .env without leaving the values hardcoded in the repository? As you can see, there are some sensitive values listed in the .env file.

Upvotes: 2

Views: 1460

Answers (2)

BrutalCoding

Reputation: 11

The answer by @jmatth is not safe either. GitHub Actions Secrets on their own are safe, but putting the data back into the .env file and baking it into your app makes it available for anyone who downloads the app to see.

The only benefit you gain here is that nobody who has access to your repository can see the .env file.

What you need to remember is that:

  • Everything that goes into the app can be read, anything. You can make it more difficult by obfuscating your app, but even that does not make your app safe from people who want to reverse engineer it.
  • For 100% safety, make your app as dumb as possible and let your backend do all the integrations with third parties. Your backend basically serves as a proxy.
  • Some keys are designed to be public API keys; a few companies that do this are, for example, Stripe(1) and Firebase(2).

(1) "Can be publicly-accessible in your web or mobile app’s client-side code (such as checkout.js) to securely collect payment information such as with Stripe Elements. By default, Stripe Checkout securely collects payment information.". See: https://stripe.com/docs/keys

(2) "Secure your database and Cloud Storage data by using Firebase Security Rules, not by restricting and/or obscuring your API keys." https://firebase.google.com/docs/projects/api-keys

Upvotes: 1

jmatth

Reputation: 673

I'll preface my answer with this: shipping a .env file like that means its entire contents will be available to anyone who downloads your app. Make sure you're OK with that.

You could store your values as GitHub Actions secrets and create the file in a step before you run the build. Something like this:

jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      # Write the file at the path declared under assets: in pubspec.yaml
      # (the question declares it at the project root as .env).
      - name: Create .env file
        run: |
          cat > .env <<EOF
          BACKEND_URL=${{ secrets.BACKEND_URL }}
          API_KEY=${{ secrets.API_KEY }}
          EOF

Upvotes: 3
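As an added example that is not part of the question or either answer: a POSIX shell script that generates the .env file for the approach above, but takes the values from environment variables that the workflow step maps from repository secrets, rather than expanding `${{ secrets.* }}` inside the script body. GitHub evaluates `${{ }}` expressions before the shell ever sees the script, so with an unquoted heredoc a secret containing `$` or backticks is subject to shell expansion; writing the values with printf from the environment avoids that. The script also refuses to write anything if a required variable is missing, empty or multi-line, and includes a simple check that the target path is listed in .gitignore. The step definition and the file name make_dotenv.sh are assumptions. The generated file is still bundled into the app, exactly as both answers warn; this only keeps it out of git and out of the workflow log.

```shell
#!/bin/sh
# Added example (not code from the question or either answer). Builds the
# .env that flutter_dotenv loads as an asset, from variables that a GitHub
# Actions step maps from repository secrets. Assumed step (not on the page):
#
#   - name: Create .env file
#     env:
#       BACKEND_URL: ${{ secrets.BACKEND_URL }}
#       API_KEY: ${{ secrets.API_KEY }}
#     run: ./make_dotenv.sh .env BACKEND_URL API_KEY   # hypothetical file name
#
# Reading the values from the environment means the secret is never pasted
# into shell source, so a value containing $, backticks or quotes cannot be
# mangled by heredoc expansion or break the step.
set -eu

# A literal newline, used to reject multi-line values (one KEY=value per line).
NL=$(printf '\nx'); NL=${NL%x}

# write_dotenv OUTFILE NAME... : writes NAME=value for each named variable.
# Validates everything first and writes nothing if a variable is missing,
# empty, not a valid identifier, or multi-line, so a misconfigured workflow
# fails fast instead of producing an app with a half-filled config.
write_dotenv() {
    out=$1; shift
    for name in "$@"; do
        case $name in
            ''|*[!A-Za-z0-9_]*|[0-9]*)
                echo "write_dotenv: invalid variable name '$name'" >&2; return 1 ;;
        esac
        eval "val=\${$name:-}"
        if [ -z "$val" ]; then
            echo "write_dotenv: required variable $name is not set" >&2; return 1
        fi
        case $val in
            *"$NL"*) echo "write_dotenv: $name must be a single line" >&2; return 1 ;;
        esac
    done
    # Assumption: the generated file should be readable only by the build user.
    old_umask=$(umask)
    umask 077
    : > "$out"
    for name in "$@"; do
        eval "val=\${$name}"
        # printf '%s' writes the value verbatim; no expansion of its contents.
        printf '%s=%s\n' "$name" "$val" >> "$out"
    done
    umask "$old_umask"
}

# dotenv_ignored GITIGNORE FILE : returns 0 if GITIGNORE contains a line that
# is exactly FILE (e.g. ".env"). A deliberately simple check so the pipeline
# can refuse to run when a later step could commit the generated file.
dotenv_ignored() {
    grep -qxF -- "$2" "$1"
}
```

The names passed to write_dotenv are validated as identifiers before the eval, so a typo in the workflow fails the step rather than evaluating arbitrary text. Nothing is echoed on success; on failure only the variable name is printed, never its value.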
