Environment Variables & Secrets
Graft provides a flexible way to manage environment variables and secrets by automatically filtering and applying .env files based on your active deployment environment.
Naming Conventions
Graft looks for environment files in your project root or specified paths and maps them to environments based on their suffix.
| File Pattern | Usage |
|---|---|
| `.env` | Primary configuration (often used for main or production). |
| `.env.dev` | Applied when using the dev environment (`graft env dev ...`). |
| `.env.staging` | Applied when using the staging environment. |
| `.env.<name>` | Applied when using the environment named `<name>`. |
Configuration in graft-compose.yml
You can specify your environment files in the `env_file` section of your `graft-compose.yml`. Graft will automatically select the correct file based on the environment you are targeting.
```yaml
# example graft-compose.yml
services:
  web:
    image: my-app
    env_file:
      - .env            # Used for main/production env
      - path/.env.prod  # Used for main/production env
      - path/.env.dev   # Used for development environment
      - path/.env.name  # Used for the environment named 'name'
```
How it Works
When you run a command like `graft env dev sync`, Graft:
- Identifies that you are targeting the `dev` environment.
- Filters the `env_file` list to find files matching `.env.dev`.
- Merges these variables with the base configuration.
- Securely pushes the resulting environment to the remote server.
Secrets Management
Graft treats all variables in your `.env` files as secrets. When you perform a `graft sync`, these variables are:
- Never committed to your repository (ensure they are in `.gitignore`).
- Encrypted during transit.
- Stored securely on the remote server, accessible only to your Docker containers.
[!IMPORTANT] Always add your `.env` files to `.gitignore` to prevent sensitive credentials from leaking into your source control.
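One way to enforce the `.gitignore` rule above before a sync or in CI: the script below is an added example, not part of Graft. It reads the `env_file` entries from `graft-compose.yml` and reports any that git already tracks or does not ignore. The function names are hypothetical, the parser only handles the block-list form shown on this page, and paths are resolved relative to the directory the script is run from.

```python
import re
import subprocess
import sys

def env_files(compose_text):
    """Collect env_file entries written as a block list (the form shown above)."""
    found, list_indent = [], None
    for raw in compose_text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).rstrip()  # drop comments
        if not line:
            continue
        indent, item = len(line) - len(line.lstrip()), line.strip()
        if item == "env_file:":
            list_indent = indent
        elif list_indent is not None and item.startswith("- ") and indent >= list_indent:
            found.append(item[2:].strip().strip("'\""))
        else:
            list_indent = None  # any other line ends the list
    return found

def git_ok(*args):
    """True when `git <args>` exits 0; run from inside the repository."""
    return subprocess.run(["git", *args], capture_output=True).returncode == 0

def audit(compose_text, ignored=None, tracked=None):
    """Return (path, problem) pairs for env files that git could commit."""
    ignored = ignored or (lambda p: git_ok("check-ignore", "-q", "--", p))
    tracked = tracked or (lambda p: git_ok("ls-files", "--error-unmatch", "--", p))
    problems = []
    for path in env_files(compose_text):
        if tracked(path):
            problems.append((path, "tracked by git"))
        elif not ignored(path):
            problems.append((path, "not matched by .gitignore"))
    return problems

if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else "graft-compose.yml") as fh:
        issues = audit(fh.read())
    for path, problem in issues:
        print(f"{path}: {problem}")
    sys.exit(1 if issues else 0)
```

A non-zero exit status means at least one listed env file could end up in a commit, so the script can gate a pre-commit hook or pipeline step.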