How to handle environment variables in a React/Node.js project for production?

[Hariharasudhandev]

🏷️ Discussion Type

Question

Body

Hi everyone,

I'm building a taxi booking application (Namma-Ooru-Taxi) and I'm currently using a .env file to store my API keys and database URLs.

I’m worried about security when I deploy this to GitHub. Should I commit my .env file to the repository? If not, what is the best practice for managing these secrets during a GitHub Actions deployment?

Any help with the best workflow for this would be appreciated!

Guidelines

• I have read and understood this category's guidelines before making this post.

[hectorr-st]

Hi there, please never commit your .env file to github, but add it to .gitignore immediately, and if you've already pushed it, rotate every key in it right away. For github actions, go to Settings -> Secrets and variables -> Actions and add each secret individually.

[mahmoudnajmeh]

Never commit .env to GitHub. Add it to .gitignore. If pushed, rotate all secrets immediately.

For GitHub Actions, store secrets in Settings → Secrets and variables → Actions.

Better than just adding them individually:

Use GitHub Environments (dev/staging/prod) with separate secret sets.

Reference as ${{ secrets.KEY }} in your workflow.

Add a .env.example file to your repo so others know what's needed.

[hectorr-st]

Hey mahmoudnajmeh,

I think there is some misunderstanding.
Actually, we're saying the same thing, my answer already covered both points you raised: never commit the .env file, add it to .gitignore, and rotate keys immediately if it was ever pushed.

If anything, my answer went a step further by also including github actions secrets setup, deployment server best practices, and per environment key separation.
Thanks

[mahmoudnajmeh]

Hi hectorr-st,
You didn't cover GitHub Environments or .env.example. Those are my additions. Your answer just said 'add each secret individually', that's not the same as showing how to separate dev/staging/prod with Environments.

[icaroccaetano]

Hey, you should never commit your .env file, this file is to save your secret keys, passwords, any type of information that cant be public.

You must always put .env in .gitignore. It stays only in your pc to test the app.

Furthermore, when you put your application online, there are many ways to use this keys online without making them public, like Environment Variables on vercel or AWS Secrets Manager.