I think if you search through the threads here, you’ll see a bunch of people asking for help with getting their env vars during build time. I run a couple of apps that don’t get too much traffic and the last thing I want to do is manually have to define env vars in a bunch of different places like this:
```dockerfile
RUN --mount=type=secret,id=MY_SUPER_SECRET \
    MY_SUPER_SECRET="$(cat /run/secrets/MY_SUPER_SECRET)" some_command \
    && more_commands_maybe
```
I did also see this: Build Secrets · Fly Docs but it is relatively confusing and the instructions are incomplete, suggesting you use `fly console` for deployment
Here is my (and probably many others') ideal flow:
- Define env vars in Infisical
- Sync them to fly.io
- Run `fly deploy` and everything works automatically
That’s how it works with Vercel. That’s also how it works with coolify. Railway is half a step better but you still have to manually define ARG: Build from a Dockerfile | Railway Docs
I understand the security problems with automatically injecting all secrets into the build stage, which is why my suggestion is to have a checkbox that defines if it's runtime only or also injected at build time. Most people using Next.js or any other static builder can then check that box or configure Infisical to sync secrets with or without that checkbox ticked.
EDIT: I wrote a post about how I deploy to Fly: The Best Way to Deploy Next.js to Fly.io - ludicrous