Prod secrets file and CI

I’m putting together a CI script on gitlab for a small app that I have built and I have hit a stumbling block when it comes to creating a release.

The issue is, there isn’t a prod.secret.exs file in my git repo as expected, however I cannot create a release without it as nothing will work. Also mix release throws an error if it cannot find this file so building a release with this file missing doesn’t work either.

I wondered what do others do to work around this? I am currently going down the path of environment variables in production that the prod.exs file will pull in.

Does anyone know of a better way?

2 Likes

Some CI services allow injecting “hidden” files or environment variables.

So if possible, let the service inject that file; if not, create it from an environment variable in one of your steps.

In any case you should make sure that no one attacks your build server by injecting a cat or echo into the scripts if they are version controlled.

3 Likes

As far as I am aware, the service I am using only supports secret variables, so I think I will actually try creating the file as part of the build - I could create a mix task that does this and pulls values from the environment.

A good heads up on the concern over cat and echo :thumbsup:

2 Likes

Of course these concerns are true for anything that creates output!

For the CI tool we use internally at work, I can see that it expands shell variables and then prints the command. So it happens that I have echo $SECRET in the script but echo deadbeef in the logs… No problem for us, since everyone in the company knows that secret anyway, and it is substituted here for something else :wink:

During CI there could be a compilation error in the generated prod.secret.exs and then a message printed like "there was an error near deadbeef".

And probably other situations I am not aware of right now.

2 Likes
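An added example (not code from any poster in this thread) of the CI step the thread converges on: generating prod.secret.exs from the service's secret variables while keeping the values out of the job log. The variable names SECRET_KEY_BASE and DATABASE_URL, the config keys and the output path are assumptions for illustration.

```shell
# Added example: writes config/prod.secret.exs in a CI job from the CI
# service's secret variables. SECRET_KEY_BASE and DATABASE_URL, the
# config keys and the output path are assumptions for illustration.
write_prod_secret() {
  out="${1:-config/prod.secret.exs}"

  # Fail early if a variable is absent; print only the name, never the value.
  for name in SECRET_KEY_BASE DATABASE_URL; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      printf 'missing CI variable: %s\n' "$name" >&2
      return 1
    fi
  done
  unset val

  # Values are interpolated verbatim into Elixir string literals, so reject
  # anything that would break out of the literal instead of silently mangling it.
  case "$SECRET_KEY_BASE$DATABASE_URL" in
    *'"'*|*'\'*|*'#{'*)
      printf 'a secret contains a character that breaks an Elixir string literal\n' >&2
      return 1 ;;
  esac

  # With `set -x` on, the shell expands and prints every value it touches;
  # switch tracing off for the write and restore it afterwards.
  trace=0
  case "$-" in *x*) trace=1; set +x ;; esac

  mkdir -p "$(dirname "$out")"
  # The subshell keeps the restrictive umask local; the heredoc writes
  # straight to the file, so nothing reaches stdout or the job log.
  (
    umask 077
    cat > "$out" <<EOF
import Config

config :my_app, MyAppWeb.Endpoint,
  secret_key_base: "${SECRET_KEY_BASE}"

config :my_app, MyApp.Repo,
  url: "${DATABASE_URL}"
EOF
  )
  status=$?

  [ "$trace" -eq 1 ] && set -x
  return "$status"
}
```

The resulting file is owner-readable only and contains the secrets in clear text, so it belongs in the build's temporary workspace and never in the repository or in artifacts the job uploads.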