█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/DevOps and Infrastructure/CI/CD Pipelines/Environment Management
40 minIntermediate

Environment Management

After this lesson, you will be able to: Manage environment variables and secrets across staging vs production, use feature environments per branch, and integrate with cloud-native secret stores.

Secrets management is where most teams either get sloppy (commit a key by accident) or over-engineer (vault per environment with rotation). This lesson covers the practical middle.

Prerequisites:A Complete CD Pipeline

Three tiers of secrets

Repository secrets: stored in GitHub Actions, scoped to one repo. Easy. Most secrets live here. Environment secrets: scoped to a GitHub Environment (`staging`, `production`). Different DB passwords per env. Organization secrets: shared across many repos. Useful for 'we use the same Datadog API key everywhere'. All three are encrypted at rest, masked in logs, and never visible after creation.

Using environment-scoped secrets

Tie the secret to the environment, then reference normally.

tsx
# Settings > Environments > production > Add secret DATABASE_URL
# Then in workflow:
jobs:
deploy:
runs-on: ubuntu-latest
environment: production
steps:
- name: Migrate
run: npx prisma migrate deploy
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
# No need to specify 'environment: production' on the secret;
# it auto-resolves from the env set on the job.
# Same workflow with environment: staging would resolve a DIFFERENT secret
# (the staging DATABASE_URL configured on the staging environment).

Feature environments per branch (preview deploys)

Vercel + Netlify do this automatically: every PR gets its own preview URL. For containers: spin up a temporary K8s namespace or a per-PR docker compose stack. Pattern: workflow_run on pull_request; deploy to `pr-${PR_NUMBER}.example.com`; tear down on PR close. Value: stakeholders click a real URL to review changes, not a screenshot.

💡 OIDC: deploy without long-lived cloud keys

GitHub Actions can mint a short-lived OIDC token. AWS / GCP / Azure can be configured to trust that token + assume a role. Result: no AWS access keys in GitHub Secrets ever. Tokens are minted per workflow run, expire in 1 hour. AWS: configure an IAM role trust policy for GitHub's OIDC issuer; use `aws-actions/configure-aws-credentials@v4` in the workflow. This is the modern best practice; any new cloud setup should use it.

When to add a real secrets manager

Most projects can live with GitHub Secrets forever. Add AWS Secrets Manager / HashiCorp Vault / 1Password Secrets when: 1. You need rotation (auto-rotated DB passwords). 2. You need per-instance secrets (e.g. each EC2 instance fetches its own). 3. You need audit logs of who accessed which secret when. 4. You have many repos that share secrets and want central management. Until then, GitHub Secrets is fine.

Common mistakes only experienced engineers avoid

Committing `.env` to git. Use `.gitignore` from day one + `.env.example` for the template. Reusing the same DATABASE_URL between staging and production. Staging breakage = prod breakage. Using OIDC tokens with `*` resource policies. Always scope: 'only this repo / this branch / this workflow'. Long-lived AWS access keys in GitHub Secrets. Migrate to OIDC. Storing secrets in Dockerfile build args. Visible in image layer history.

Quick Check

Why is OIDC federation preferred over storing AWS access keys as GitHub Secrets?

Pick the best reason.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←A Complete CD Pipeline
Back to CI/CD Pipelines
Testing in CI→