How Public are App Env Vars?

Presently we’re only using private repos. For our Android apps we have some private variables required in order to access our internal Artifactory server as well as set a private Google Play store key. We like to compile and build for PRs but per the docs the secret Env Vars are not available for PRs. Is there a best practice for this use case?

How public: if it’s a private repository then it doesn’t really matter whether you set the env var as an App Env Var or Secret Env Var.

There are two differences between App Env Vars and Secret Env Vars:

  1. Secret Env Vars are not passed to the build in case it’s a Pull Request build. Not passed at all, not even in encrypted form, you simply can’t get these in a PR build.
  2. Secret Env Vars are stored separately, not as part of the build config (bitrise.yml)

In any case only the Admins of the app (on can access and modify both on the web UI, but developers / anyone who can push into the repository can possibly print the values of the available env vars - otherwise build steps/script would not be able to use them.

Think about it this way: the bitrise.yml can be committed into the repository (guide), but secrets can’t.

In case of a public repository you of course don’t want to push secrets into your repository, so it’s quite important there to use Secrets, which are only available for non PR builds (for core developers, who have at least write access to the repo).

In case of a private repository it’s less important (usually), as the code itself can only be accessed by core developers, who can use the Secret Env Vars anyway. Of course it’s still a good idea to store secrets as Secrets.

Btw we also have plans to somehow allow Secrets for PRs, either through validation (e.g. secrets available when the PR is created by a core developer, from the same repo / between branches), or through a simple Toggle (expose / don’t expose).

Feel free to vote & comment on the related feature request: