**From the perspective of .env
**, it might be better to shopify.app.toml
be used for local development only.
Remix app has a useful solution that .env
is loaded automatically to override environment variables in local development.
on the other hand, shopify app deploy
(without -c option) load .env
by default.
This means…, there’s a possibility that you deploy extension which includes local environment variable to production unintentionally in the following situation.
- use
.env
to override environment variables for local remix app - have extensions that use
process.env.XXX
which is defined in.env
- deploy extensions to production using
shopify app deploy
in local machine
In this condition, production deploy command (shopify app deploy
) running in local machine injects .env
variables and deploys to production.
my solution
I use .env
if I need and I make shopify.app.toml
be gitignored for local development not to be used for production.
I also put a shopify.app.production.toml
to link production shopify app setting and define environment variables in deploy server like github action then run deploy command for production like this.
$ shopify app deploy -c production
This solution prevents from leaking .env
in production extensions.