**From the perspective of .env **, it might be better to shopify.app.toml be used for local development only.
Remix app has a useful solution that .env is loaded automatically to override environment variables in local development.
on the other hand, shopify app deploy (without -c option) load .env by default.
This means…, there’s a possibility that you deploy extension which includes local environment variable to production unintentionally in the following situation.
- use
.envto override environment variables for local remix app - have extensions that use
process.env.XXXwhich is defined in.env - deploy extensions to production using
shopify app deployin local machine
In this condition, production deploy command (shopify app deploy) running in local machine injects .env variables and deploys to production.
my solution
I use .env if I need and I make shopify.app.toml be gitignored for local development not to be used for production.
I also put a shopify.app.production.toml to link production shopify app setting and define environment variables in deploy server like github action then run deploy command for production like this.
$ shopify app deploy -c production
This solution prevents from leaking .env in production extensions.