Should there be something like envify that deploys without creating a .env file?

[jeromedalbert]

Using envify with 1password of Bitwarden can be a nice way to share secrets with your team, because you're not storing sensitive production data on anyone's laptop. But it generates a .env file before deploying, and this file has all the sensitive data in clear form. This doesn't feel safe because if your laptop gets hacked, the attacker can read this file, and all your sensitive data is now compromised. You could manually remove the .env file every time after deploying, but this doesn't scale well because people are human and can forget. Creating a wrapper script to automate the removal of this file after deploy could also fail to remove the file if the script is interrupted for any reason.

What if there was a command like envify, or an option to this command, that could load the environment variables from the .env.erb file, and deploy them straight away, without creating a .env file? This way if your laptop gets hacked later on, the attacker wouldn't be able to read your sensitive data, unless they also hack into your 1password or Bitwarden vault, which is much harder.