Heroku Review App Integration

Hi all,

we are big fans of doppler (solves a lot of painful problems). We are currently using the Heroku Integration and we are missing the feature to sync the secrets to the Review App Stage (Review apps are created on PR openings). Its currently only possible to transfer them to an app but not a pipeline (Pipelines | Heroku Dev Center). Pipelines share env vars with multiple apps so that we don’t need to sync them every time we open a PR.


Hey Lukas and thanks for the feedback!

We’re looking at supporting secrets sync for review apps in late Q2, but until then, here is how you could do this programmatically using the Doppler and Heroku CLI (with help from jq).

Note: Just like the Heroku integration, these steps presume you want to only use Doppler for updating review app variables and any variables manually edited in Heroku will get blown away on sync.

I’m going to refer to review app variables as Pipeline Config Vars for the remainder of this post.

To set up:

  1. Create a Dopler config that will contain the Pipeline Config Vars to sync
  2. Create a Doppler Service Token for that config and export the value as the DOPPLER_TOKEN environment variable
  3. Create a Heroku API Key (required in order to set the CI config vars) by running heroku authorizations:create and export the value as the HEROKU_API_KEY environment variable
  4. Install the Heroku API plugin (as the CLI doesn’t natively support Pipeline Config Vars yet) - heroku plugins:install api

Syncing secrets is then a three-step process:

Step 1: Fetch the PIPELINE_ID for the Heroku app (change your-app-name below)

PIPELINE_ID="$(heroku api GET pipelines | jq '.[] | select(.name=="your-app-name")' | jq -r '.id')"

Step 2: Nullify all Pipeline Config Vars

eval heroku api PATCH /pipelines/$PIPELINE_ID/stage/review/config-vars --body "'{$(heroku api GET /pipelines/$PIPELINE_ID/stage/review/config-vars | jq -jr ' . | to_entries[] | "\"\(.key)\":null",","' | sed 's/.$//')}'"

Step 3 Sync Doppler secrets Pipeline Config Vars

eval heroku api PATCH /pipelines/$PIPELINE_ID/stage/review/config-vars --body "'$(doppler secrets download --no-file --format json)'"

You can also see an example GitHub Action from our Yoda Speak sample app.

Would love to get your feedback on this temporary workaround.

1 Like

Hi Lukas,

Just following up to see if this solution worked for you?

+1 for this feature!

Is there a recommended workflow to do a similar thing with Netlify’s “Deploy Preview”?

Hey @BradRyan and welcome to the Doppler Community!

It looks like we don’t have Deploy Preview secrets sync natively supported in our current Netlify integration so I’ll flag this with our engineering team and work on a documented solution for you that I should have done by later today.

1 Like

Awesome! Thanks @ryan-blunden!

Hey @BradRyan,

I’m not a Netlify expert so can you help me understand the difference between Netlify Preview environment variables and the standard build environment variables?

Or have I misunderstood?

For our company workflow we have a production deployment built from our main/master branch, and then we have “preview deployments” which are essentially deployments for each PR that gets opened against the main branch (this is the same idea as Heroku’s pipelines).

The production app references production environment variables, where we have the preview deployments reference environment variables for our staging environment. This means when we do things like QA or run automated tests against the preview deployments, we aren’t accidentally modifying data from our production database.

Currently, Doppler only allows me to sync one environment to Netlify, which are by default used for both production and preview deployments. I would like to have a means to tell preview deployments to reference staging environment variables and the main branch deploys to reference production environment variables.

Does that clarify things? Let me know if I can try to provide more context or examples of specific things.

Also, here’s some helpful reading on how Netlify allows users to customize environment variables between production or preview deploys:

Thanks @BradRyan! I’ll take a look and get back to you soon.

Hey @BradRyan,

Unfortunately, Netlify doesn’t make it possible to support syncing multiple environments as environment variable overrides are only possible if hard-coded into netlify.toml.

This means if you need multiple deployment contexts with different secrets, you’ll need to not use our integration and use multiple service tokens instead.

I’ve updated our Netlify docs to support multiple deployment contexts and would appreciate any feedback you have.

Let me know how you go.

Thanks @ryan-blunden I have my builds referencing the proper env variables using this approach. I noticed one small mistake in the docs where you listed [context.deploy-preview.environment] instead of [context.deploy-preview].

Here’s the relevant parts of my netlify.toml for reference. I injected an extra env var that is referenced in the client code.

  command = "yarn doppler-install && ./doppler run --token $DOPPLER_TOKEN_PRD --command='REACT_APP_COMMIT_SHA1=${COMMIT_REF} yarn build'"

  command = "yarn doppler-install && ./doppler run --token $DOPPLER_TOKEN_STG --command='REACT_APP_COMMIT_SHA1=${COMMIT_REF} yarn build'"

Head’s up the other gotcha with this approach is that these env variables aren’t exposed to Netlify’s Serverless functions since they aren’t set through their UI. That said, I’m running into some other frustrations unrelated to Doppler on that front but will share if I come up with any clever solutions here…

Thanks for your help!

Thanks for letting me know about the typo, and the gotcha with Netlify functions.

Keep me posted about the frustrations you’re having and any insights you glean along the way and I’ll see what I can do to improve our docs in the meantime.

1 Like

Hey @ryan-blunden the other feature I was looking for was only triggering a webhook on production environments only. In Netlify, I can create a custom deployment webhook that can trigger builds on a certain branch (master in my case). Since I couldn’t apply the webhook specifically for a given environment on Doppler’s side of things, I created a custom plugin in Netlify.

I figured I’d share in case someone else was curious about doing something similar.

This is awesome @BradRyan! Thanks for sharing!

We’re looking at supporting specific actions for integrations (such as auto-redeploys) and this is a great piece of prior art to guide us.

Hey @BradRyan, just letting you know we’ve recently added the ability to customize webhook delivery on a per-environment basis. You can find the new options on the webhooks page for a given project. Hope this helps!

1 Like

That’s great! Thanks @apazzolini