Description
hi,
despite looking up the docs and a couple repos, I still am unsure of the best practice to define a secret environment variable for my Replicate prod endpoint, i.e. without leaking my `.env` file in my repo or in the Dockerfile. (sorry if this has been said already.)
More specifically, here's the scenario I'm talking about, it's fairly common:
- the token is needed at runtime only
- it is NOT user-provided, I (the Replicate endpoint developer) provide it
- the token never changes
- pushes to Replicate may come either from me locally (`cog push ...`) or from a GitHub Actions job
Let's take an example: my cog `predict()` method inside `predict.py` needs to make an authenticated API call. To make this API call, it thus needs a secret token. Usually here's what I do, in a context outside of Replicate:
- locally I've the token in a `.env` file
- in prod, I can easily define the secret env var, typically in the UI settings
but in the case of Replicate, unless I'm mistaken there's no such thing as a UI section to define manually those env vars.
So what's the cleanest way to have the secret defined as an env var in the Replicate machine? I was thinking of putting the secret into my GitHub secrets env vars, and then in the GitHub Actions job to store it in the .env, but it kind of leaks it into doesn't it?
thanks!