feat(build): add support for marking env vars as secrets in syncEnvVars

- Added isSecret flag to SyncEnvVarsBody type
- Updated CLI's syncEnvVarsWithServer to pass secret flags
- Modified backend API endpoint to handle secret flags
- Added documentation for the new feature

Author: julienvanbeveren

.changeset/fresh-bats-travel.md

@@ -0,0 +1,6 @@
+---
+"trigger.dev": minor
+"@trigger.dev/build": minor
+---
+
+Added support for the secret flag on variables in the syncEnvVars extension

apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.import.ts

@@ -44,6 +44,7 @@ export async function action({ params, request }: ActionFunctionArgs) {
     variables: Object.entries(body.variables).map(([key, value]) => ({
       key,
       value,
+      isSecret: body.secrets?.[key] ?? false,
     })),
   });
 
@@ -55,6 +56,7 @@ export async function action({ params, request }: ActionFunctionArgs) {
       variables: Object.entries(body.parentVariables).map(([key, value]) => ({
         key,
         value,
+        isSecret: body.parentSecrets?.[key] ?? false,
       })),
     });
 

packages/build/src/extensions/core/syncEnvVars.ts

@@ -2,7 +2,7 @@ import { BuildContext, BuildExtension } from "@trigger.dev/core/v3/build";
 
 export type SyncEnvVarsBody =
   | Record<string, string>
-  | Array<{ name: string; value: string; isParentEnv?: boolean }>;
+  | Array<{ name: string; value: string; isParentEnv?: boolean; isSecret?: boolean }>;
 
 export type SyncEnvVarsResult =
   | SyncEnvVarsBody
@@ -151,9 +151,19 @@ async function callSyncEnvVarsFn(
   environment: string,
   branch: string | undefined,
   context: BuildContext
-): Promise<{ env: Record<string, string>; parentEnv?: Record<string, string> } | undefined> {
+): Promise<{
+  env: Record<string, string>;
+  secrets?: Record<string, boolean>;
+  parentEnv?: Record<string, string>;
+  parentEnvSecrets?: Record<string, boolean>;
+} | undefined> {
   if (syncEnvVarsFn && typeof syncEnvVarsFn === "function") {
-    let resolvedEnvVars: { env: Record<string, string>; parentEnv?: Record<string, string> } = {
+    let resolvedEnvVars: {
+      env: Record<string, string>;
+      secrets?: Record<string, boolean>;
+      parentEnv?: Record<string, string>;
+      parentEnvSecrets?: Record<string, boolean>;
+    } = {
       env: {},
     };
     let result;
@@ -186,10 +196,20 @@ async function callSyncEnvVarsFn(
           if (item.isParentEnv) {
             if (!resolvedEnvVars.parentEnv) {
               resolvedEnvVars.parentEnv = {};
+              resolvedEnvVars.parentEnvSecrets = {};
             }
             resolvedEnvVars.parentEnv[item.name] = item.value;
+            if (item.isSecret && resolvedEnvVars.parentEnvSecrets) {
+              resolvedEnvVars.parentEnvSecrets[item.name] = true;
+            }
           } else {
             resolvedEnvVars.env[item.name] = item.value;
+            if (item.isSecret) {
+              if (!resolvedEnvVars.secrets) {
+                resolvedEnvVars.secrets = {};
+              }
+              resolvedEnvVars.secrets[item.name] = true;
+            }
           }
         }
       }

packages/cli-v3/src/commands/deploy.ts

@@ -381,9 +381,8 @@ async function _deployCommand(dir: string, options: DeployCommandOptions) {
   const version = deployment.version;
 
   const rawDeploymentLink = `${authorization.dashboardUrl}/projects/v3/${resolvedConfig.project}/deployments/${deployment.shortCode}`;
-  const rawTestLink = `${authorization.dashboardUrl}/projects/v3/${
-    resolvedConfig.project
-  }/test?environment=${options.env === "prod" ? "prod" : "stg"}`;
+  const rawTestLink = `${authorization.dashboardUrl}/projects/v3/${resolvedConfig.project
+    }/test?environment=${options.env === "prod" ? "prod" : "stg"}`;
 
   const deploymentLink = cliLink("View deployment", rawDeploymentLink);
   const testLink = cliLink("Test tasks", rawTestLink);
@@ -562,8 +561,7 @@ async function _deployCommand(dir: string, options: DeployCommandOptions) {
   const taskCount = deploymentWithWorker.worker?.tasks.length ?? 0;
 
   outro(
-    `Version ${version} deployed with ${taskCount} detected task${taskCount === 1 ? "" : "s"} ${
-      isLinksSupported ? `| ${deploymentLink} | ${testLink}` : ""
+    `Version ${version} deployed with ${taskCount} detected task${taskCount === 1 ? "" : "s"} ${isLinksSupported ? `| ${deploymentLink} | ${testLink}` : ""
     }`
   );
 
@@ -586,18 +584,16 @@ async function _deployCommand(dir: string, options: DeployCommandOptions) {
       TRIGGER_VERSION: version,
       TRIGGER_DEPLOYMENT_SHORT_CODE: deployment.shortCode,
       TRIGGER_DEPLOYMENT_URL: `${authorization.dashboardUrl}/projects/v3/${resolvedConfig.project}/deployments/${deployment.shortCode}`,
-      TRIGGER_TEST_URL: `${authorization.dashboardUrl}/projects/v3/${
-        resolvedConfig.project
-      }/test?environment=${options.env === "prod" ? "prod" : "stg"}`,
+      TRIGGER_TEST_URL: `${authorization.dashboardUrl}/projects/v3/${resolvedConfig.project
+        }/test?environment=${options.env === "prod" ? "prod" : "stg"}`,
     },
     outputs: {
       deploymentVersion: version,
       workerVersion: version,
       deploymentShortCode: deployment.shortCode,
       deploymentUrl: `${authorization.dashboardUrl}/projects/v3/${resolvedConfig.project}/deployments/${deployment.shortCode}`,
-      testUrl: `${authorization.dashboardUrl}/projects/v3/${
-        resolvedConfig.project
-      }/test?environment=${options.env === "prod" ? "prod" : "stg"}`,
+      testUrl: `${authorization.dashboardUrl}/projects/v3/${resolvedConfig.project
+        }/test?environment=${options.env === "prod" ? "prod" : "stg"}`,
       needsPromotion: options.skipPromotion ? "true" : "false",
     },
   });
@@ -608,11 +604,15 @@ export async function syncEnvVarsWithServer(
   projectRef: string,
   environmentSlug: string,
   envVars: Record<string, string>,
-  parentEnvVars?: Record<string, string>
+  parentEnvVars?: Record<string, string>,
+  secrets?: Record<string, boolean>,
+  parentEnvSecrets?: Record<string, boolean>
 ) {
   return await apiClient.importEnvVars(projectRef, environmentSlug, {
     variables: envVars,
     parentVariables: parentEnvVars,
+    secrets,
+    parentSecrets: parentEnvSecrets,
     override: true,
   });
 }
@@ -640,8 +640,7 @@ async function failDeploy(
       checkLogsForErrors(logs);
 
       outro(
-        `${chalkError(`${prefix}:`)} ${
-          error.message
+        `${chalkError(`${prefix}:`)} ${error.message
         }. Full build logs have been saved to ${logPath}`
       );
 

packages/core/src/v3/apiClient/types.ts

@@ -13,6 +13,18 @@ export interface ImportEnvironmentVariablesParams {
    * To specify the variables, you can pass them in as a record of key-value pairs. e.g. `{ "key1": "value1", "key2": "value2" }`
    */
   variables: Record<string, string>;
+  /**
+   * Optional parent variables to be imported. These are used when dealing with branch environments.
+   */
+  parentVariables?: Record<string, string>;
+  /**
+   * Optional map of which variables should be marked as secrets. The keys should match the keys in `variables`.
+   */
+  secrets?: Record<string, boolean>;
+  /**
+   * Optional map of which parent variables should be marked as secrets. The keys should match the keys in `parentVariables`.
+   */
+  parentSecrets?: Record<string, boolean>;
   override?: boolean;
 }
 

packages/core/src/v3/schemas/api.ts

@@ -799,6 +799,8 @@ export type UpdateEnvironmentVariableRequestBody = z.infer<
 export const ImportEnvironmentVariablesRequestBody = z.object({
   variables: z.record(z.string()),
   parentVariables: z.record(z.string()).optional(),
+  secrets: z.record(z.boolean()).optional(),
+  parentSecrets: z.record(z.boolean()).optional(),
   override: z.boolean().optional(),
 });