11 days ago
Is there a way to not have the sync feature try to update shared variables? I'm scared I'm going to forget to dismiss them one of these times and pull prod keys into dev or vice-versa.
8 Replies
11 days ago
The docs say:
Sealed variables are a security-first feature and with that come some constraints:
[...]
- Sealed variables are not copied over when creating PR environments.
- Sealed variables are not copied when duplicating an environment.
- Sealed variables are not copied when duplicating a service.
- Sealed variables are not shown as part of the diff when syncing environment changes.
But this does not indicate what the actual behaviour is. Do the still get copied when syncing?
11 days ago
(FWIW my variables are currently unsealed)
11 days ago
(I'm just exploring it as a potential solution to this, but like I say - is a bit unclear)
7 days ago
I'm still looking for clarity on this if anyone can help. ☺️
7 days ago
This would have to be a feedback post on station.railway.com.
It's not behavior we could just change from a one off request.
7 days ago
I am not requesting a change, I'm asking for clarification on how this actually works. Specifically:
Sealed variables are not shown as part of the diff when syncing environment changes.
Are they simply not shown, or just not synced (as is the case for PR environments)?
7 days ago
This thread has been opened as a bounty so the community can help solve it.
Status changed to Open Railway • 7 days ago
7 days ago
If they are, is there any other mechanism I can use for environment-specific variables/secrets to ensure I can never screw up and sync them to where they shouldn't be?
6 days ago
Sealed variables are excluded from the sync diff display, but the docs don't explicitly say they're excluded from syncing itself — so they probably still sync silently.
Safest option: don't use shared variables for sensitive keys at all. Set them directly per environment so they're never part of the sync flow.