a month ago
Is there a way to not have the sync feature try to update shared variables? I'm scared I'm going to forget to dismiss them one of these times and pull prod keys into dev or vice-versa.
10 Replies
a month ago
The docs say:
Sealed variables are a security-first feature and with that come some constraints:
[...]
- Sealed variables are not copied over when creating PR environments.
- Sealed variables are not copied when duplicating an environment.
- Sealed variables are not copied when duplicating a service.
- Sealed variables are not shown as part of the diff when syncing environment changes.
But this does not indicate what the actual behaviour is. Do they still get copied when syncing?
a month ago
(FWIW my variables are currently unsealed)
a month ago
(I'm just exploring it as a potential solution to this, but, like I say, it is a bit unclear)
24 days ago
I'm still looking for clarity on this if anyone can help. ☺️
24 days ago
This would have to be a feedback post on station.railway.com.
It's not behavior we could just change from a one off request.
24 days ago
I am not requesting a change, I'm asking for clarification on how this actually works. Specifically:
Sealed variables are not shown as part of the diff when syncing environment changes.
Are they simply not shown, or just not synced (as is the case for PR environments)?
24 days ago
This thread has been opened as a bounty so the community can help solve it.
Status changed to Open (Railway, 24 days ago)
24 days ago
If they are, is there any other mechanism I can use for environment-specific variables/secrets to ensure I can never screw up and sync them to where they shouldn't be?
23 days ago
Sealed variables are excluded from the sync diff display, but the docs don't explicitly say they're excluded from syncing itself — so they probably still sync silently.
Safest option: don't use shared variables for sensitive keys at all. Set them directly per environment so they're never part of the sync flow.
14 days ago
+1 from me too, I'm looking to do this as well. It would be great if the syncing feature allowed us to add specific changes to a "deny list" (with an option to remove from that list too); this way we could say that a specific env var, deploy setting, or a full service shouldn't sync.
13 days ago
The docs are genuinely fuzzy here. "Sealed variables aren't shown in the sync diff" only means they're hidden from the diff view; it does not clearly mean they're excluded from syncing, so don't trust sealing alone to keep prod creds out of dev. The safe pattern: don't put environment-specific secrets as shared/synced vars at all; set them directly per environment so they're never in the sync path in the first place. That fully sidesteps it. There's an open feature request for a proper "deny list" to block specific vars from syncing, but until that's real, per-env vars is the move.
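A small pre-sync check, added here as an illustration; it is not Railway's code and makes no claim about what the platform actually does with sealed variables. It models two environments' variable sets with constructed sample data, computes which keys a sync would change, and flags the two cases this thread worries about: sealed keys that would change without appearing in the diff, and credential-looking keys whose values differ between environments. The `Var` type, `sync_report` and `sync_guard` names, and the sealed-flag model are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    value: str
    sealed: bool = False  # models Railway's "sealed" flag (assumption, not the real API)


SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "DATABASE_URL")


def looks_secret(key: str) -> bool:
    """Heuristic: key names that usually carry credentials."""
    return any(hint in key.upper() for hint in SECRET_HINTS)


def sync_report(source: dict, target: dict):
    """Keys whose value would change if `source` were synced into `target`,
    split into (visible, hidden). Per the docs, sealed variables are not shown
    in the sync diff, so a changed sealed key is the hidden case the thread asks about.
    Assumption: only keys present in `source` are considered; nothing is deleted."""
    visible, hidden = [], []
    for key, src in source.items():
        tgt = target.get(key)
        if tgt is None or tgt.value != src.value:
            is_hidden = src.sealed or (tgt is not None and tgt.sealed)
            (hidden if is_hidden else visible).append(key)
    return sorted(visible), sorted(hidden)


def sync_guard(source: dict, target: dict) -> list:
    """Keys that should block the sync: anything hidden from the diff, plus any
    visible key that looks like a credential and differs between environments."""
    visible, hidden = sync_report(source, target)
    return sorted(hidden + [k for k in visible if looks_secret(k)])


# Constructed sample environments (placeholder values, not real credentials).
PROD = {
    "DATABASE_URL": Var("postgres://prod-host/app"),
    "STRIPE_SECRET_KEY": Var("sk_live_PLACEHOLDER", sealed=True),
    "LOG_LEVEL": Var("warn"),
    "FEATURE_FLAGS": Var("checkout-v2"),
}
DEV = {
    "DATABASE_URL": Var("postgres://dev-host/app"),
    "STRIPE_SECRET_KEY": Var("sk_test_PLACEHOLDER", sealed=True),
    "LOG_LEVEL": Var("debug"),
}

if __name__ == "__main__":
    visible, hidden = sync_report(PROD, DEV)
    print("diff would show:", visible)
    print("would change but stay hidden (sealed):", hidden)
    print("refuse sync; keep these per-environment:", sync_guard(PROD, DEV))
```

Running it against the sample data shows the sealed Stripe key as a hidden change and the database URL as a visible but credential-bearing one; both are exactly the values the replies above say belong as per-environment variables rather than in the sync path.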
