Testing Inertia with Dusk

Sign in Get started

This episode is for members only

Sign up to access "Testing Inertia with Dusk" right now.

Already a member? Sign in to continue

Playing

21. Storing secrets securely

Episodes

0%

Your progress

Total: 2h 53m
Played: 0m
Remaining: 2h 53m

Join or sign in to track your progress

01. Setting up Dusk

01. Introduction and demo

02. Setting up Dusk with Pest

03. Running a Dusk-specific environment file

04. Use a different database

02. Testing with Dusk

05. Authenticating for tests

06. Diving straight into end-to-end tests

07. Using custom dusk selectors

08. Seeding and basic visibility checks

09. Looking inside specific page sections

10. Navigating between pages

11. Filling and submitting forms

12. Verifying database contents

13. Testing validation errors

14. Interacting with dialogs

15. Dealing with race conditions

16. More complex selectors

17. Asserting input values

18. More typing, and hitting specific keyboard keys

19. When you don’t need Dusk

03. CI with GitHub Actions

20. Setting up a basic workflow

21. Storing secrets securely

22. Capturing artifacts

Transcript

00:00

We've already established that having secret keys within your env files for our dusk environment and committing them to a repository is not a great idea. Now because we now have a real working

00:12

example of using say a third-party API key we're going to use this some secret value and write a test to make sure we can see this on the page and then we're going to push this up to github actions and set the secret key secretly and genuinely secretly within github actions. Okay so to demonstrate this I'm going to come over to the dashboard and I'm going to output this value

00:36

in here so let's say secret key and we're going to have the secret key over on our dashboard. Now obviously you wouldn't do this but really we're just getting to the point where we want to be able to see this secret key somewhere and I'm not actually going to do that in the title I'm going to do that down here so let's say secret key and x and we will output this here. Okay so over in

00:59

our web roots let's find our dashboard just here and let's go ahead and pass this down. Now just for the sake of keeping with good practice here I'm going to create a config file out for this so let's go into config and we'll just create a file in here called secret.php and let's go ahead and return our secret key in here so let's say key and we'll pull this from our env file. It's always

01:24

a good idea not to read environment files directly so we're going to say some secret and now we can reference this over in here so we'll say secret key config and secret.key and then we can go ahead and output that over on our dashboard. Okay so we'll go ahead and define our props out here secret what do we call that underscore key and let's call that secret key with this casing

01:54

and that's going to be a string so let's change that to secret key and we'll just dump it out on the page and then we're done and we can write a really quick test to verify that we can see this which is pretty much just simulating the fact that we can use a secret key within a service somewhere. Okay let's go over then and write a test for this really quickly so let's make out a test

02:16

so dusk make let's call this secret key test and let's open that up and all we want to do here is test it shows a secret key and we want to browse and visit the dashboard either manually typing that and we want to assert we see secret key and then we want to tack on config secret and key. Okay let's run this test in isolation and obviously if we get rid of this from our

02:51

environment file when we push up to github actions it's not going to show this correctly and with that in mind we actually want to hard code this in here because otherwise it's just going to replicate the value so let's just make sure yeah that's def let's go ahead and run this test so php artisan pest and we will filter this down to that test and we should see it

03:13

and obviously we need to be logged in yeah okay let's get this sorted really quickly and then we can move on so app factory and create let's go ahead and log in as this user obviously that page isn't accessible for people who aren't logged in

03:33

and let's try one more time okay great so that is now working all right so just to drill the point across if we go over to emb.dust.local and we get rid of this some secret this test is now going to fail which means that if we don't include these now environment variables inside of our dust.ci file this is going to fail the test basically this value isn't going to be available

03:57

but we do need it available but not within this file okay so now that we've done this let's go ahead and just push this up so let's say git add commit dusk actions and we will push this to the my app origin and let's go ahead and open this up and see what happens so let's go back over to our actions over to dusk actions and this should work but then we're going to go ahead and get rid of it

04:21

from the dusk.ci file okay so our tests are running you can see that the secret key test is passing let's think about our setup here so we've got env.dust.local now with this specifically we do want to store secret keys so if we go over to git ignore and this won't get rid of it from

04:45

our already committed file but we're going to go ahead and as well as our env file we're also going ignore env.dust.local so we should have really done that earlier at the start of the project but we don't want to push up our local env much like we don't want to push up just our standard env here so the first step is to exclude that we do want to push up the env.dusk.ci file but if we just

05:10

open that up we want to get rid of some secret now if I get rid of some secret from there and then I go ahead and push this arc what's going to happen well when we go ahead and run our test again so if we just go back over to our actions when this one runs now it's not going to find that value so it's not going to see that on the dashboard and I know we're just displaying it on

05:33

the dashboard but we're just kind of simulating this actually being used within our project so I'm going to let these run through we're going to see that this fails and then we're going to look at how we can properly add a secret within github actions so let's just wait for this to run through and we'll cover that next okay so this is starting to run through our tests now let's just wait for

05:54

the secret key test and you can see that fails obviously because that is missing from our environment file which is a good thing so just while this finishes going through we're going to head over to our settings area under the repository that we're working with we're going to come down to secrets and variables under the action setting and we're going to add a new

06:16

repository secret so from here what we can do is any of the files that we were originally adding or any of the environment variables that we were originally adding to here we can now move them over specifically to github so they're not committed within our code itself so I'm going to keep this out of this file because we don't want to commit that and I'm going to add some secret with def

06:40

in here and add it in now this hasn't done much at the moment we've got the secret key in here we can't see it so it can't be viewed we can go ahead and edit it and change the value if we want to but it's now a secret value that's tucked away what we can now do is update our dusk.yaml file to specifically include those within our environment when we run our test so there's a couple of ways

07:05

that we can use these new values that we've added as secrets and probably the easiest one is to provide the env option within our dusk.yaml file in here what we can effectively do is set our environment variables but we can reference the secrets that we've defined within our github account so this means that we don't have to store in here so remember we got rid of it from here

07:28

but we can just define and add it on to our overall environment so this was sum underscore secret and where do we get this value from well we can use double curly braces with a dollar sign we can reference secrets which will contain all of the secrets that we've set over here and we just need to reference it by name when we grab it out now that we've done that when we push this up it's

07:52

going to have that def value as some secret therefore our secret config that we created earlier will return that def value in its key and then of course over in this it will send that down to the view of course we're just using that as an example but this would mean that your entire workflow would then work if you were using any external services okay let's go ahead and commit

08:15

this and push it up and let's go over to our actions and we should see this run through properly so let's give that a refresh and let's go over here and wait for our tests to run just while that's running there are other places you can use this so you can go ahead and use these say in here for your password you wouldn't necessarily do this because this is just pre-configured on the github

08:37

this isn't really a secret but any commands that you run like this or anywhere else that you need to use this in here you can just go ahead and use the same syntax to pluck out those secrets and they'll be in there waiting for you okay so our tests are now running and we should get down to the point where the secret key test is now passing because of course that is now included

08:59

over in our dusk yaml file but it's completely secret so even if our dusk.yaml file was revealed this is hidden behind our github account so use this flow to set any of the additional environments that you need for your dusk tests to actually run of course just make sure you review this just to make sure you're not including any actual secrets in here these are good candidates for things like

09:24

that and of course if you are using a secret key from a external api they're a good candidate for this as well the probably the most important part about this is the gitignore that we added for our local we need the values locally for this to run properly just make sure at the start of your project you gitignore

Episode summary

In this episode, we're diving into the right way to store secrets in your project, especially when using things like API keys in tests and CI/CD pipelines. First, we recap why you should never commit secret keys to your codebase or even to environment files that are tracked in version control — doing so risks exposing these sensitive values.

We then move on to a hands-on example: adding a fake secret key to a config file, displaying it on a (test) dashboard, and writing a quick test to make sure it can be accessed. This helps lay the groundwork for understanding where secrets actually appear in your app during testing.

Next, we push our changes to GitHub Actions and deliberately break things to prove that not including the secret in our environment files causes the tests to fail. Once that's clear, we go through the process of fixing it the right way: adding a repository secret in GitHub, referencing that secret in the GitHub Actions workflow (using the secrets context), and updating the test config to use it. The cool part is, this means your secret key is never present in your code or files — it's stored securely in GitHub and injected only when needed by your CI jobs.

Finally, we push the working setup, watch the tests pass again (with the secret injected properly), and talk about best practices: make sure secrets are only stored locally for development, always gitignore local env files, and use repository secrets for anything sensitive in CI like API keys. It's a must-do workflow for keeping your credentials safe, while still allowing full-featured automated testing!

Episode discussion

No comments, yet. Be the first!