Kamal secrets and github actions deployment

[ehutzelman]

Now that I've upgraded to kamal 2, I see the secrets no longer have a separate lifecycle and they are pushed on every deployment. While this simplifies the whole process, it does remove some of the flexibility that kamal 1.x provided with the ability to manage secrets independently of the deployment. I would manage the uploading of secrets (env push) from my local machine, and then leave the grunt work of deployment to github actions. This meant that all my app secrets didn't have to be duplicated in github secrets as well, and github only needed the basics like the KAMAL_REGISTRY_PASSWORD and SSH_KEY to do a deploy.

Curious how others are managing their secrets with github actions and kamal, as maybe I'm missing some path that makes this easier with kamal 2. Kamal 2 has been much easier to get up and going, so maybe this is just a tradeoff of making the whole deployment process more simple and bulletproof.

Thanks!

[dhh]

You can use GH Secrets as ENVs, which you can then refer to in .kamal/secrets. See https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions.