apiKey environment variable instead of .coda.json file

I’m trying to integrate my pack upload process to only be possible through GitHub Actions and a merge to master. I’m, however, concerned about the security of my apiKey secret having to populate the .coda.json file during the build process. It doesn’t appear as though an environment variable is possible instead of the file.

Could this option be considered to be added instead of the file? If not, does anyone have a suggestion for how to securely manage this process? Is it secure to place the secret in the .coda.json file, perform the upload process and then delete the file or could something be unsafe about this process?

Any insight would be great!

Thanks,
James

Hi @orth - Thanks for the feedback, that is something we’ve heard before as well. You can work around the limitation by generating your .coda.json in the action, as shown here:

In the long run though it would be nice to just make it a command line argument.
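One way to do the generate-in-the-action workaround and the write, upload, delete flow asked about above, as an added example that is not code from this thread or from the Coda SDK. It assumes the secret reaches the step as the environment variable `CODA_API_KEY`, that `.coda.json` stores it under the key `apiKey`, and that the key only contains letters, digits, `_` and `-`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: create .coda.json for a single upload and always remove it.
# Assumptions: secret arrives as CODA_API_KEY; file key name is "apiKey".

write_coda_config() {
  # $1 = project directory that contains pack.ts
  dir=$1
  [ -n "${CODA_API_KEY:-}" ] || { echo "CODA_API_KEY is not set" >&2; return 1; }
  # Refuse values that would need JSON escaping or could corrupt the file.
  case $CODA_API_KEY in
    *[!A-Za-z0-9_-]*) echo "CODA_API_KEY has unexpected characters" >&2; return 1 ;;
  esac
  (
    umask 077                       # new file is 0600, readable by the owner only
    rm -f "$dir/.coda.json"         # do not inherit looser modes from an old file
    printf '{"apiKey": "%s"}\n' "$CODA_API_KEY" > "$dir/.coda.json"
  )
}

remove_coda_config() {
  rm -f "$1/.coda.json"
}

upload_with_temp_config() {
  # $1 = project directory; remaining arguments = the upload command to run
  dir=$1; shift
  write_coda_config "$dir" || return 1
  # Capture the exit status without tripping "set -e", then clean up on
  # success and on failure so the key never outlives the step.
  ( cd "$dir" && "$@" ) && status=0 || status=$?
  remove_coda_config "$dir"
  return "$status"
}

# In a workflow step, after defining the functions:
#   upload_with_temp_config "$PWD" npx coda upload pack.ts
```

Because the key is written with `printf` from an environment variable, it never appears in the command line or in `set -x` traces of the upload command itself.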

Hi @orth - I just submitted a pull request that adds a new --apiToken argument to the upload command (among others) for this purpose. It isn’t released yet, but I’ll see if we can get it out soon.


Ah, thanks so much Eric! That’s funny you did that as I just hacked my Actions to directly edit the coda source itself as a quick hack, hehe. I had this

      - name: Patch config_storage.js
        run: |
          sed -i.bak -e 's|function getApiKey(codaApiEndpoint) {|&\
            const codapiKey = process.env.CODA_API_KEY;\
            if (codapiKey) {\
              return codapiKey;\
            }\
          |' node_modules/@codahq/packs-sdk/dist/cli/config_storage.js

      - name: Upload pack to Coda
        run: npx coda upload pack.ts

Hi @orth - To close the loop, we just released version 1.3.0 of the SDK which includes the new --apiToken argument. Thanks for the nudge!
