Add eas env:push and env:pull commands (#2495)

* Implement `eas env:pull` and `eas env:push` commands

* Implement review suggestions

* Implement review suggestions

* Allow fetching sensitive variables with env:get

* Implement review suggestions

* fix push

* Implement `including-sensitive` for env:list

* Use envvariables in local build

* Remove withSudo

* Remove sudo

* Evaluate dynamicProjectConfig with EnvVars

packages/eas-cli/src/build/android/build.ts

@@ -107,7 +107,7 @@ export async function prepareAndroidBuildAsync(
             ? false
             : ctx.buildProfile.autoIncrement,
         vcsClient: ctx.vcsClient,
-        env: ctx.buildProfile.env,
+        env: ctx.env,
       });
     },
     prepareJobAsync: async (

packages/eas-cli/src/build/build.ts

@@ -186,7 +186,7 @@ export async function prepareBuildRequestForPlatformAsync<
 
   return async () => {
     if (ctx.localBuildOptions.localBuildMode === LocalBuildMode.LOCAL_BUILD_PLUGIN) {
-      await runLocalBuildAsync(job, metadata, ctx.localBuildOptions);
+      await runLocalBuildAsync(job, metadata, ctx.localBuildOptions, ctx.env);
       return undefined;
     } else if (ctx.localBuildOptions.localBuildMode === LocalBuildMode.INTERNAL) {
       await BuildMutation.updateBuildMetadataAsync(ctx.graphqlClient, {
@@ -676,7 +676,7 @@ async function createAndMaybeUploadFingerprintAsync<T extends Platform>(
     platform: ctx.platform,
     workflow: ctx.workflow,
     projectDir: ctx.projectDir,
-    env: ctx.buildProfile.env,
+    env: ctx.env,
     cwd: ctx.projectDir,
   });
 

packages/eas-cli/src/build/context.ts

@@ -63,4 +63,5 @@ export interface BuildContext<T extends Platform> {
   vcsClient: Client;
   loggerLevel?: LoggerLevel;
   repack: boolean;
+  env: Record<string, string>;
 }

packages/eas-cli/src/build/createContext.ts

@@ -43,6 +43,7 @@ export async function createBuildContextAsync<T extends Platform>({
   buildLoggerLevel,
   freezeCredentials,
   repack,
+  env,
 }: {
   buildProfileName: string;
   buildProfile: BuildProfile<T>;
@@ -64,8 +65,11 @@ export async function createBuildContextAsync<T extends Platform>({
   buildLoggerLevel?: LoggerLevel;
   freezeCredentials: boolean;
   repack: boolean;
+  env: Record<string, string>;
 }): Promise<BuildContext<T>> {
-  const { exp, projectId } = await getDynamicPrivateProjectConfigAsync({ env: buildProfile.env });
+  const { exp, projectId } = await getDynamicPrivateProjectConfigAsync({
+    env,
+  });
   const projectName = exp.slug;
   const account = await getOwnerAccountForProjectIdAsync(graphqlClient, projectId);
   const workflow = await resolveWorkflowAsync(projectDir, platform, vcsClient);
@@ -87,7 +91,7 @@ export async function createBuildContextAsync<T extends Platform>({
     user: actor,
     graphqlClient,
     analytics,
-    env: buildProfile.env,
+    env,
     easJsonCliConfig,
     vcsClient,
     freezeCredentials,
@@ -147,6 +151,7 @@ export async function createBuildContextAsync<T extends Platform>({
     requiredPackageManager,
     loggerLevel: buildLoggerLevel,
     repack,
+    env,
   };
   if (platform === Platform.ANDROID) {
     const common = commonContext as CommonContext<Platform.ANDROID>;

packages/eas-cli/src/build/evaluateConfigWithEnvVarsAsync.ts

@@ -0,0 +1,81 @@
+import { Env } from '@expo/eas-build-job';
+import { BuildProfile } from '@expo/eas-json';
+
+import { ExpoGraphqlClient } from '../commandUtils/context/contextUtils/createGraphqlClient';
+import { EnvironmentVariableEnvironment } from '../graphql/generated';
+import { EnvironmentVariablesQuery } from '../graphql/queries/EnvironmentVariablesQuery';
+import Log from '../log';
+
+function isEnvironment(env: string): env is EnvironmentVariableEnvironment {
+  return Object.values(EnvironmentVariableEnvironment).includes(
+    env.toUpperCase() as EnvironmentVariableEnvironment
+  );
+}
+
+export async function evaluateConfigWithEnvVarsAsync<Config extends { projectId: string }, Opts>({
+  flags,
+  buildProfile,
+  graphqlClient,
+  getProjectConfig,
+  opts,
+}: {
+  flags: { environment?: string };
+  buildProfile: BuildProfile;
+  graphqlClient: ExpoGraphqlClient | null;
+  opts: Opts;
+  getProjectConfig(opts: Opts): Promise<Config>;
+}): Promise<Config & { env: Env }> {
+  if (!graphqlClient) {
+    Log.warn('An Expo user account is required to fetch environment variables.');
+    const config = await getProjectConfig(opts);
+    return { env: buildProfile.env ?? {}, ...config };
+  }
+  const { projectId } = await getProjectConfig({ env: buildProfile.env, ...opts });
+  const env = await resolveEnvVarsAsync({ flags, buildProfile, graphqlClient, projectId });
+  const config = await getProjectConfig({ ...opts, env });
+
+  return { env, ...config };
+}
+
+async function resolveEnvVarsAsync({
+  flags,
+  buildProfile,
+  graphqlClient,
+  projectId,
+}: {
+  flags: { environment?: string };
+  buildProfile: BuildProfile;
+  graphqlClient: ExpoGraphqlClient;
+  projectId: string;
+}): Promise<Env> {
+  const environment =
+    flags.environment ?? buildProfile.environment ?? process.env.EAS_CURRENT_ENVIRONMENT;
+
+  if (!environment || !isEnvironment(environment)) {
+    return { ...buildProfile.env };
+  }
+
+  try {
+    const environmentVariables = await EnvironmentVariablesQuery.byAppIdWithSensitiveAsync(
+      graphqlClient,
+      {
+        appId: projectId,
+        environment,
+      }
+    );
+    const envVars = Object.fromEntries(
+      environmentVariables
+        .filter(({ name, value }) => name && value)
+        .map(({ name, value }) => [name, value])
+    ) as Record<string, string>;
+
+    return { ...envVars, ...buildProfile.env };
+  } catch (e) {
+    Log.error('Failed to pull env variables for environment ${environment} from EAS servers');
+    Log.error(e);
+    Log.error(
+      'This can possibly be a bug in EAS/EAS CLI. Report it here: https://github.com/expo/eas-cli/issues'
+    );
+    return { ...buildProfile.env };
+  }
+}

packages/eas-cli/src/build/ios/build.ts

@@ -24,7 +24,7 @@ import {
 export async function createIosContextAsync(
   ctx: CommonContext<Platform.IOS>
 ): Promise<IosBuildContext> {
-  const { buildProfile } = ctx;
+  const { buildProfile, env } = ctx;
 
   if (ctx.workflow === Workflow.MANAGED) {
     await ensureBundleIdentifierIsDefinedForManagedProjectAsync(ctx);
@@ -47,7 +47,7 @@ export async function createIosContextAsync(
     projectDir: ctx.projectDir,
     exp: ctx.exp,
     xcodeBuildContext,
-    env: buildProfile.env,
+    env,
     vcsClient: ctx.vcsClient,
   });
   const applicationTarget = findApplicationTarget(targets);
@@ -89,7 +89,7 @@ export async function prepareIosBuildAsync(
             ? false
             : ctx.buildProfile.autoIncrement,
         vcsClient: ctx.vcsClient,
-        env: ctx.buildProfile.env,
+        env: ctx.env,
       });
     },
     prepareJobAsync: async (

packages/eas-cli/src/build/local.ts

@@ -39,7 +39,8 @@ export interface LocalBuildOptions {
 export async function runLocalBuildAsync(
   job: Job,
   metadata: Metadata,
-  options: LocalBuildOptions
+  options: LocalBuildOptions,
+  env: Record<string, string>
 ): Promise<void> {
   const { command, args } = await getCommandAndArgsAsync(job, metadata);
   let spinner;
@@ -57,6 +58,7 @@ export async function runLocalBuildAsync(
     const spawnPromise = spawnAsync(command, args, {
       stdio: options.verbose ? 'inherit' : 'pipe',
       env: {
+        ...env,
         ...process.env,
         EAS_LOCAL_BUILD_WORKINGDIR: options.workingdir ?? process.env.EAS_LOCAL_BUILD_WORKINGDIR,
         ...(options.skipCleanup || options.skipNativeBuild

packages/eas-cli/src/build/runBuildAndSubmit.ts

@@ -2,7 +2,6 @@ import { ExpoConfig } from '@expo/config-types';
 import { Env, Platform, Workflow } from '@expo/eas-build-job';
 import {
   AppVersionSource,
-  BuildProfile,
   EasJson,
   EasJsonAccessor,
   EasJsonUtils,
@@ -19,6 +18,7 @@ import { BuildRequestSender, MaybeBuildFragment, waitForBuildEndAsync } from './
 import { ensureProjectConfiguredAsync } from './configure';
 import { BuildContext } from './context';
 import { createBuildContextAsync } from './createContext';
+import { evaluateConfigWithEnvVarsAsync } from './evaluateConfigWithEnvVarsAsync';
 import { prepareIosBuildAsync } from './ios/build';
 import { LocalBuildMode, LocalBuildOptions } from './local';
 import { ensureExpoDevClientInstalledForDevClientBuildsAsync } from './utils/devClient';
@@ -33,6 +33,7 @@ import {
   BuildFragment,
   BuildStatus,
   BuildWithSubmissionsFragment,
+  EnvironmentVariableEnvironment,
   SubmissionFragment,
 } from '../graphql/generated';
 import { BuildQuery } from '../graphql/queries/BuildQuery';
@@ -96,6 +97,7 @@ export interface BuildFlags {
   buildLoggerLevel?: LoggerLevel;
   freezeCredentials: boolean;
   repack: boolean;
+  environment?: EnvironmentVariableEnvironment;
 }
 
 export async function runBuildAndSubmitAsync(
@@ -129,13 +131,6 @@ export async function runBuildAndSubmitAsync(
     profileName: flags.profile ?? undefined,
     projectDir,
   });
-  Log.log(
-    `Loaded "env" configuration for the "${buildProfiles[0].profileName}" profile: ${
-      buildProfiles[0].profile.env
-        ? Object.keys(buildProfiles[0].profile.env).join(', ')
-        : 'no environment variables specified'
-    }. ${learnMore('https://docs.expo.dev/build-reference/variables/')}`
-  );
 
   for (const buildProfile of buildProfiles) {
     if (buildProfile.profile.image && ['default', 'stable'].includes(buildProfile.profile.image)) {
@@ -192,6 +187,21 @@ export async function runBuildAndSubmitAsync(
 
   for (const buildProfile of buildProfiles) {
     const platform = toAppPlatform(buildProfile.platform);
+
+    const { env } = await evaluateConfigWithEnvVarsAsync({
+      flags,
+      buildProfile: buildProfile.profile,
+      graphqlClient,
+      getProjectConfig: getDynamicPrivateProjectConfigAsync,
+      opts: { env: buildProfile.profile.env },
+    });
+
+    Log.log(
+      `Loaded "env" configuration for the "${buildProfile.profileName}" profile: ${
+        env ? Object.keys(env).join(', ') : 'no environment variables specified'
+      }. ${learnMore('https://docs.expo.dev/build-reference/variables/')}`
+    );
+
     const { build: maybeBuild, buildCtx } = await prepareAndStartBuildAsync({
       projectDir,
       flags,
@@ -204,6 +214,7 @@ export async function runBuildAndSubmitAsync(
       vcsClient,
       getDynamicPrivateProjectConfigAsync,
       customBuildConfigMetadata: customBuildConfigMetadataByPlatform[platform],
+      env,
     });
     if (maybeBuild) {
       startedBuilds.push({ build: maybeBuild, buildProfile });
@@ -251,7 +262,6 @@ export async function runBuildAndSubmitAsync(
         buildCtx: nullthrows(buildCtxByPlatform[startedBuild.build.platform]),
         moreBuilds: startedBuilds.length > 1,
         projectDir,
-        buildProfile: startedBuild.buildProfile.profile,
         submitProfile,
         nonInteractive: flags.nonInteractive,
         selectedSubmitProfileName: flags.submitProfile,
@@ -340,6 +350,7 @@ async function prepareAndStartBuildAsync({
   vcsClient,
   getDynamicPrivateProjectConfigAsync,
   customBuildConfigMetadata,
+  env,
 }: {
   projectDir: string;
   flags: BuildFlags;
@@ -352,6 +363,7 @@ async function prepareAndStartBuildAsync({
   vcsClient: Client;
   getDynamicPrivateProjectConfigAsync: DynamicConfigContextFn;
   customBuildConfigMetadata?: CustomBuildConfigMetadata;
+  env: Env;
 }): Promise<{ build: BuildFragment | undefined; buildCtx: BuildContext<Platform> }> {
   const buildCtx = await createBuildContextAsync({
     buildProfileName: buildProfile.profileName,
@@ -374,6 +386,7 @@ async function prepareAndStartBuildAsync({
     buildLoggerLevel: flags.buildLoggerLevel,
     freezeCredentials: flags.freezeCredentials,
     repack: flags.repack,
+    env,
   });
 
   if (moreBuilds) {
@@ -448,7 +461,6 @@ async function prepareAndStartSubmissionAsync({
   buildCtx,
   moreBuilds,
   projectDir,
-  buildProfile,
   submitProfile,
   selectedSubmitProfileName,
   nonInteractive,
@@ -457,7 +469,6 @@ async function prepareAndStartSubmissionAsync({
   buildCtx: BuildContext<Platform>;
   moreBuilds: boolean;
   projectDir: string;
-  buildProfile: BuildProfile;
   submitProfile: SubmitProfile;
   selectedSubmitProfileName?: string;
   nonInteractive: boolean;
@@ -469,7 +480,7 @@ async function prepareAndStartSubmissionAsync({
     profile: submitProfile,
     archiveFlags: { id: build.id },
     nonInteractive,
-    env: buildProfile.env,
+    env: buildCtx.env,
     credentialsCtx: buildCtx.credentialsCtx,
     applicationIdentifier: buildCtx.android?.applicationId ?? buildCtx.ios?.bundleIdentifier,
     actor: buildCtx.user,

packages/eas-cli/src/build/validate.ts

@@ -9,9 +9,9 @@ import Log, { learnMore } from '../log';
 import { isPNGAsync } from '../utils/image';
 
 export function checkNodeEnvVariable(ctx: CommonContext<Platform>): void {
-  if (ctx.buildProfile.env?.NODE_ENV === 'production') {
+  if (ctx.env?.NODE_ENV === 'production') {
     Log.warn(
-      'You set NODE_ENV=production in the build profile. Remember that it will be available during the entire build process. In particular, it will make yarn/npm install only production packages.'
+      'You set NODE_ENV=production in the build profile or environment variables. Remember that it will be available during the entire build process. In particular, it will make yarn/npm install only production packages.'
     );
     Log.newLine();
   }

packages/eas-cli/src/commandUtils/flags.ts

@@ -38,6 +38,21 @@ export const EASEnvironmentFlag = {
   }),
 };
 
+// NOTE: Used in build commands, should be replaced with EASEnvironmentFlag when
+// the feature is public
+export const EASEnvironmentFlagHidden = {
+  environment: Flags.enum<EnvironmentVariableEnvironment>({
+    description: "Environment variable's environment",
+    parse: upperCaseAsync,
+    hidden: true,
+    options: mapToLowercase([
+      EnvironmentVariableEnvironment.Development,
+      EnvironmentVariableEnvironment.Preview,
+      EnvironmentVariableEnvironment.Production,
+    ]),
+  }),
+};
+
 export const EASVariableFormatFlag = {
   format: Flags.enum({
     description: 'Output format',