The objective for 21RISK was to create a flexible setup that makes it possible to automate every action of CI/CD while providing the powerful features of Vercel review apps. All of this, while having security top of mind.
Vercel is a kick-ass platform for front-end development, the perfect platform for ambitious web projects where performance is critical.
MongoDB is a flexible database, capable of scaling globally without issues.
Doppler is secrets as a service - never again do you have to think about .env files.
To prepare our project for the future of edge functions, we decided to remove the usage of process.env in our SvelteKit project. Instead, we now import secrets from the $env/static/private module. No more syncing secrets to Vercel. When we run the project locally, we use the Doppler CLI to inject secrets, and when building our application we also use the Doppler CLI/REST API to inject secrets. Our Vercel project holds exactly one secret: the Doppler Service Account token.
When a developer at 21RISK pushes code to our repo, a GitHub Action is triggered. The action uses a special Doppler admin service account token to create a new Doppler branch configuration. After creating the branch configuration, the GitHub Action script updates the MONGO_DB_NAME secret. Its value is a safe version of the branch name, derived deterministically - more on this later.
Now let's look at the build script starting up on Vercel. This build script polls Doppler to wait for the GitHub Action to finish. It then streams data from our development environment into a new database (on an existing Atlas cluster). What is a review app without data?
Now it's time to build our SvelteKit application. On Vercel we can't use the Doppler CLI, so we use the Doppler REST API to fetch the secrets from the newly created Doppler config.
Next, the script syncs MongoDB JSON validation schemas, indexes, and Atlas Search definitions to the newly created database. Finally, the build script runs any pending database migrations.
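The three pipeline steps above (derive a safe database name from the branch, wait for the branch config to appear, fetch its secrets over the Doppler REST API) can be written as a few small functions. The following is an added example and not 21RISK's own build script. The "review" prefix, the Doppler download endpoint and its query parameters, the DOPPLER_TOKEN and DOPPLER_CONFIG variable names, and the FNV-1a hash (a stand-in for whatever deterministic scheme 21RISK uses) are all assumptions; VERCEL_GIT_COMMIT_REF is a variable Vercel sets during builds. It needs no imports on Node 18+, where fetch and URL are globals.

```javascript
// Added example, not 21RISK's pipeline code. Assumed: the "review" prefix, the
// Doppler download endpoint and its parameters, DOPPLER_TOKEN / DOPPLER_CONFIG,
// and FNV-1a as the deterministic hash.

// MongoDB database names must be non-empty, shorter than 64 characters and free of
// / \ . " $ * < > : | ? and spaces. A branch such as "feature/login-page" violates
// that, so it is lowercased, slugged and suffixed with a short hash of the original
// name: the same branch always yields the same name, and two branches whose slugs
// collide still get distinct names.
const MAX_DB_NAME = 63;
const DB_NAME_PREFIX = "review";

function shortHash(str) {
  // 32-bit FNV-1a: deterministic and dependency-free; not a security primitive.
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

function safeDbName(branch, prefix = DB_NAME_PREFIX) {
  const hash = shortHash(branch);
  const room = MAX_DB_NAME - prefix.length - hash.length - 2; // two "-" separators
  const slug =
    branch.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") || "branch";
  return `${prefix}-${slug.slice(0, room).replace(/-+$/, "")}-${hash}`;
}

// The build must only ever read the config the GitHub Action created for *this*
// branch. Recomputing the name locally and comparing it with the fetched
// MONGO_DB_NAME catches a DOPPLER_CONFIG that points at another environment before
// any data is streamed into the wrong database.
function assertOwnConfig(secrets, branch) {
  const expected = safeDbName(branch);
  if (secrets.MONGO_DB_NAME !== expected) {
    throw new Error(`config belongs to another branch: got ${secrets.MONGO_DB_NAME}, expected ${expected}`);
  }
  return secrets;
}

// Fetcher for Doppler's secrets download endpoint (assumed path and parameters).
// A 404 means the Action has not created the branch config yet; anything else
// that is not 2xx is fatal.
function dopplerFetcher({ token, project, config, fetchImpl = globalThis.fetch }) {
  return async () => {
    const url = new URL("https://api.doppler.com/v3/configs/config/secrets/download");
    url.searchParams.set("project", project);
    url.searchParams.set("config", config);
    url.searchParams.set("format", "json");
    const res = await fetchImpl(url, { headers: { authorization: `Bearer ${token}` } });
    if (res.status === 404) return null;
    if (!res.ok) throw new Error(`Doppler responded ${res.status}`);
    return res.json();
  };
}

// Poll until the branch config exists and carries MONGO_DB_NAME, then give up: a
// build that cannot find its own config must fail rather than fall back to another
// environment's secrets. fetchSecrets and sleep are injectable so the loop can be
// exercised offline.
async function waitForConfig(
  fetchSecrets,
  { attempts = 30, delayMs = 5000, sleep = (ms) => new Promise((r) => setTimeout(r, ms)) } = {}
) {
  for (let i = 0; i < attempts; i++) {
    const secrets = await fetchSecrets();
    if (secrets && typeof secrets.MONGO_DB_NAME === "string" && secrets.MONGO_DB_NAME.length > 0) {
      return secrets;
    }
    await sleep(delayMs);
  }
  throw new Error(`Doppler branch config not ready after ${attempts} attempts`);
}

// On Vercel the build script would wire it up like this (names assumed, see above):
//   const branch = process.env.VERCEL_GIT_COMMIT_REF;
//   const fetchSecrets = dopplerFetcher({ token: process.env.DOPPLER_TOKEN,
//     project: "app", config: process.env.DOPPLER_CONFIG });
//   const secrets = assertOwnConfig(await waitForConfig(fetchSecrets), branch);
```

The token stored in Vercel only needs read access to the review configs; creating configs and writing MONGO_DB_NAME stays with the admin token that never leaves the GitHub Action, which is what keeps stage and production secrets out of the review builds.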
The end result is a review environment with features and benefits including:
The developer can play around with a new secrets configuration, because we are using a Doppler branch config.
The database is running in a MongoDB Atlas M10 cluster, so the development of Atlas Search indexes is also possible.
It's easy for the developer to connect to the dev cluster and access the correct database, because it uses the friendly branch name.
The developer can even serve the review environment locally, simply by running npm run dev -- <name-of-branch-config>.
All of this without exposing any stage/production secrets to the developer, as all sensitive operations are done in a GitHub Action.
When the pull request is closed, we run a simple GitHub Action to remove the Doppler config and the MongoDB database. If you are interested in more details or have any questions, you can always contact us here.