When we first set up a Heroku pipeline using review apps, the best way to manage credentials wasn’t clear. Here’s what we came up with, which is working really well and gives us great flexibility.
The simple gist below pulls in the correct credentials for all pipeline stages shown above – without resorting to environment-dependent code.
Given that all credentials are in the environment-specific encrypted files, it is easy to override any credential using an environment variable. So both the review-app and staging can run with Rails production environment settings, AND the review-app can use Stripe test credentials while staging uses Stripe live credentials.
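The override order described above, as an added example (this is not the author's gist). The `CredentialResolver` class, the `STRIPE_SECRET_KEY`-style variable naming and the sample values are assumptions made for illustration, and a plain Hash stands in for the decrypted Rails credentials so the code runs without Rails.

```ruby
# Added illustration, not the author's gist. A plain Hash stands in for the
# decrypted Rails.application.credentials so the block runs without Rails.
class CredentialResolver
  class MissingCredential < KeyError; end

  def initialize(credentials, env = ENV)
    @credentials = credentials
    @env = env
  end

  # fetch(:stripe, :secret_key) checks ENV["STRIPE_SECRET_KEY"] first
  # (assumed naming convention), then the encrypted credentials.
  def fetch(*path)
    override = override_for(path)
    return override if override
    value = @credentials.dig(*path)
    return value unless value.nil?
    raise MissingCredential, "#{env_name(path)} unset and #{path.join('.')} absent from credentials"
  end

  # Where a value comes from, safe to log because it never includes the secret.
  def source(*path)
    return :env if override_for(path)
    @credentials.dig(*path).nil? ? :missing : :credentials_file
  end

  private

  def env_name(path)
    path.map { |part| part.to_s.upcase }.join("_")
  end

  # A blank config var counts as unset, so it cannot silently blank a secret.
  def override_for(path)
    value = @env[env_name(path)]
    value unless value.nil? || value.strip.empty?
  end
end

# Constructed sample values standing in for the production encrypted credentials
PRODUCTION_CREDENTIALS = { stripe: { secret_key: "live-key-CONSTRUCTED" } }.freeze

def stripe_key_for(env_vars)
  CredentialResolver.new(PRODUCTION_CREDENTIALS, env_vars).fetch(:stripe, :secret_key)
end

puts "staging:    #{stripe_key_for({})}"
puts "review app: #{stripe_key_for({ 'STRIPE_SECRET_KEY' => 'test-key-CONSTRUCTED' })}"
```

Logging `source` at boot shows which stage is running on an override without writing the secret itself to the log.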