We want CI/CD to inject the production connection string into a .NET Framework app.config during deployment.
- In source control, we only want test/staging DB connection strings.
- Developers should still be able to debug locally with test/staging DBs.
- At deployment, the CI/CD pipeline should replace the connection string with the production one (stored in GitHub Secrets).
Question:
What’s the recommended way to update or override app.config connection strings in a GitHub Actions workflow for a .NET Framework application?
Comments:
- Does this work: github.com/marketplace/actions/json-file-transform – Ewan, commented Aug 28 at 10:34
- Oh sorry, if you are still on XML: github.com/marketplace/actions/… – Ewan, commented Aug 28 at 10:37
- There's an alternative approach: only inject a secret name, and have the app fetch that secret from some centralized provider (AWS Secrets Manager / TF Vault / GCP Secret Manager / ...). – STerliakov, commented Aug 28 at 18:05
1 Answer
I think the modern way of doing this is not to do it at all.
I.e., in your config you use a DNS entry like "database" or "api", then you deploy to containers with hostnames matching the DNS or other fake DNS setup, using the user the app runs under for access control.
You can also allow env variables to override the file settings, then set those on your prod/dev machines accordingly.
The idea is to keep connection strings and other secrets out of source control, and build pipelines, completely. Even if they are just dev ones.
There is an argument that you even want to keep this kind of thing out of deployment pipelines as well as build. The idea being that you might want the DB password to be automatically rotated without a deployment of the code.
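
The environment-variable override described in this answer, as an added C# example that is not part of the original answer: the app prefers a machine-level environment variable and falls back to the test/staging entry in app.config, and it logs only a redacted form of the value. The `CONNSTR_` prefix, the class name and the `MainDb` entry name are assumptions made for illustration.

```csharp
using System;
using System.Configuration;   // requires a reference to System.Configuration.dll
using System.Data.Common;

public static class ConnectionStringResolver
{
    // Hypothetical convention: the app.config entry "MainDb" is overridden
    // by the environment variable CONNSTR_MAINDB when that variable is set.
    private const string EnvPrefix = "CONNSTR_";

    public static string Resolve(string name)
    {
        string envName = EnvPrefix + name.ToUpperInvariant();
        string value = Environment.GetEnvironmentVariable(envName);
        string source = "environment variable " + envName;

        if (string.IsNullOrWhiteSpace(value))
        {
            // No override on this machine: use the test/staging entry from app.config.
            ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[name];
            if (entry == null)
                throw new ConfigurationErrorsException(
                    "No connection string '" + name + "' in app.config and " +
                    envName + " is not set.");
            value = entry.ConnectionString;
            source = "app.config";
        }

        // Record where the value came from, never the secret itself.
        Console.WriteLine("Connection '{0}' loaded from {1}: {2}",
                          name, source, Redact(value));
        return value;
    }

    // Returns the connection string with password keywords removed, for logging.
    public static string Redact(string connectionString)
    {
        var builder = new DbConnectionStringBuilder();
        try { builder.ConnectionString = connectionString; }
        catch (ArgumentException) { return "<unparseable, not logged>"; }

        // The generic builder does not map synonyms, so remove both spellings.
        foreach (string key in new[] { "Password", "Pwd" })
            builder.Remove(key);
        return builder.ConnectionString;
    }
}
```

Call `ConnectionStringResolver.Resolve("MainDb")` wherever the code currently reads `ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString`; developers with no override set keep getting the entry from source control.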