Vulnerability in EPiServer.Forms
I can't find any information for updating web.config settings when using the deployment API, so updating the SendGrid API username/password for instance.
I was doing this using the parameters.xml and a replace token task when using web deploy.
Can someone point me in the right direction for getting this set up when using the deployment API please, as this is deploying a nupkg which is basically a zip, and there doesn't seem to be the parameters.xml/setparameters.xml when using this method.
Do I in fact need to update the config as part of the package creation instead?
When you're deploying using the deployment API, the config transforms for your target environment will be run so, if you replace your values in the transforms (e.g. web.integration.config) rather than directly in web.config before building your package, the correct values should be applied when the package is deployed.
As Paul said above, you want the config transforms in the package you push. They will be applied against the root web.config; you can see the structure of the config files as shown here: https://world.episerver.com/documentation/developer-guides/digital-experience-platform/deploying/episerver-digital-experience-cloud-deployment-api/deploy-using-code-packages/code-packages/
So the steps should be
Thanks for the replies,
It's not the transforms as much as the replacement of secrets that are not in the code, which in the old process were done as part of the 'release' process. But it seems when using the deployment API these secret replacements need to happen as part of the 'pipeline' (build) instead. Which I guess means the package has the secrets already in the web.config (or transform files), rather than them being applied on deployment to the app service.
Just wanted to make sure there was no way to do this as part of the release when using the Deployment API - which seems a 'safer' place to do it... although only marginally I suppose.
No, there's no way of doing that in the deployment API. The 4 ways you can do this in a normal application would be
You are unlikely to be able to use 3 as Episerver don't usually allow you to change settings on the web app. Azure Key Vault is very popular for credential storage now. But if you don't want to use that, the best place would be Azure DevOps as you said; they would then, as stated, go into the NuGet package, so if someone had access they would get it.
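Added example, not part of the thread and not Episerver's own tooling: a build-step sketch of the approach the thread settles on, filling secret tokens in a transform file (such as web.integration.config) before the package is created. The `#{Name}#` token format, the appSettings key names and the sample values are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumed token format "#{Name}#"; adjust to whatever your replace-token step uses.
TOKEN = re.compile(r"#\{([A-Za-z0-9_.]+)\}#")

# Constructed transform file (e.g. web.integration.config); key names are hypothetical.
SAMPLE_TRANSFORM = """<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <appSettings>
    <add key="SendGridUserName" value="#{SendGridUserName}#"
         xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />
    <add key="SendGridPassword" value="#{SendGridPassword}#"
         xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />
  </appSettings>
</configuration>
"""


def fill_tokens(text, secrets):
    """Replace every token with its secret, XML-escaped for an attribute value."""
    missing = sorted({m.group(1) for m in TOKEN.finditer(text)} - set(secrets))
    if missing:
        # Fail the build rather than ship a config with a literal token in it.
        raise KeyError("no value supplied for: " + ", ".join(missing))
    filled = TOKEN.sub(lambda m: escape(secrets[m.group(1)], {'"': "&quot;"}), text)
    ET.fromstring(filled)  # raises ParseError if the result is not well-formed XML
    return filled


def appsettings(xml_text):
    """Parse the config back and return its appSettings as a dict."""
    return {e.get("key"): e.get("value") for e in ET.fromstring(xml_text).iter("add")}


if __name__ == "__main__":
    # Constructed values; in a pipeline these would come from secret variables.
    demo = {"SendGridUserName": "apikey", "SendGridPassword": 'p&ss"w<rd'}
    filled = fill_tokens(SAMPLE_TRANSFORM, demo)
    # Print key names only, so the secret values never reach the build log.
    print(sorted(appsettings(filled)))
```

As the last reply notes, the filled file ends up inside the package, so access to the build artifact and package feed needs the same restrictions as the secrets themselves.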