What I've done in the past in this scenario is use a combination of SlowCheetah and ReplaceTokens.
With SlowCheetah, you can create different app.config files for the different environments. It might not be necessary to create different app.config files for the different environments, but I mostly do it because it makes it easier to separate executing the application locally and in production.
With the ReplaceTokens task in an Azure Release pipeline, you can replace certain tokens in an app.config (or other configuration files) with variables that are defined in the Release pipeline itself.
I understand your concern about protecting sensitive data like usernames and passwords; the Azure Release pipelines support 'hidden variables', so you can hide your sensitive data; just mark these variables as 'hidden' by clicking on the picture of the key lock at the right of the value box.
For a really secure application you might use the Azure KeyVault, but that might be too complex a solution for this.
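
A check that could run in the build before the release stage, as an added example that is not part of the original answer: it flags sensitive settings in a committed app.config that hold a literal instead of a token, and mimics the substitution locally so unresolved tokens and XML-breaking characters are caught. The `#{Name}#` delimiters, the setting names and the sample config are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumption: tokens in app.config are written as #{VariableName}#.
TOKEN = re.compile(r"#\{\s*([\w.\-]+)\s*\}#")
# Setting names and connection-string parts treated as sensitive (hypothetical list).
SENSITIVE_KEY = re.compile(r"password|secret|username|apikey", re.I)
SENSITIVE_PART = re.compile(r"(password|pwd|user\s*id|uid)\s*=\s*([^;]*)", re.I)

# Constructed sample: one hard-coded password and one hard-coded user id.
SAMPLE = """<configuration>
  <appSettings>
    <add key="ServiceUsername" value="#{ServiceUsername}#" />
    <add key="ServicePassword" value="Summer2020!" />
  </appSettings>
  <connectionStrings>
    <add name="Db" connectionString="Server=#{DbServer}#;User Id=app;Password=#{DbPassword}#" />
  </connectionStrings>
</configuration>"""

def audit_template(xml_text):
    """List sensitive settings whose committed value is a literal, not a token."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        key = add.get("key") or add.get("name") or ""
        value = add.get("value") or add.get("connectionString") or ""
        if SENSITIVE_KEY.search(key) and not TOKEN.fullmatch(value.strip()):
            findings.append(key)
        for part in SENSITIVE_PART.finditer(value):
            if not TOKEN.fullmatch(part.group(2).strip()):
                findings.append(f"{key}:{part.group(1)}")
    return findings

def replace_tokens(xml_text, variables):
    """Local stand-in for release-time substitution; returns (text, missing names)."""
    missing = []
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            missing.append(name)      # leave the token in place and report it
            return match.group(0)
        # Escape so a value containing & or " cannot corrupt the XML attribute.
        return escape(variables[name], {'"': "&quot;"})
    return TOKEN.sub(substitute, xml_text), missing

if __name__ == "__main__":
    print("literal secrets in template:", audit_template(SAMPLE))
    print("unresolved tokens:", replace_tokens(SAMPLE, {"DbServer": "sql01"})[1])
```

Failing the build when either list is non-empty keeps literal credentials out of source control and stops a release from shipping a config that still contains tokens.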