Rollback

How Releases Work

Every ev push and ev promote creates an immutable release snapshot. A release contains:

The full set of secret key-value pairs at that point in time
Timestamp and author
An optional message (from ev push -m or ev rollback -m)
A unique release ID (shown in ev log)

No release is ever deleted. The full history is always available.

Rolling Back

There are three ways to identify the release to roll back to:

Interactive

Run ev rollback with no arguments to see recent releases and choose one:

ev rollback

  rel_a1b2c3d4  2024-01-15 14:32:01  alice@example.com  "add STRIPE_KEY"       12 secrets
  rel_9f8e7d6c  2024-01-14 09:11:44  bob@example.com    "initial push"         11 secrets
> rel_5a4b3c2d  2024-01-13 16:05:22  alice@example.com  —                      10 secrets

Roll back to rel_5a4b3c2d? [y/N]

Relative Offset

Use ~N to go back N releases from the current latest:

ev rollback ~1    # one release back
ev rollback ~3    # three releases back

Partial Release ID

Copy a release ID from ev log — you only need enough characters for a unique match:

ev rollback 5a4b3c

What Rollback Does

Fetches the target release from the server
Creates a new release with the target release's secrets as the contents
Records who performed the rollback and when
Leaves all intermediate releases intact — nothing is deleted

The server is now at the rolled-back state. Your local .env is not changed automatically.

After Rollback

Run ev pull to update your local .env to match the new server state:

ev rollback ~1
ev pull

Limitations for External Backends

When using AWS Secrets Manager as a backend, ev rollback is not supported. AWS SM has its own versioning system (AWSPREVIOUS and version stages) that you can use instead.

# AWS CLI equivalent
aws secretsmanager get-secret-value \
  --secret-id /myapp/prod/DATABASE_URL \
  --version-stage AWSPREVIOUS

For full rollback support including the ev rollback command, use ev's default encrypted backend.

Rollback

On this page