I’d suggest reading this article that goes into extensive details on best practices with environment variables:
But, TL;DR, I wouldn’t use dotenv at all - I’d be using JavaScript (during build!) to fetch from the env var you have set in the Netlify UI. Saner to put sensitive values in our UI than in your repo (where anyone who gets access to your code can find them).
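A sketch of the build-time approach described above, as an added example that is not part of the original post: a Node build script reads the variables Netlify exposes to the build through `process.env`, fails the build when one is missing, and never prints a value. The variable names `API_TOKEN` and `API_BASE_URL` and the sample values are assumptions made up for illustration.

```javascript
'use strict';

// Added example, not the poster's code. Variable names are hypothetical.
// Values set in the Netlify UI reach the build as process.env entries,
// so no .env file has to exist in the repository.
function loadBuildEnv(required, env = process.env) {
  const missing = required.filter((name) => {
    const value = env[name];
    return typeof value !== 'string' || value.trim() === '';
  });
  if (missing.length > 0) {
    // Report names only; a value must never end up in the build log.
    throw new Error(`Missing build environment variables: ${missing.join(', ')}`);
  }
  // Copy only what was asked for, so unrelated variables are not carried along.
  const config = {};
  for (const name of required) {
    config[name] = env[name];
  }
  return Object.freeze(config);
}

// Log-safe view of a config: shows which variables are set, not their values.
function redact(config) {
  return Object.fromEntries(Object.keys(config).map((name) => [name, '[set]']));
}

// Constructed sample environment so the example runs offline.
// In a real build, call loadBuildEnv([...]) and let it read process.env.
const sampleEnv = {
  API_TOKEN: 'constructed-sample-token',
  API_BASE_URL: 'https://api.example.test',
  UNRELATED: 'ignored',
};
const buildConfig = loadBuildEnv(['API_TOKEN', 'API_BASE_URL'], sampleEnv);
console.log('build env:', redact(buildConfig));
```

Anything this script writes into files that ship to the browser becomes public, so keep secret values in build-side or server-side code only.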