By using dotenv, I can ignore the development .env file before pushing to the git repository, which complies with the config factor of The Twelve-Factor App. It prevents the configuration from being exposed to others, especially in an open source project.
But I am stuck when deploying to production, either using cloud deployment or using docker.
How can I include this file? Should I save the file into Vault or something?
Please help me understand how I can secure my deployment environment.
You don't. The server environment (docker or otherwise) needs to be configured with its own environment variables, not the development ones. Any that will be the same in both you configure as default values for the application so that they have that value even if the variable isn't set.
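
One way to apply this advice, as an added example that is not part of the original posts: a config loader that gives shared, non-secret settings a default and refuses to start when a per-environment secret is missing. It assumes a Node.js application; the variable names, defaults and sample values are hypothetical.

```javascript
// Added example: every name, default and sample value here is constructed.

// Settings that are the same in development and production get a default,
// so they have a value even when the variable is not set.
const DEFAULTS = {
  PORT: "3000",
  LOG_LEVEL: "info",
};

// Secrets and per-environment values have no default. The host must set them
// (for example docker run -e / --env-file, or the cloud provider's settings).
const REQUIRED = ["DATABASE_URL", "SESSION_SECRET"];

function loadConfig(env = process.env) {
  const config = {};

  for (const [name, fallback] of Object.entries(DEFAULTS)) {
    const value = env[name];
    // Treat an empty string like an unset variable.
    config[name] = value === undefined || value === "" ? fallback : value;
  }

  // Fail fast, and report variable names only, never their values.
  const missing = REQUIRED.filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(
      `Missing required environment variables: ${missing.join(", ")}`
    );
  }
  for (const name of REQUIRED) {
    config[name] = env[name];
  }

  return Object.freeze(config);
}

// Constructed production-like environment: only the secrets and one override
// are set by the host, the rest comes from DEFAULTS.
const sampleProductionEnv = {
  DATABASE_URL: "postgres://db.example.internal/app",
  SESSION_SECRET: "constructed-sample-value",
  LOG_LEVEL: "warn",
};

const sampleConfig = loadConfig(sampleProductionEnv);
console.log(sampleConfig.PORT, sampleConfig.LOG_LEVEL);
```

In development, a dotenv file can populate `process.env` before `loadConfig()` is called; in production the same call reads whatever the server environment provides.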