I am considering publishing a project on GitHub. It may contain sensitive data like API tokens, which I naturally do not want to be public. I would like to use the code locally with correct tokens, passwords, etc., but only placeholders should go to the repository.
I could try to remember to remove this data every time before pushing (manually, automatically?), but then local and GitHub copies are obviously different, and this seems error-prone anyhow.
What is good practice for this situation?
EDIT: For anyone looking at this. Just saw this excellent answer, it is well worth reading:
How can I save my secret keys and password securely in my version control system?
---Continue old answer---
Great question. See this post for a good start: Accidental API Key Exposure is a Major Problem
I generally try to keep all my API tokens in an external file.
I exclude that file in .gitignore:
##################
#Ignore API token#
##################
token.txt
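Then I read the token from the file (working in Python):
import os

# Import token from token.txt file in the same directory as this script
path = os.path.dirname(os.path.abspath(__file__))
token_file = os.path.join(path, "token.txt")
# Open in text mode so the str-based replace() also works on Python 3
with open(token_file, 'r') as f:
    token = f.read().replace('\n', '')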
Since I never push the token file it never gets exposed.
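A fuller version of the loader described in the answer above, as an added example that is not part of the original answer: it prefers an environment variable, falls back to the ignored token.txt, and refuses a missing, placeholder or over-permissive file. The names `API_TOKEN`, `PLACEHOLDER`, `TokenError`, `load_token` and `listed_in_gitignore` are assumptions made for illustration.

```python
import os
import stat
from pathlib import Path

PLACEHOLDER = "YOUR_API_TOKEN_HERE"  # constructed value for a committed template


class TokenError(RuntimeError):
    """No usable token could be loaded."""


def load_token(directory, filename="token.txt", env_var="API_TOKEN"):
    """Return the token from env_var if set, else from directory/filename."""
    # Assumption: API_TOKEN is a hypothetical variable name, not from the post.
    value = os.environ.get(env_var, "").strip()
    source = env_var
    if not value:
        token_file = Path(directory) / filename
        if not token_file.is_file():
            raise TokenError(f"{token_file} not found and {env_var} is not set")
        # On POSIX, refuse a token file that group or other users can read.
        mode = token_file.stat().st_mode
        if os.name == "posix" and mode & (stat.S_IRGRP | stat.S_IROTH):
            raise TokenError(f"{token_file} is group/world readable (chmod 600)")
        # Text mode plus strip() drops the trailing newline editors add.
        value = token_file.read_text(encoding="utf-8").strip()
        source = str(token_file)
    if not value or value == PLACEHOLDER:
        raise TokenError(f"{source} is empty or still holds the placeholder")
    return value


def listed_in_gitignore(directory, filename="token.txt"):
    """Simplified check: is filename a literal .gitignore entry?

    Globs and negations are not evaluated; `git check-ignore` is authoritative.
    """
    gitignore = Path(directory) / ".gitignore"
    if not gitignore.is_file():
        return False
    entries = set()
    for line in gitignore.read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line.lstrip("/"))
    return filename in entries
```

Calling `listed_in_gitignore` at startup, before `load_token`, catches the case where token.txt exists locally but was never added to .gitignore.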