Tags: github, privacy, sensitive-data

How to make sure API tokens & passwords stay off github


I am considering publishing a project on github. It may contain sensitive data like API tokens, which I naturally do not want to be public. I would like to use the code locally with the correct tokens, passwords, etc., but only placeholders should go to the repository.

I could try to remember to remove this data every time before pushing (manually, automatically?), but then local and github copies are obviously different, and this seems error-prone anyhow.

What is good practice for this situation?


Solution

    EDIT: For anyone looking at this. Just saw this excellent answer, it is well worth reading:
    How can I save my secret keys and password securely in my version control system?

    ---Continue old answer---

    Great question. See this post for a good start: Accidental API Key Exposure is a Major Problem

    I generally try to keep all my api tokens in an external file.

    I exclude that file in .gitignore:

    ##################
    #Ignore API token#
    ##################
    token.txt
    

    Then I read the token from the file (working in python):

    #import token from token.txt file in same directory
    import os

    path = os.path.dirname(os.path.abspath(__file__))
    token_file = os.path.join(path, "token.txt")

    # open in text mode so the result is a str and .strip() removes the trailing newline
    with open(token_file, 'r') as f:
        token = f.read().strip()
    

    Since I never push the token file it never gets exposed.
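The approach above depends on the secrets file actually being ignored. The following is an added example (not code from the answer) that reads the token from the gitignored `token.txt`, refuses to run if that file exists but is not listed in `.gitignore`, and checks a set of files about to be committed for the literal token value; the function names, the `API_TOKEN` fallback variable and the simple `.gitignore` matching are assumptions.

```python
# Added example: load an API token from a gitignored file and fail closed if the
# file is not ignored. File names token.txt / .gitignore follow the answer above;
# function names and the API_TOKEN environment variable are assumed.
import os

SECRET_FILE = "token.txt"


def gitignore_covers(repo_dir, filename):
    """True if .gitignore in repo_dir lists filename, or a *.ext glob matching it.
    Deliberately conservative: only exact lines and simple extension globs count."""
    gitignore = os.path.join(repo_dir, ".gitignore")
    if not os.path.isfile(gitignore):
        return False
    with open(gitignore, "r", encoding="utf-8") as f:
        patterns = [ln.strip() for ln in f if ln.strip() and not ln.strip().startswith("#")]
    ext_glob = "*" + os.path.splitext(filename)[1]
    return filename in patterns or ext_glob in patterns


def load_token(repo_dir, filename=SECRET_FILE, env_var="API_TOKEN"):
    """Read the token from the ignored file, falling back to an environment variable.
    Raises RuntimeError if the secrets file exists but is not gitignored, so a
    forgotten .gitignore entry surfaces immediately instead of in a push."""
    secret_path = os.path.join(repo_dir, filename)
    if os.path.isfile(secret_path):
        if not gitignore_covers(repo_dir, filename):
            raise RuntimeError("%s exists but is not listed in .gitignore" % filename)
        with open(secret_path, "r", encoding="utf-8") as f:
            return f.read().strip()
    token = os.environ.get(env_var)
    if not token:
        raise RuntimeError("no %s found and %s is not set" % (filename, env_var))
    return token


def files_containing(token, paths):
    """Return the subset of paths whose contents contain the token literally.
    Meant as a last check over the files staged for a commit (e.g. from a hook)."""
    hits = []
    for p in paths:
        try:
            with open(p, "r", encoding="utf-8", errors="ignore") as f:
                if token in f.read():
                    hits.append(p)
        except OSError:
            pass  # unreadable or missing file: nothing to scan
    return hits
```

Run `files_containing(load_token("."), staged_files)` from a pre-commit hook and abort the commit when the list is non-empty.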