Is it prudent to save Firestore security rules in the public source control of the application code (Github)?
In addition what is the best way to deploy the security rules automatically when cloning the repository and installing the application for the first time (For an Open Source project purposes)? In my case it is an Android app built with Gradle in Android Studio.
The Firebase security rules may be considered slightly more sensitive than other source code found in your source code repository. That being said, it is ok to store them alongside the rest of the source for your application. If you have chosen to host your application's source code in a public repository, then you already have a certain comfort level with exposing the inner workings of your application.
An argument can be made that exposing how your Firebase resources are secured could help bad actors in finding loopholes and exploiting your application but the same can be said of the rest of your application's source code.
While there are advantages to store your security rules in your source repository (i.e. version control), you may want to consider configuring rules in the Firebase console. This will not work if you intend on setting up a continuous integration and deployment process.
You could also consider storing your security rules in a separate private repository and leverage the Firebase CLI to automate deployment from that private repository, for example:
cd ../my-project-security-rules
firebase --project my-project deploy --only firestore:rules
Your my-project-security-rules repository would need to include a slimmed down version of your firebase.json configuration file, for example:
{
"firestore": {
"rules": "firestore.rules",
"indexes": "firestore.indexes.json"
}
}
See https://firebase.google.com/docs/cli/#partial_deploys for more information about partial deploys via the Firebase CLI