gitversion-controlversioning

What is best practice for keeping secrets out of a git repository?


Problem

Consider this file tree as my development repository.

 - foo/
   - .git/
     - [...]
   - bar/
     - backupclient.py
   - supersecretstoragecredentials.ini

For development, supersecretstoragecredentials.ini needs to be filled in with valid credentials - while I still have to keep a clean version of it in the repository so that other users can easily set their credentials.

Possible solutions

  1. .gitignore supersecretstoragecredentials.ini and create a supersecretstoragecredentials.ini-example,
    1. instruct the user to copy supersecretstoragecredentials.ini-example to supersecretstoragecredentials.ini.
  2. Add an overriding config file location in backup.py which is ignored by git, e.g. supersecretstoragecredentials_local.ini.

As kan pointed out, these two solutions are similar but not entirely the same, workflow-wise.

are there any other alternatives? Does git possess some kind of functionality to assist with this kind issues?


Solution

  • Check in the supersecretstoragecredentials.ini file with some placeholder values and then

    git update-index --assume-unchanged supersecretstoragecredentials.ini
    

    Git will not track future changes to this file.

    You can reset this using

    git update-index --no-assume-unchanged supersecretstoragecredentials.ini