The previous answer by Shaun is very thorough.
Additionally I'd like to recommend to use .gitignore to your advantage to avoid ever committing files with sensitive information.
Any file containing API keys or passwords, etc. should be in .gitignore. Typically this includes:
database.yml
log/*
tmp/*
If you have API keys assigned to constants in code files, I'd recommend putting all the API keys, passwords, etc. into a site.yml file. Then add this file to .gitignore and add an initializer to parse this file into a constant. Use that constant to access the secret data.
For example:
config/site.yml:
hoptoad_api_key: ABCDEF1234567890
config/initializer/01_site.rb
SITE = HashWithIndifferentAccess.new(YAML.load(File.open(File.join(Rails.root, 'config', 'site.yml'))))
config/initializer/hoptoad.rb
HoptoadNotifier.configure do |config|
config.api_key = SITE['hoptoad_api_key']
end
Note that the initializers are run in alphabetical order. If you need the SITE constant in other initializers, be sure to name the file that reads the configuration with a leading number so that it gets run first.
To be more user friendly for an open source project, you should include a database.yml.sample and site.yml.sample file with examples and/or explain needed configurations in your README.
