How do you handle sensitive data in a public git repo?

自古美人都是妖i 提交于 2019-11-28 21:17:09

Try to use .gitattributes for path with configured encryption/decryption filter:

*secure.yml filter=crypt

And in the .git/config add the configuration for crypt filter:

[filter "crypt"]
    clean = openssl enc ...
    smudge = openssl enc -d ...
    required

Arguably you shouldn't hardcode these properties into your source, since an administrator will want the option to change them on a given system. If these properties are in a properties file (e.g. in your home directory) the problem is solved.

For users that might run into trouble you can check in a defaults file that they can copy to their home folder and modify. If the error messages and README are clear on the subject of missing this particular file this setup will work quite well.

simont

The best solution would be a private git submodule and a public git repository.

See this quesiton for more information; a nice quote for you:

When you exclude or ignore you are just keeping files from being added to your repository. none of the 'sensitive files' files are even in the repository, just in your working directory.

If someone need for their Android project, there is the simplest way I find:

step 1: create: res/values/secrets.xml with:

<!-- Inside of `res/values/secrets.xml` -->
<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="parse_application_id">xxxxxx</string>
    <string name="parse_client_secret">yyyyyy</string>
    <string name="google_maps_api_key">zzzzzz</string>
</resources>

step 2: use it in code or xml file

getString(R.string.parse_application_id),
getString(R.string.parse_client_secret)

or

<meta-data
    android:name="com.google.android.maps.v2.API_KEY"
    android:value="@string/google_maps_api_key"/>

step 3: add this line into .gitignore file

 **/*/res/values/secrets.xml

here is the full article

The "default" secret information file is a good idea, however, there is no way to avoid the git warnings, even if you ignore the file. From the github help page:

git will not ignore a file that was already tracked before a rule was added to this file to ignore it. In such a case the file must be un-tracked, usually with git rm --cached filename

Therefore, adding a "dummy" or "default" file and then ignoring it won't prevent warnings. While the approach will work, it will be inconvenient as you will always have to manually exclude the sensitive file from every commit.

Untracking the file removes it from github, which defeats the purpose of having the file in the first place.

Perhaps the submodule suggestion will work.

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!