How to push code to Github hiding the API keys?

You should consider using .env files and read the keys from the environmental variables. How to do so depends on the language and tools you use (for node.js, php, etc.).

You can exclude .env file from commits by adding .env to the .gitignore. You can also upload an example configuration .env.example with dummy data or blanks to show the schema your application requires.


You can add enviornment variables in your server to hide your API keys. All popular programming languages have default methods to acess the enviornment variables.


Any time you have files with sensitive data like

config.yml

you MUST NOT commit them to your repository. I'll show you an example.

Suppose you have a yaml file with some username and password:

# app/config/credentials.yml
credentials:
    username: foo
    password: bar

If you want to hide the foo and the bar values, remove this file from your repository, but add a distribution file that aims to maintain username and password fields, but without any real values:

# app/config/credentials.yml.dist
credentials:
    username: ~
    password: ~

During installation you can get this file by copying app/config/credentials.yml.dist to app/config/credentials.yml.

Also, remember to add app/config/credentials.yml to your .gitignore file.

Its the same with api keys:

# app/config/config.yml
config:
    credentials:
        username: foo
        password: bar
    api_stuffs:
        api_foo: fooooo
        api_secret: baaaaar
        api_token: tooooken

This works well for configuration files, and is a good pattern that saves you every time you need to share the structure of a configuration but not sensitive data. Init files, configurations and so on.