How to push code to Github hiding the API keys?
You should consider using .env files and read the keys from the environmental variables. How to do so depends on the language and tools you use (for node.js, php, etc.).
You can exclude the .env file from commits by adding .env to the .gitignore. You can also upload an example configuration .env.example with dummy data or blanks to show the schema your application requires.
You can add environment variables in your server to hide your API keys. All popular programming languages have default methods to access the environment variables.
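One way to consume the .env / .env.example pair described above, shown as an added example that is not part of the original answers. The function names, the keys API_KEY and API_SECRET, and all sample values are constructed for illustration; letting the server's environment take precedence over the local .env file is an assumption.

```python
import os
import tempfile
from pathlib import Path


def parse_env_file(path):
    """Parse KEY=VALUE lines; skip blanks and # comments; unquote values."""
    values = {}
    for raw in Path(path).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def load_settings(env_path, example_path, environ=None):
    """Resolve every key named in .env.example from environ first, then .env.
    Raises RuntimeError naming (never printing the value of) any key that is
    unset, empty, or still equal to the dummy committed in .env.example.
    """
    environ = os.environ if environ is None else environ
    schema = parse_env_file(example_path)
    local = parse_env_file(env_path) if Path(env_path).exists() else {}
    settings, problems = {}, []
    for key, dummy in schema.items():
        value = environ.get(key) or local.get(key, "")
        if not value:
            problems.append(f"{key}: not set")
        elif dummy and value == dummy:
            problems.append(f"{key}: still the example placeholder")
        else:
            settings[key] = value
    if problems:
        raise RuntimeError("configuration incomplete: " + "; ".join(problems))
    return settings


def demo():
    """Constructed sample files; key names and values are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        example, env = Path(tmp, ".env.example"), Path(tmp, ".env")
        example.write_text("API_KEY=changeme\nAPI_SECRET=\n")
        env.write_text("# local only, in .gitignore\nAPI_KEY='k-123'\nAPI_SECRET=s-456\n")
        return load_settings(env, example, environ={"API_SECRET": "from-server"})
```

Calling load_settings at startup makes a forgotten or placeholder key fail fast, with an error that lists key names only.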
Any time you have files with sensitive data like config.yml you MUST NOT commit them to your repository. I'll show you an example.
Suppose you have a yaml file with some username and password:
# app/config/credentials.yml
credentials:
  username: foo
  password: bar
If you want to hide the foo and the bar values, remove this file from your repository, but add a distribution file that aims to maintain username and password fields, but without any real values:
# app/config/credentials.yml.dist
credentials:
  username: ~
  password: ~
During installation you can get this file by copying app/config/credentials.yml.dist to app/config/credentials.yml.
Also, remember to add app/config/credentials.yml to your .gitignore file.
It's the same with API keys:
# app/config/config.yml
config:
  credentials:
    username: foo
    password: bar
  api_stuffs:
    api_foo: fooooo
    api_secret: baaaaar
    api_token: tooooken
This works well for configuration files, and is a good pattern that saves you every time you need to share the structure of a configuration but not sensitive data. Init files, configurations and so on.