
Is GitIgnore OK (API keys)?

pythonmegapixel

I'm writing an application which requires an API key. However, I also want to make this open source and push it to a public Git repository.

Obviously I don't want to give my API key out publicly.

 

My plan is to store the key in a file called secret.txt which will be read in at runtime, and add secret.txt to the .gitignore file before committing to the repo.

 

Is that a safe way of hiding it or do I need to do something more to make sure others can't get a hold of it?

____________________________________________________________________________________________________________________________________

 

 

____________________________________________________________________________________________________________________________________

pythonmegapixel

into tech, public transport and architecture // amateur programmer // youtuber // beginner photographer

Thanks for reading all this by the way!

By the way, my desktop is a docked laptop. Get over it, No seriously, I have an external monitor, keyboard, mouse, headset, ethernet and cooling fans all connected. Using it feels no different to a desktop, it works for several hours if the power goes out, and disconnecting just a few cables gives me something I can take on the go. There's enough power for all games I play and it even copes with basic (and some not-so-basic) video editing. Give it a go - you might just love it.


Normally you would save these in a .env file then load them into your environment before starting your application.

For Node I use env-cmd, for Python I use python-dotenv. You didn't say what language you are using, but this is a common pattern and there should be some module to help you out.

 

https://www.npmjs.com/package/env-cmd

https://pypi.org/project/python-dotenv/

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


1 minute ago, vorticalbox said:

> Normally you would save these in a .env file then load them into your environment before starting your application.
>
> For Node I use env-cmd, for Python I use python-dotenv. You didn't say what language you are using, but this is a common pattern and there should be some module to help you out.

This doesn't answer the question though. If I just put .env in the .gitignore file, is that sufficient security to prevent the key from accidentally reaching the public repository, or do I have to do something else?


3 minutes ago, pythonmegapixel said:

> This doesn't answer the question though. If I just put .env in the .gitignore file, is that sufficient security to prevent the key from accidentally reaching the public repository, or do I have to do something else?

yes.


You can still stage ignored files using the -f flag, something to keep in mind

🙂


So just covering some basics, files you are about to commit are called staged files, so when you do a `git commit -m "Hello world"` you will be creating a new change with the staged files.

 

Entries in the `.gitignore` file will prevent you from staging those files. So if you put `.env` file name in your `.gitignore` you won't stage it, however I can't speak for git gui tools and how they work, like @duncannah you can force stage a file.

 

Usually before I commit work I check what is staged, you can do this with `git status` so if you see your `.env` file is staged, then you can unstage the file with `git reset .env`.
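
The manual `git status` check described in the posts above can be automated with a pre-commit hook. This is an added example, not code from any poster in the thread: it looks at the index, so a file staged with `-f` is caught even when `.gitignore` lists it. The function names are hypothetical, the file names come from the thread, and treating `.env.example` as a committable template is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: pre-commit guard for secret files.
# File names (.env, .env.*, secret.txt) are taken from the posts above;
# treating .env.example as a committable template is an assumption.

# Read staged paths on stdin, one per line. Print each path whose file name
# looks like a secret file. Returns 1 if any were found, 0 if none.
find_staged_secrets() {
    found=0
    while IFS= read -r path; do
        case "${path##*/}" in
            .env.example) ;;                        # placeholder values only
            .env|.env.*|secret.txt) printf '%s\n' "$path"; found=1 ;;
        esac
    done
    return "$found"
}

# Warn when a secret file exists but git does not treat it as ignored
# (no matching .gitignore rule, or the file is already tracked).
warn_unignored() {
    for f in .env secret.txt; do
        if [ -e "$f" ] && ! git check-ignore -q "$f"; then
            echo "warning: $f is not ignored by git" >&2
        fi
    done
}

# Inspect the index, not the work tree, so a file staged with
# 'git add -f' is caught even though .gitignore lists it.
precommit_check() {
    leaked=$(git diff --cached --name-only --diff-filter=ACMR | find_staged_secrets) && return 0
    echo "Refusing to commit; secret file(s) are staged:" >&2
    printf '%s\n' "$leaked" | sed 's/^/  /' >&2
    echo "Unstage with: git reset <file>" >&2
    return 1
}

# Act only when installed as .git/hooks/pre-commit.
case "${0##*/}" in
    pre-commit) warn_unignored; precommit_check || exit 1 ;;
esac
```

Save it as `.git/hooks/pre-commit` and mark it executable. `git commit --no-verify` skips hooks, so this is a safety net on your own machine rather than an enforcement point.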
