
How do I have secrets in my public repo? I did some research and it looks like I can't.

I know it might not be secure; yeah, vibecoding is cool but we shouldn't do something unless we understand it, etc. Thanks, but these disclaimers get old quick. Maybe we should be reminded frequently, for we are stupid, but I don't work at a nuclear power plant.

https://linustechtips.com/topic/1626920-github-environment-variables/

1 hour ago, Skipple said:

Huh? Can you please be a bit more explicit about what you are trying to do or what the issue is? 

Environment variables should not be stored on GitHub, especially in a public repo. 

Yeah, that's the thing. So I vibecoded a web app and it uses a Firebase database, and I don't want random people eating up my quota, so I hardcoded a passcode, but I host this on GitHub Pages so it must be public. You might say ditch GitHub Pages, but people probably won't come across my site, so it is OK for this project; however, it is surprising there doesn't seem to be a way to do this securely.


46 minutes ago, apoyusiken said:

Yeah, that's the thing. So I vibecoded a web app and it uses a Firebase database, and I don't want random people eating up my quota, so I hardcoded a passcode, but I host this on GitHub Pages so it must be public. You might say ditch GitHub Pages, but people probably won't come across my site, so it is OK for this project; however, it is surprising there doesn't seem to be a way to do this securely.

No, there isn't, because this isn't what GitHub Pages is meant for. It's made for static web pages, not something that is going to reach out externally. This is the issue with vibecoding your way when you don't know why you are doing what you are doing. This is exacerbated when it comes to security and backend architecture.

 

Host your core code, minus the environment variables, on GitHub. Stand up a containerized environment (or environments) and define your environment variables in your compose document. Register a domain, point it to your newly created site, and link to your live site in the README.md.

 

What's the need for Firebase, rather than a simple Postgres instance?

 

Edit: some words to the wise: It's fine to vibe-code your way. I do it frequently. However, you should have not only an understanding of what your system is doing, but a complete understanding of why you are doing it this way. When you don't have a full and complete understanding of something, or of why you are doing something one way and not another, do research. Gain an understanding. Learn something. Otherwise, you are no better than a bad project manager without technical expertise writing requirements and moving items on a Jira board to Done.

ask me about my homelab


Thanks, your advice is profound actually, and I follow it though I don't know why 🤣. I just can't accept something before I understand how it works; I had trouble learning logarithms because my teacher didn't care to explain the mechanism.

 

But yeah, I know what I'm doing, bro. I guess I should edit my profile.

 

If GitHub doesn't have environment variables, how do you sync them?

 

 


2 minutes ago, apoyusiken said:

If GitHub doesn't have environment variables, how do you sync them?

I'm not understanding what you mean by 'sync them'. Environment variables are, by nature, unique to each deployment of the application and should not be included in your git repo. So, if I wanted to run your application on my own, I should be able to do so by cloning your repo, hosting it myself, and supplying my own parameters to the container (via docker compose, for instance).

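The pattern Skipple describes in the two posts above (the code lives in the repository, each deployment supplies its own values through the container environment, and nothing secret is committed), as an added example in Node.js. This is editorial illustration, not code from either poster; the variable names, the Postgres URL format (chosen to match the "simple Postgres instance" suggestion) and the compose fragment in the comments are assumptions.

```javascript
// Added example, not from the thread. The repository holds only this code; the
// values it needs arrive through the environment of the running container.
//
// Assumed compose fragment (hypothetical service and variable names):
//   services:
//     app:
//       build: .
//       environment:
//         DB_HOST: db
//         DB_PORT: "5432"
//         DB_USER: app
//         DB_PASSWORD: ${DB_PASSWORD}   # read by compose from an untracked .env file
//
// with `.env` listed in .gitignore, so the password exists only on the host that
// runs the deployment and never in the public repo.

const REQUIRED = ['DB_HOST', 'DB_PORT', 'DB_USER', 'DB_PASSWORD'];
const SECRET_FIELDS = new Set(['password']);

// Read one deployment's configuration. `env` defaults to process.env; passing an
// object instead lets the loader be exercised without touching the real environment.
function loadConfig(env = process.env) {
  const missing = REQUIRED.filter((name) => !env[name] || env[name].trim() === '');
  if (missing.length > 0) {
    // Fail closed: refuse to start rather than fall back to an empty password
    // or a default baked into the source.
    throw new Error(`missing required environment variables: ${missing.join(', ')}`);
  }
  const port = Number(env.DB_PORT);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`DB_PORT must be a TCP port, got ${JSON.stringify(env.DB_PORT)}`);
  }
  return { host: env.DB_HOST, port, user: env.DB_USER, password: env.DB_PASSWORD };
}

// Copy of the config that is safe to log or put in a crash report. Secret fields
// become a fixed marker; no prefix or length is kept, since either would leak.
function redacted(config) {
  const safe = {};
  for (const [field, value] of Object.entries(config)) {
    safe[field] = SECRET_FIELDS.has(field) ? '[REDACTED]' : value;
  }
  return safe;
}

// Assemble the Postgres URL in memory only. Credentials are percent-encoded so a
// password containing '@', '/' or ':' cannot change the meaning of the URL.
function connectionString(config) {
  const { host, port, user, password } = config;
  return `postgres://${encodeURIComponent(user)}:${encodeURIComponent(password)}@${host}:${port}/app`;
}

// Constructed stand-in for what compose would inject into the container.
const SAMPLE_ENV = { DB_HOST: 'db', DB_PORT: '5432', DB_USER: 'app', DB_PASSWORD: 'not-in-git' };
console.log('starting with', redacted(loadConfig(SAMPLE_ENV)));
```

Anyone who clones the repo runs the same code with their own `.env`; the check in `loadConfig` is what turns "I forgot to set the password on this host" into an immediate startup failure instead of a silent connection attempt with empty credentials.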

1 minute ago, Skipple said:

I'm not understanding what you mean by 'sync them'. Environment variables are, by nature, unique to each deployment of the application and should not be included in your git repo. So, if I wanted to run your application on my own, I should be able to do so by cloning your repo, hosting it myself, and supplying my own parameters to the container (via docker compose, for instance).

Suppose you and I are developing an app and we have an API key. We might manually set that up, but what if the team was larger?


2 minutes ago, apoyusiken said:

Suppose you and I are developing an app and we have an API key. We might manually set that up, but what if the team was larger?

Highly dependent on the organization, but there are tools out there specifically for this purpose, such as AWS Secrets Manager or HashiCorp Vault. In my organization we use a combination of Secrets Manager and CyberArk.


2 minutes ago, Skipple said:

Highly dependent on the organization, but there are tools out there specifically for this purpose, such as AWS Secrets Manager or HashiCorp Vault. In my organization we use a combination of Secrets Manager and CyberArk.

Yeah, GitHub should do this too, basically.

 

 


4 minutes ago, apoyusiken said:

Yeah, GitHub should do this too, basically.

No, it shouldn't. GitHub is a code repository, not a hosting platform. You seem to be conflating the two.

Git is not a server where your code executes. It is a place for your code to live and a way for it to be maintained.


20 minutes ago, apoyusiken said:

Yeah, GitHub should do this too, basically.

To be perfectly clear, GitHub does have Actions, which is a CI/CD pipeline engine, and that does have secret management integrated. (I personally have never used it, but I know that it exists.) However, that's an entirely separate side of GitHub, totally unrelated to GitHub Pages.


1 hour ago, Skipple said:

No, it shouldn't. GitHub is a code repository, not a hosting platform. You seem to be conflating the two.

Git is not a server where your code executes. It is a place for your code to live and a way for it to be maintained.

Well, still, GitHub builds many tools and could build one to transfer secrets, if not to host.

 

So you wanna tell me about your homelab? (Probably I need one 😅)


33 minutes ago, apoyusiken said:

So you wanna tell me about your homelab? (Probably I need one 😅)

Well, I will tell you about the piece of it that's relevant to you: my main server.

 

I have a Supermicro X9DRi-LN4+ with dual Xeon E5 v2 (I can't remember the exact variant, but they are old...), 96 GB of DDR3 ECC, 81 TB of spinning disks, and a 500 GB M.2 SSD for cache.

I run Unraid on the system with one of the 18 TB drives as parity. (This leaves me with 63 TB of total storage.)

I primarily use the server as my family's NAS and also as the Plex machine for my friends and extended family.

 

In addition, I run many other microservices on the device itself via Docker containers.

Here's an example of one that may be relevant to you: I have a Slack bot that I built myself for an online OOTP baseball league that I'm a part of. This bot takes commands from slash commands on Slack, calls external APIs, and stores data in a database. This database is instantiated as another container on the server. When my Slack bot container is built, environment variables are passed via docker compose with information such as the IP, port, and credentials that point to the database.

 

This way, I could, in theory, make my GitHub Slack bot code public (I don't; it's a private repo), build the image to Docker Hub, fetch the image from my container handler, and only then pass the secrets via my compose information.

 

Oh, and every HTTP call from outside my network gets routed through a reverse proxy (Nginx Proxy Manager), also in a container, which then routes the traffic to the appropriate location based on domain and subdomain.

 

I'm currently running 28 services via Docker, 2 VMs (a Minecraft server, etc.), and the traditional handful of shares, all off a 2U box that's currently in my rack next to my desk.


That's super cool, so you don't need a GPU?

 

Is the Plex accessible outside the local network then?

 

Bro, no offense, you are an expert at tech as far as I see and I'm a young enthusiast; I think it is hard for you to realize my ways aren't so wrong after all 😅

 

You didn't mention the OS?

 

I don't get why people do not just host MC servers on their own computers, can you explain?

 

Running a homelab sounds good, but I never found good uses for it. (Don't roast me for using GitHub Pages instead 🤣)


55 minutes ago, apoyusiken said:

That's super cool, so you don't need a GPU?

A GPU is really only needed for transcoding, which I don't currently do.

55 minutes ago, apoyusiken said:

Is the Plex accessible outside the local network then?

It is.

55 minutes ago, apoyusiken said:

You didn't mention the OS?

Unraid is the operating system.

55 minutes ago, apoyusiken said:

I don't get why people do not just host MC servers on their own computers, can you explain?

I mean, a server is a computer. It's just a computer that serves things.

55 minutes ago, apoyusiken said:

You are an expert at tech as far as I see and I'm a young enthusiast. I think it is hard for you to realize my ways aren't so wrong after all.

I appreciate the compliment, but I'm not sure what you are getting at here. Your original post was questioning how to safely enter environment variables and host your site on GitHub Pages. That's simply not possible or secure for what you are trying to do. I'm trying to steer you in the correct direction. What you do with that is up to you.

 

Listen, what you are doing is the best way to learn. Build something, try something new, break something, learn what you did wrong and fix it. Get at it, kid.


8 hours ago, Skipple said:

 

I mean, a server is a computer. It's just a computer that serves things.

 

I mean, people have computers and still pay for MC servers; I don't get the benefit. This was on my mind for some time actually 😅.

 

8 hours ago, Skipple said:

I appreciate the compliment, but I'm not sure what you are getting at here. Your original post was questioning how to safely enter environment variables and host your site on GitHub Pages. That's simply not possible or secure for what you are trying to do. I'm trying to steer you in the correct direction. What you do with that is up to you.

What I'm getting at is, if I asked you 100 times you would tell me to be secure 100 times, which makes complete sense, because why would you like to have your head hurt. However, in this case the risk is so low, and so are the odds, that it's just completely OK. I vibecoded another app which uses the Gemini API and I directly host that with Firebase; I don't want to run out of my Gemini quota at all. Also, you know you can never be secure, only more secure than others.

 

Also, I figure I can easily make this secure with hashing?
