How do I hide a file from a single remote repo in git?
-
14-03-2021 - |
Question
I've got a project I'd like to start sharing on github which I'd set up as another remote repo. But I've got some sensitive configuration information (amazon s3 account details) that I don't want to obviously share on github.
Is there a way I can get the remote github repos to ignore the settings file, but have the local and other remote repos work with it?
EDIT - reopening this question to see if there are any other distributed source control systems (mercurial? bazaar? etc) that can do this?
Solution
Mercurial works the same as Git and you've already gotten good recommendations for that. However, you can setup an encode filter that will remove the password from the file in the repository.
The idea is that you version a file with
username =
password =
but have a file with filled in values locally. Mercurial will ignore the values when you run hg status
and hg diff
since it shows the results after encoding — the encode filter strips the sensitive information.
Something like
[encode]
settings.cfg = sed "s/(username|password) = .*/\1 =/"
should work. (I cannot test it right now, I'm in a tram.)
Simply not versioning the file is still the simple, normal, and recommended way to deal with this problem.
OTHER TIPS
You can ignore
your settings file but then it will never be version controlled.
What I do is to have 2 config files. One for production and one for dev which contain all the settings. Sensitive credentials are in another file "sourced" by the main config and these are not version controlled. Often, they're just two lines (username, password).
However, in general, there's no way to track a file but not push it.
Normally you can do this by having 2 config files (+1 if you want a sample config):
config
username=root
password=r00t
config.local
username=tkone
password=yoursecretpassword
config.local.sample (optional, but recommended)
username=replace with your local username and rename file to config.local
password=replace with your local password and rename file to config.local
.gitignore
config.local
In .gitignore
you need to put the config.local
file (the one you want to protect) and check in the config
(and config.local.sample
, if you decide to use one).
When someone will clone your project they will see the following files:
config
config.local.sample
.gitignore
all your other project files
Important!!! From your program when you load the config file you should check if you have a config.local file. If not, load the default one: config.
Conclusion
You avoid publishing config.local
, that contains your sensitive information. The default configuration (cloned from a remote) will work for a reasonable and rare case where username root and a password r00t are valid. The config.local.sample will provide local customization instructions (if someone needs them).
If they do create a config.local
file, it will get automatically ignored (because of the config.local
line from .gitignore
), but it will also get automatically used by your program instead of the default config
file.