Question

I am considering publishing a project on GitHub. It may contain sensitive data like API tokens, which I naturally do not want to be public. I would like to use the code locally with correct tokens, passwords, etc., but only placeholders should go to the repository.

I could try to remember to remove this data every time before pushing (manually, automatically?), but then local and GitHub copies are obviously different, and this seems error-prone anyhow.

What is good practice for this situation?

Solution

EDIT: For anyone looking at this. Just saw this excellent answer, it is well worth reading:
How can I save my secret keys and password securely in my version control system?

---Continue old answer---

Great question. See this post for a good start: Accidental API Key Exposure is a Major Problem

I generally try to keep all my API tokens in an external file.

I exclude that file in .gitignore:

##################
#Ignore API token#
##################
token.txt

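Then I read the token from the file (working in Python):

# Read the token from the token.txt file in the same directory as this script
import os

path = os.path.dirname(os.path.abspath(__file__))
token_file = os.path.join(path, "token.txt")

# Open in text mode so the str replace() below works on Python 3
with open(token_file, 'r') as f:
    token = f.read().replace('\n', '')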

Since I never push the token file it never gets exposed.
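The answer's approach depends on token.txt really being ignored and never having been added to the repository. The following is an added example, not the answerer's code, that checks this with git before loading the token; the `PLACEHOLDER` string and the function names are assumptions made for illustration.

```python
import os
import subprocess
import tempfile

TOKEN_FILE = "token.txt"          # file name used in the answer above
PLACEHOLDER = "YOUR_TOKEN_HERE"   # assumed placeholder text, not from the page


def git_state(repo_dir, name=TOKEN_FILE):
    """Return 'tracked', 'ignored', 'unprotected' or 'no-git' for a file."""
    def run(*args):
        try:
            return subprocess.run(["git", "-C", repo_dir, *args],
                                  stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL).returncode
        except FileNotFoundError:      # git is not installed
            return None
    if run("rev-parse", "--git-dir") != 0:
        return "no-git"
    # A file that was ever added stays tracked even if .gitignore lists it later.
    if run("ls-files", "--error-unmatch", "--", name) == 0:
        return "tracked"
    # check-ignore exits 0 only when an ignore rule matches the path.
    ignored = run("check-ignore", "-q", "--", name) == 0
    return "ignored" if ignored else "unprotected"


def load_token(repo_dir):
    """Read the token, refusing if the file could reach the repository."""
    state = git_state(repo_dir)
    if state in ("tracked", "unprotected"):
        raise RuntimeError(f"{TOKEN_FILE} is {state}; fix .gitignore first")
    try:
        with open(os.path.join(repo_dir, TOKEN_FILE), encoding="utf-8") as f:
            token = f.read().strip()
    except FileNotFoundError:
        raise RuntimeError(f"{TOKEN_FILE} is missing; create it locally") from None
    if not token or token == PLACEHOLDER:
        raise RuntimeError(f"{TOKEN_FILE} holds no real token")
    return token


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:   # constructed sample data
        with open(os.path.join(demo, TOKEN_FILE), "w") as f:
            f.write("constructed-sample-token\n")
        print(git_state(demo), load_token(demo))
```

A "tracked" result means the file is already in the index or history, so adding it to .gitignore alone does not stop it from being pushed.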

License: CC-BY-SA with attribution
Not affiliated with StackOverflow