31

I have a project on GitHub behind a private repository. I want to make the repo public. However, my project uses secret keys.

How can I make the project public while still protecting the "history" of those secret keys? I'm guessing I'm SOL, and should simply invalidate the keys to prevent their use.

Note that this is not the same question as *How to open-source an application that uses API keys* or *How to handle 'open-sourcing' your application, when it uses a personal API key?*

As my project is already on Git, the entire source history can be easily viewed. What I suppose I could do is branch off a separate project with the API keys hidden, and make that repo public. But then users would miss out on the entire branching history, which they may be curious about (I know I would).


3 Answers

26

You could remove the secret keys using the git-filter-repo tool, see this explanation in the GitHub documentation.

git-filter-repo is much preferable to the older git filter-branch.


My old, now somewhat out-of-date answer:

You could remove the secret keys from the repository using a hammer like git filter-branch. There is a nice explanation on GitHub's help pages.

MForster
  • My secret keys are for instance in settings.py. Would the solution be to rip that file out of the entire history and then recommit it without the secret information? – Alper Oct 29 '15 at 14:13
  • 1
    That's the simplest option and the one explained on the linked page. But the command passed to `git filter-branch` can basically do anything that you want, for example pass the file through `sed`. – MForster Feb 01 '16 at 17:34
  • 14 years later, that GitHub link is no longer with us. Here are the [git docs for `filter-branch`](https://git-scm.com/docs/git-filter-branch), but they suggest not using it. Instead, here's a link to [a different GitHub help page](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository) describing newer ways to accomplish the same goal (such as using `git filter-repo` or BFG Repo-Cleaner). – DukeSilver Jan 24 '23 at 08:27
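As an added example (not code from the answer, the comments, or GitHub's documentation): the sed-through-`filter-branch` approach mentioned in the comments, run against a constructed throwaway repository, including the `refs/original/` and reflog cleanup that `filter-branch` leaves behind. `filter-branch` is used here because it ships with git; with `git filter-repo` the equivalent rewrite is its `--replace-text` option. The secret value, file name and commits are all constructed.

```sh
#!/bin/sh
# Added example: build a throwaway repo whose history carries a constructed secret in
# settings.py, redact it in every commit with git filter-branch, then confirm that no
# commit on any ref still touches the secret.
set -e

# Constructed placeholder; not a real credential.
SECRET='sk_live_EXAMPLE_NOT_A_REAL_KEY'

make_repo() {
  # Two commits that both add the secret, so the leak spans history, not just HEAD.
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email dev@example.com
  git -C "$repo" config user.name dev
  printf 'API_KEY = "%s"\n' "$SECRET" > "$repo/settings.py"
  git -C "$repo" add settings.py
  git -C "$repo" commit -q -m "initial settings"
  printf 'SECRET_KEY = "%s"\n' "$SECRET" >> "$repo/settings.py"
  git -C "$repo" commit -q -am "add SECRET_KEY"
  echo "$repo"
}

scrub_history() {
  repo=$1
  # Rewrite every commit on every ref. The tree-filter runs with that commit's files
  # checked out, so sed can redact settings.py wherever it exists. sed -i is avoided
  # because its syntax differs between GNU and BSD sed.
  FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$repo" filter-branch -f --tree-filter \
    "if [ -f settings.py ]; then sed -e 's/$SECRET/REDACTED/g' settings.py > s.tmp && mv s.tmp settings.py; fi" \
    -- --all >/dev/null
  # filter-branch keeps the old commits reachable through refs/original/ and the
  # reflog; until those are dropped the secret is still in the local clone's objects.
  git -C "$repo" for-each-ref --format='%(refname)' refs/original/ |
    while read -r ref; do git -C "$repo" update-ref -d "$ref"; done
  git -C "$repo" reflog expire --expire=now --all
  git -C "$repo" gc -q --prune=now
}

count_leaks() {
  # Number of commits on any ref whose diff changes how often the secret appears.
  git -C "$1" log --all --oneline -S"$SECRET" | wc -l | tr -d ' '
}

repo=$(make_repo)
echo "commits touching the secret before: $(count_leaks "$repo")"
scrub_history "$repo"
echo "commits touching the secret after:  $(count_leaks "$repo")"
```

The rewrite only changes what the repository publishes from now on; any clone fetched earlier still holds the old objects, so the key itself still has to be invalidated, as the question already anticipates.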
0

I used a new .gitignore which already excluded all the private stuff/secret keys and copied everything into a fresh repository. If I ever need access again to the old git history, I have left a copy of it.

bcye
0

Check out git-castle (https://www.npmjs.com/package/git-castle)!

You can add contributors to your whitelist and allow them to use your keys.