2

I have a repository on GitHub that I would like to make public so recruiters can view it. This repository though holds my SMTP and a MongoDB URI that shouldn't be shared with others. This information is in my application.properties file.

What's the simplest way to hide this sensitive data and also make sure no one can go look at old commits and see how it was before hiding it?

I have seen some ways on the web but they all look quite complicated...

Thank you for your experience and time

  • I may write this up as a full-fledged answer when I have the time later, but this seems to be exactly what you're requesting: https://stackoverflow.com/a/19873725/1108305 – M. Justin Nov 13 '20 at 23:12

4 Answers

1

Use environment variables to hide your sensitive data. Like

spring.data.mongodb.host=${MONGO_DB_HOST}
spring.mail.host=${MAIL_HOST}

Set the values at your dev environment.
I don't have any idea about how to hide your old commits.

Shawrup
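As an added example (not part of Shawrup's answer or the question), a small Python check for the pattern the answer shows: it flags property values that still carry a literal credential, including one hidden in a placeholder default such as `${MONGO_URI:mongodb://user:pw@host/db}`, and it resolves `${VAR}` placeholders from the environment the way Spring does at startup, reporting variables that are unset in the dev environment. The property keys, values, file contents and environment names are constructed for the demonstration.

```python
"""Pre-publish check for a Spring application.properties that externalises
secrets with ${VAR} placeholders (added example, not part of the answer).

find_literal_secrets() flags values that still hold a hard-coded credential,
including one hidden in a placeholder default such as
${MONGO_URI:mongodb://user:pw@host/db}; render_properties() resolves the
placeholders from the environment as Spring does at startup and reports
names that are unset. All keys, values and variable names are constructed.
"""
import os
import re

# ${NAME} or ${NAME:default}; Spring also allows dots in NAME.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.]*)(?::([^}]*))?\}")
# scheme://user:password@ inside a URI.
URI_CREDENTIAL = re.compile(r"://[^/@\s]+:[^/@\s]+@")
# Keys whose literal value is a secret by definition.
SENSITIVE_KEY = re.compile(r"password|secret|token", re.IGNORECASE)


def parse_properties(text):
    """Return [(key, value)] for every key=value line, in file order.

    Comments (# or !) and blank lines are skipped; only the first '=' splits,
    so a value such as a URI with '=' in its query string stays intact.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def find_literal_secrets(text):
    """Keys whose value (or placeholder default) carries a literal credential."""
    hits = []
    for key, value in parse_properties(text):
        # Drop the placeholders but keep their defaults: a default is
        # committed text and leaks just like a plain literal would.
        literal = PLACEHOLDER.sub(lambda m: m.group(2) or "", value)
        if not literal:
            continue                       # fully externalised
        if URI_CREDENTIAL.search(literal) or SENSITIVE_KEY.search(key):
            hits.append(key)
    return hits


def render_properties(text, env=None):
    """Resolve placeholders against env (os.environ by default).

    Returns (rendered_pairs, unresolved_names). Spring fails at startup on
    the first placeholder without a value; collecting them all lets a dev
    environment check report every missing variable in one run.
    """
    env = os.environ if env is None else env
    unresolved = []

    def substitute(m):
        name, default = m.group(1), m.group(2)
        if name in env:
            return env[name]
        if default is not None:
            return default
        unresolved.append(name)
        return m.group(0)                  # leave it visible in the output

    rendered = [(k, PLACEHOLDER.sub(substitute, v))
                for k, v in parse_properties(text)]
    return rendered, unresolved


# Constructed samples: the file before and after following the answer.
BEFORE = """\
# constructed sample, before externalising (no real credentials)
spring.data.mongodb.uri=mongodb://app:hunter2@db.example.test:27017/app
spring.mail.host=smtp.example.test
spring.mail.password=hunter2
"""

AFTER = """\
# constructed sample, after externalising
spring.data.mongodb.uri=${MONGO_URI}
spring.mail.host=${MAIL_HOST:smtp.example.test}
spring.mail.password=${MAIL_PASSWORD}
"""

if __name__ == "__main__":
    print("literal secrets before:", find_literal_secrets(BEFORE))
    print("literal secrets after: ", find_literal_secrets(AFTER))
    # Simulated dev environment with one variable deliberately missing.
    pairs, missing = render_properties(
        AFTER, env={"MONGO_URI": "mongodb://localhost/dev"})
    print("rendered:", pairs)
    print("unresolved in dev env:", missing)
```

Run it against the real file before the repository goes public; an empty result from find_literal_secrets() and an empty unresolved list from render_properties() is what you want to see.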
0

Make a .gitignore file at the root of your project and inside it list whatever files you don't want git to have access to when you push to GitHub, for example:

/public/packs
/node_modules/
.pnp.js

/ (forward slash) is used for folders and . (dot) is used for files

Here follows a picture of the location of the .gitignore file.


R_D
  • Hi, R_D. Seems a nice idea, but what if in the application.properties file there are important configurations that the recruiter should be able to view? –  Nov 13 '20 at 21:37
  • If the push is the full git commit history (which it looks like the asker wants), I believe the file will still be visible when checking out older commits. It's just the newest commit that won't have it. – M. Justin Nov 13 '20 at 21:43
  • There are two ways: 1) You separate them: things that recruited can see and one with sensitive data and you gitignore it. 2) You can substitute your own secret info with . Like a placeholder-ish. – R_D Nov 13 '20 at 21:44
  • Once you pushed data, you have to delete the repo and start over doing the options above. – R_D Nov 13 '20 at 21:45
0

If the goal is just for recruitment, would it be acceptable to have a second copy for recruitment, while leaving the original copy alone?

While there are certainly more idiomatic ways of achieving this through git, a simple solution with minimal git knowledge or advanced techniques would be:

  1. Create a new empty git project on GitHub
  2. Clone the new project locally
  3. Copy the (non-.git) files from the existing project into the new project (using either the console or your OS's windowed UI)
  4. Delete or redact the offending entries from the new project
  5. Commit the changes as a single commit
  6. Push the new project back to GitHub
M. Justin
0

I have not used it myself, but the open source BFG Repo-Cleaner looks like it might satisfy your requirements of simplicity while retaining the activity chart for reviewers to view. This can be done on a publicly-facing copy of the repo if you wish to keep your private working copy, while still keeping the activity history viewable.

Following the tool's usage instructions, you should be able to do the following (assuming you want these changes in a fresh copy of the repo):

The first step is to duplicate the repository on GitHub, following the instructions in the GitHub docs.

To do this, first create a new repository.

Next, mirror the repository, following the GitHub instructions:

  1. Open Terminal.
  2. Create a bare clone of the repository.
     $ git clone --bare https://github.com/exampleuser/old-repository.git
  3. Mirror-push to the new repository.
     $ cd old-repository.git
     $ git push --mirror https://github.com/exampleuser/new-repository.git
  4. Remove the temporary local repository you created earlier.
     $ cd ..
     $ rm -rf old-repository.git

Now that you have the duplicate repository, you can run the BFG Repo-Cleaner to replace all instances of text you want hidden with ***REMOVED***.

$ java -jar bfg.jar --replace-text replacements.txt  my-repo.git

The replacements.txt file would contain the SMTP, MongoDB URI, and any other text you want hidden.

mongodb://my-username:my-password@host1.example.com:27017,host2.example.com:27017/my-database
marco-f@example.com

Note that this does not update the latest commit on the master/HEAD branch, so this will need to be manually changed, and then committed. This can either be achieved using a final commit using the --amend option, or by making a new commit prior to running the BFG Repo-Cleaner with the files manually changed.

$ git commit --amend

Now that the changes have been made, they can be pushed to GitHub.

$ git push
M. Justin
  • Hi Justin. So I have tried this and even though it looked like it worked and that bfg made changes to application.properties files, the sensitive data is still there. I will update you if I manage to find out why. P.s: I think entries in the replacements.txt file should have a different separator, because BFG was telling me it couldn't find text to be changed, but it didn't complain when I used a single entry at a time in the file replacements.txt –  Nov 14 '20 at 11:19
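As an added example (not part of M. Justin's answer and not the BFG project's code), a Python dry run of a `--replace-text` rules file over a sample application.properties. It reports how many times each rule matched, which is the first thing to look at when the tool says it found no text to change, and it lists literals that still appear afterwards, the check you want on the HEAD commit that the answer says BFG leaves for you to fix. The rule syntax it assumes (a bare line is a literal replaced with `***REMOVED***`, `literal==>replacement` overrides the replacement text, a `regex:` prefix makes the left side a regular expression) is taken from the tool's documentation and should be verified against the version you run; all sample content is constructed, using the two literals already quoted in the answer.

```python
"""Dry run of a BFG-style --replace-text rules file (added example, not the
tool's code). Rule syntax assumed here, to be verified against the BFG docs
for your version: one rule per line; a bare line is a literal string that is
replaced with ***REMOVED***; `literal==>replacement` sets the replacement;
a `regex:` prefix makes the left side a regular expression.
"""
import re

DEFAULT_REPLACEMENT = "***REMOVED***"


def parse_rules(rules_text):
    """Return a list of (regex, replacement, rule_line, is_regex).

    splitlines() drops both \\n and \\r\\n, so a rules file saved with CRLF
    endings does not turn every literal into "secret\\r", which would match
    nothing in the repository.
    """
    rules = []
    for raw in rules_text.splitlines():
        if not raw.strip():
            continue                      # blank line, no rule
        if "==>" in raw:
            pattern, replacement = raw.split("==>", 1)
        else:
            pattern, replacement = raw, DEFAULT_REPLACEMENT
        is_regex = pattern.startswith("regex:")
        if is_regex:
            rx = re.compile(pattern[len("regex:"):])
        else:
            rx = re.compile(re.escape(pattern))   # literal: metacharacters escaped
        rules.append((rx, replacement, raw, is_regex))
    return rules


def apply_rules(text, rules):
    """Apply every rule to text; return (new_text, [match count per rule]).

    A rule with a zero count never matched anything: that is the case to
    inspect when the tool reports it could not find text to change.
    """
    counts = []
    for rx, replacement, _, _ in rules:
        # A function replacement keeps '$' and '\\' in the replacement literal.
        text, n = rx.subn(lambda _m: replacement, text)
        counts.append(n)
    return text, counts


def leftover_literals(text, rules):
    """Literal rules whose secret still appears in text.

    Run this over the checked-out HEAD after cleaning: BFG rewrites history
    but, as the answer notes, leaves the latest commit for you to fix.
    """
    return [line for rx, _, line, is_regex in rules
            if not is_regex and rx.search(text)]


# Constructed rules file (CRLF endings on purpose): the two literals from the
# answer plus a regex rule that swaps a hard-coded mail password for a
# placeholder.
RULES = (
    "mongodb://my-username:my-password@host1.example.com:27017,"
    "host2.example.com:27017/my-database\r\n"
    "marco-f@example.com\r\n"
    r"regex:spring\.mail\.password=.*==>spring.mail.password=${MAIL_PASSWORD}"
    "\n"
)

# Constructed application.properties as it might look in an old commit.
SAMPLE = """\
spring.data.mongodb.uri=mongodb://my-username:my-password@host1.example.com:27017,host2.example.com:27017/my-database
spring.mail.host=smtp.example.com
spring.mail.username=marco-f@example.com
spring.mail.password=hunter2
"""

if __name__ == "__main__":
    rules = parse_rules(RULES)
    cleaned, counts = apply_rules(SAMPLE, rules)
    for (_, _, line, _), n in zip(rules, counts):
        print(f"{n} match(es): {line}")
    print(cleaned)
    print("still present:", leftover_literals(cleaned, rules))
```

Feed it the real replacements.txt and the current contents of application.properties: a zero count against content you know contains the secret means the rule line itself is wrong, and a non-empty leftover list after the tool has run is the HEAD commit the answer tells you to amend.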