How do I commit a file for only some users in a git repo?

Question

I am pretty sure people have faced this issue before, but I am not able to find any solution.

I have been working on an android library and plan to make it open source by putting it on GitHub. I would like to, however, only expose the maven upload creds to some specific authorised users - the core maintainers of the library.

How is this possible? If I store the username and password in a file and add it to gitignore, I won't be able to share it with anyone else via GitHub. However, if I do add the file to git, it will end up going to a public repo and being shared with everyone.

Is there some way to specify in git that a given file should only be accessed by people whose email ids fall in a specified list? Am I missing something very obvious?

Git does not operate on *files*. Git operates on *commits*. Each commit holds a full snapshot of *every* file, and you either hand out the entire commit, or you don't. So do not put private files into a repository. See also [this question](https://stackoverflow.com/q/23408141/1256452). — torek, Apr 23 '21 at 10:15
git is not the right tool for this job: you should not commit credentials as part of your code, ever. The question then becomes "how do I manage credentials needed by my code?" which is too broad for this site, but you should be able to find lots written about it online if you look. — IMSoP, Apr 23 '21 at 11:04

Schwern · Answer 1 · 2021-04-23T21:55:35.020

I would like to, however, only expose the maven upload creds to some specific authorised users - the core maintainers of the library.

You can't. Git is not an authentication manager. It does not operate per file, only per commit.

There are other options.

Put your shared credentials into an encrypted file. Commit that file. Hand out the decryption key. This is similar to Rails Encrypted Credentials.
Use a shared secrets vault such as HashiCorp Vault or a shared password maanger vault. This has the advantage of never exposing your credentials in a public repository, even encrypted.

In both cases no matter how many shared secrets your project has you only need to share one secret, a decryption key or shared vault access.

score 0 · Accepted Answer · answered Apr 28 '21 at 08:59

I am going forward with the most straightforward approach I could find.

I'll be storing sensitive data in local.properties file, which is not checked into version control. This works for my project as currently I am the sole admin. If more people join, I'll need to share the file's contents manually with them, but that's okay with me for now.

This solution won't work for teams with more collaborators, or where such roles might need to be assigned/changed dynamically.

How do I commit a file for only some users in a git repo?

2 Answers2