I want to deploy my GitHub project to Firebase using GitHub Actions, and the project ID is exposed in the .firebaserc file. Is it safe for me to commit my code to GitHub with the GCP project ID exposed? Also, I've tried to search for a workaround, but it seems not to be a concern.
In general, exposing your ProjectID will not grant someone permission to your account. It can make your project's services easier to find. Sort of like: my home address is on a public street, but I do not publish my home address for security reasons/junk mail/unwanted visitors/etc. Doug Stevenson wrote a good answer on this matter. – John Hanley Jul 13 '21 at 18:08
That's insightful. Thanks @John Hanley – Mike Mwanje Jul 13 '21 at 20:15
1 Answer
It depends entirely on what you mean by "safe", and what you are giving up to anyone who knows (or can guess) your project ID.
If your exposed project ID has computing resources allocated to it, and those resources can be discovered by what you provide in source control, and those resources are accessible to the public, then you are on the hook to pay the billing for those resources if they might get used.
If your exposed project ID has any public API endpoints that are not protected by some form of authentication, anyone could possibly discover those endpoints, reverse engineer them, and use them to gain the data that those endpoints could possibly deliver.
Even if you do not expose your project ID, someone could guess it and still do all of the above.
In general, I personally would not put any information related to the identification of my projects in public source control. I would leave that a matter of configuration, to be read from environment variables or git-ignored files that must be provided by the person working on the project. That is the safest and least problematic approach.
However, if you want to sacrifice security for convenience, that's entirely up to you. Just be sure you are comfortable with the ramifications of doing so.
See also: Is it safe to expose Firebase apiKey to the public?

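The answer's suggestion of keeping the project ID in configuration rather than in the repository, as an added example that is not part of the question or the answer: a POSIX shell helper a CI step could call to generate `.firebaserc` at deploy time. The variable name `FIREBASE_PROJECT_ID` and both function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: generate .firebaserc at deploy time instead of committing it.
# FIREBASE_PROJECT_ID is an assumed variable name (for instance a CI secret
# mapped into the job environment); the function names are hypothetical.
LC_ALL=C; export LC_ALL   # keep [a-z] ranges ASCII-only

# Return 0 when $1 has the shape of a GCP project ID: 6-30 characters,
# lowercase letters, digits and hyphens, starting with a letter and not
# ending with a hyphen.
valid_project_id() {
  case $1 in
    ''|*[!a-z0-9-]*) return 1 ;;  # empty, or a character outside the set
    [!a-z]*|*-)      return 1 ;;  # bad first character or trailing hyphen
  esac
  [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ]
}

# Write <dir>/.firebaserc from the environment.
# Returns 1 when the ID is missing or malformed, 2 when .firebaserc is not
# listed in <dir>/.gitignore (so the generated file could be committed).
write_firebaserc() {
  dir=${1:-.}
  id=${FIREBASE_PROJECT_ID:-}
  if ! valid_project_id "$id"; then
    echo "FIREBASE_PROJECT_ID is unset or not a valid project ID" >&2
    return 1
  fi
  if ! grep -qxF '.firebaserc' "$dir/.gitignore" 2>/dev/null; then
    echo ".firebaserc is not listed in $dir/.gitignore" >&2
    return 2
  fi
  # The ID passed validation, so it contains nothing that needs JSON escaping.
  printf '{\n  "projects": {\n    "default": "%s"\n  }\n}\n' "$id" \
    > "$dir/.firebaserc"
}

# Run as "script.sh --write" from the repository root in the deploy job.
if [ "${1:-}" = "--write" ]; then
  write_firebaserc .
fi
```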