
I have a website with a staging subdomain that automatically updates when I push from my dev machine. I am excluding 2 files from commits because they contain credentials. I am not using .gitignore because this is a temporary solution to a larger problem of where to store credentials for production. I tried using environment variables in .htaccess but they seem to be more vulnerable to leaking as mentioned in this question:

https://security.stackexchange.com/questions/199248/why-use-env-whats-wrong-with-storing-secrets-in-a-config-php-file-outside-roo

In the meantime while I figure out a permanent solution, I put the credentials back in their files and exclude them from commits. The issue is when I push commits to the server, the excluded files revert to their previous version causing me to manually add the files after every time I push.

This question's answer had this comment:

Any sort of secret should be passed in through the environment or a config file. It's fine to create a template for this purpose and check that in, then have a script to copy it into an ignored location so that you can edit it and add the secret. For most major production systems, secrets are typically passed in through the environment so they aren't written to disk.

I am struggling with exactly how to implement this on my production server. I know it belongs in its own question but I'm including it for additional context.

How do I stop git from reverting excluded files on every push?

jdf

1 Answer

You might consider a content filter driver, that is:

  • a script able to take a template file, and produce the actual file (which remains untracked, private) automatically on checkout
  • a .gitignore which ignores the resulting generated file (you already have that)
  • a .gitattributes declaring a smudge content filter (see below)

The generation of the sensitive file is automated through a content filter driver, using a .gitattributes declaration.

(image: https://i.stack.imgur.com/tumAc.png, from "Customizing Git - Git Attributes" in the "Pro Git" book)

Once you declare that content filter driver in your local config, it will automatically, on git checkout/git switch, generate your (not tracked) file for you.
See a complete example in "Best practice - Git + Build automation - Keeping configs separate".

But this assumes the script knows where to look for those credentials, in order to generate the actual file.
Said credentials could be stored on the prod server, outside the checked out repository, in order for said script to read them and generate the correct files.

VonC
  • Thank you for answering. This is going to take some time for me to understand. – jdf Feb 17 '22 at 01:33
  • @jdf No problem. It is a kind of hook in order to do any process you want on checkout/switch, like generating a private file. – VonC Feb 17 '22 at 01:39
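The template-plus-smudge-filter approach VonC describes, as an added example (not code from the answer or from the Pro Git book); the file names, the `secrets` filter name, the `{{KEY}}` placeholder syntax and the secrets-file location are assumptions for this illustration:

```shell
#!/bin/sh
# Added example: a git "smudge" filter that fills a committed template with
# credentials kept outside the working tree, so the secret itself is never committed.
#
# Assumed layout (all names are assumptions):
#   config.php.tmpl  - tracked template containing {{DB_USER}}-style placeholders
#   config.php       - generated on checkout, listed in .gitignore
#   $SECRETS_FILE    - KEY=VALUE lines, readable only by the deploy user, stored
#                      outside the repository (default /etc/myapp/secrets.env)
#
# One-time setup on the production checkout (run manually, shown for reference):
#   echo 'config.php.tmpl filter=secrets' >> .gitattributes
#   git config filter.secrets.smudge "sh $PWD/smudge-secrets.sh --filter"
#   git config filter.secrets.clean  cat
# The "clean" side is a no-op because the template is what gets committed.

: "${SECRETS_FILE:=/etc/myapp/secrets.env}"

# smudge_template TEMPLATE_TEXT SECRETS_PATH
# Prints TEMPLATE_TEXT with every {{KEY}} replaced by KEY's value from SECRETS_PATH.
# Returns non-zero if any placeholder has no value, so a broken deploy fails loudly
# instead of silently shipping a file with an empty credential.
smudge_template() {
    template=$1
    secrets=$2
    out=$template
    for key in $(printf '%s\n' "$template" | grep -o '{{[A-Za-z_][A-Za-z0-9_]*}}' | tr -d '{}' | sort -u); do
        # first matching KEY= line; "cut -f2-" keeps any '=' inside the value
        value=$(grep "^${key}=" "$secrets" | head -n 1 | cut -d= -f2-)
        if [ -z "$value" ]; then
            echo "smudge: no value for $key in $secrets" >&2
            return 1
        fi
        # escape characters that are special in a sed replacement (&, |, \)
        esc=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')
        out=$(printf '%s\n' "$out" | sed "s|{{${key}}}|${esc}|g")
    done
    printf '%s\n' "$out"
}

# Entry point when git invokes the filter: template on stdin, generated file on stdout.
if [ "${1:-}" = "--filter" ]; then
    smudge_template "$(cat)" "$SECRETS_FILE"
fi
```

Because the generated file is produced at checkout from data outside the repository, a push that updates the tracked template no longer overwrites the credentials, and the secrets file can be locked down with ordinary file permissions.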