How to manage sensitive data when using Git on a public repo
When pushing code to a public repository such as GitHub, it is important to ensure that sensitive information such as your passwords and API keys is not compromised. Often we want to track configuration files that store passwords and API keys, but we do not want to commit our actual keys. One way to achieve this is by using git update-index with the --assume-unchanged flag.
For example, to access API services like Google Maps for Android we need to register for a key. Once you have a key, you are granted access to make API calls to the service. You can keep your keys private while sharing your code on a remote repository like GitHub by checking in a default configuration file without your sensitive key. Once pushed, you can then use the --assume-unchanged flag to tell Git to stop checking for modifications to this file in your local repository.
git update-index --assume-unchanged <your-file-with-sensitive-key>
Once set, Git will stop checking whether modifications were made to this file. This means you can safely add your sensitive keys in your local repo, knowing that the modified file won't be tracked and pushed to your public remote. If you need to make public changes to this file, you can undo --assume-unchanged by using the --no-assume-unchanged flag:
git update-index --no-assume-unchanged <your-assume-unchanged-file>
Make sure you remove your sensitive keys before making your necessary changes, and then push the file upstream. Once you are done with your public changes, you can repeat the process to ensure your sensitive keys are not pushed to the remote by using --assume-unchanged.
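The workflow above, run end to end in a throwaway repository with a check that the flag is actually set. This is an added example, not code from the original post; the function names, config.properties and the key value are constructed for illustration.

```shell
#!/bin/sh
# Added example; the repo, file name and key value are constructed for the demo.

# Print tracked files flagged assume-unchanged: "git ls-files -v" marks
# those entries with a lowercase tag letter (e.g. "h").
list_assume_unchanged() {
    git -C "$1" ls-files -v | grep '^[[:lower:]] ' | cut -c3-
}

# Return 0 only if file $2 in repo $1 carries the flag.
is_protected() {
    list_assume_unchanged "$1" | grep -Fqx -- "$2"
}

# Walk through the article's workflow in a temporary repo and print a summary.
demo() {
    repo=$(mktemp -d) || return 1
    git -C "$repo" init -q
    # Step 1: commit the default configuration file without a real key.
    printf 'api_key=REPLACE_ME\n' > "$repo/config.properties"
    git -C "$repo" add config.properties
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q -m "Add default config without a key"
    before=no; is_protected "$repo" config.properties && before=yes

    # Step 2: set the flag, then put the (constructed) key in the local copy.
    git -C "$repo" update-index --assume-unchanged config.properties
    printf 'api_key=CONSTRUCTED-DEMO-KEY\n' > "$repo/config.properties"
    after=no; is_protected "$repo" config.properties && after=yes
    # Zero lines of porcelain output: Git reports nothing to commit.
    dirty=$(git -C "$repo" status --porcelain | wc -l | tr -d ' ')

    # Step 3: undo the flag; the local edit is visible to Git again.
    git -C "$repo" update-index --no-assume-unchanged config.properties
    undone=$(git -C "$repo" status --porcelain | wc -l | tr -d ' ')

    rm -rf "$repo"
    echo "before=$before after=$after dirty=$dirty undone=$undone"
}

demo
```

The flag lives only in the local index, so every clone has to set it again; calling is_protected on the file before a push confirms it is still in place.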