Problem
Consider this file tree as my development repository.
- foo/
  - .git/
    - [...]
  - bar/
    - backupclient.py
    - supersecretstoragecredentials.ini
For development, supersecretstoragecredentials.ini
needs to be filled in with valid credentials - while I still have to keep a clean version of it in the repository so that other users can easily set their credentials.
Possible solutions
1. .gitignore supersecretstoragecredentials.ini and create a supersecretstoragecredentials.ini-example, then copy supersecretstoragecredentials.ini-example to supersecretstoragecredentials.ini
2. backup.py reads the credentials from a file which is ignored by git, e.g. supersecretstoragecredentials_local.ini
As kan pointed out, these two solutions are similar but not entirely the same, workflow-wise.
Are there any other alternatives? Does git possess some kind of functionality to assist with this kind of issue?
git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. If a commit, commit message, or any commit in a --no-ff merge history matches one of your configured prohibited regular expression patterns, then the commit is rejected.
GitHub uses a libsodium sealed box to help ensure that secrets are encrypted before they reach GitHub and remain encrypted until you use them in a workflow. For secrets stored at the organization-level, you can use access policies to control which repositories can use organization secrets.
Check in the supersecretstoragecredentials.ini file with some placeholder values and then
git update-index --assume-unchanged supersecretstoragecredentials.ini
Git will not track future changes to this file.
You can reset this using
git update-index --no-assume-unchanged supersecretstoragecredentials.ini
What you are describing in Option 1 is basically covered by the smudge step of a content filter driver.
You have the two options presented in the "How to work on a drop-in library?" question.
The smudge script would take your supersecretstoragecredentials.ini-example (versioned), copy it as a supersecretstoragecredentials.ini (not versioned, ignored by Git), and fill its values from another source.
But beside the technical aspect of how you will implement your policy, the main measure is to make sure your secret values aren't stored in a Git repo at all, but are coming from another referential.
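The following is an added example, not code from the question or from any of the answers above. It builds a throwaway repository and exercises both git techniques the answers describe: the assume-unchanged answer, and the clean/smudge content filter driver from this answer. Only the file name comes from the question; the filter name "creds", the ini section and key names, the REPLACE_ME placeholder and the STORAGE_KEY environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. Builds a scratch
# repository and exercises:
#   1. git update-index --assume-unchanged on a committed placeholder file
#   2. a clean/smudge content filter that keeps the placeholder in history and
#      fills the real value on checkout from outside the repository
# File name from the question; filter name "creds", section/key names, the
# REPLACE_ME placeholder and the STORAGE_KEY variable are assumptions.
set -e

CRED_FILE=supersecretstoragecredentials.ini

# Create a fresh repository with a committed placeholder file and cd into it.
setup_repo() {
  cd "$(mktemp -d)"
  git init -q
  git config user.email dev@example.com   # local identity so commit works anywhere
  git config user.name dev
  printf '[storage]\nkey = REPLACE_ME\n' > "$CRED_FILE"
  git add "$CRED_FILE"
  git commit -q -m "add placeholder credentials"
}

# ---- 1. assume-unchanged -------------------------------------------------

# Flag the file, overwrite it with a local value, and print what git status
# reports for it. Empty output means git has stopped looking at the file.
assume_unchanged_status() {
  git update-index --assume-unchanged "$CRED_FILE"
  printf '[storage]\nkey = local-dev-key\n' > "$CRED_FILE"
  git status --porcelain -- "$CRED_FILE"
}

# The check: git ls-files -v prints 'h' for an assume-unchanged entry, 'H' otherwise.
index_flag() {
  git ls-files -v -- "$CRED_FILE" | cut -c1
}

# ---- 2. clean/smudge filter ----------------------------------------------

# Register a filter for the file. clean runs when content enters the index and
# replaces whatever key is there with the placeholder; smudge runs on checkout
# and substitutes $STORAGE_KEY (falling back to the placeholder when unset).
# git executes both commands through sh, so the ${...} expansion happens at
# checkout time, not here. A key containing '|' or '&' would need escaping.
setup_filter() {
  printf '%s filter=creds\n' "$CRED_FILE" > .gitattributes
  git config filter.creds.clean  'sed "s|^key = .*|key = REPLACE_ME|"'
  git config filter.creds.smudge 'sed "s|^key = REPLACE_ME|key = ${STORAGE_KEY:-REPLACE_ME}|"'
  git config filter.creds.required true
  git add .gitattributes
  git commit -q -m "route credentials file through the creds filter"
}

# Force a checkout of the file through the smudge filter with a key supplied
# from the environment, then print the key line git wrote to the working tree.
worktree_key() {
  rm -f "$CRED_FILE"
  STORAGE_KEY=real-dev-key git checkout -- "$CRED_FILE"
  grep '^key' "$CRED_FILE"
}

# Edit the working copy with another real key, stage it, and print the key
# line as it sits in the index, i.e. what a commit would record.
staged_key() {
  printf '[storage]\nkey = another-real-key\n' > "$CRED_FILE"
  git add "$CRED_FILE"
  git show ":$CRED_FILE" | grep '^key'
}

# What git status says about the file after the steps above (empty = clean).
filtered_status() {
  git status --porcelain -- "$CRED_FILE"
}
```

Two practical caveats. `--assume-unchanged` is documented as a performance hint (git promises not to check the file for changes), so a checkout, merge or stash that touches the path can still overwrite the local copy; `git update-index --skip-worktree` is the flag documented for "I have local changes I never want committed". With the filter approach the real key still sits in plaintext in the working tree, so the working tree must be treated as sensitive, but `git diff`, `git add` and `git commit` all pass the content through clean first, which is why the staged copy shows the placeholder and status stays empty.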