Git – How does one handle sensitive data when using Github and Heroku

Tags: git, github, heroku

I am not yet accustomed to the way Git works (and wonder if anyone besides Linus is ;)).

If you use Heroku to host your application, you need to have your code checked into a Git repo. If you work on an open-source project, you are more likely going to share this repo on Github or other Git hosts.

Some things should not be checked in the public repo; database passwords, API keys, certificates, etc…
But these things still need to be part of the Git repo since you use it to push your code to Heroku.

How to work with this use case?

Note: I know that Heroku or PHPFog can use server variables to circumvent this problem. My question is more about how to "hide" parts of the code.

Best Answer

The preferred method of keeping passwords/API keys secret on heroku is to set config values via the heroku command-line application. The following example is taken from a heroku dev center article.

(The below example, and my entire answer relate to rails apps)

$ cd myapp
$ heroku config:add S3_KEY=8N029N81 S3_SECRET=9s83109d3+583493190
Adding config vars and restarting myapp... done, v14
S3_KEY:     8N029N81
S3_SECRET:  9s83109d3+583493190

Then reference these config values in your code using the ENV[] variable

AWS::S3::Base.establish_connection!(
  :access_key_id     => ENV['S3_KEY'],
  :secret_access_key => ENV['S3_SECRET']
)

This way your sensitive passwords are not stored in the git repository. (Note: when running the app locally, set these values in your .bashrc file.)

Also, I'm not sure what type of application you are running, but in Rails, heroku does not use your database.yml file; it simply sets your database username/password according to your app settings. So you can avoid saving those credentials in git.

Also, also, if you are running your own application and want it to remain private, a great alternative to github is bitbucket, which offers free private repositories.
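As an added example (not part of the answer above, and not Heroku or Rails code), here is a small Ruby loader that reads the same config vars through ENV, falls back to a gitignored KEY=VALUE file for local development instead of .bashrc, fails fast naming any missing key without echoing values, and can check that the local file is actually ignored by git. The file name `.env.local` and the `AppSecrets` helper names are assumptions.

```ruby
# Added example: load secrets from ENV (what Heroku config vars populate),
# with a gitignored local file as a development fallback. Not Heroku/Rails API.
module AppSecrets
  REQUIRED = %w[S3_KEY S3_SECRET].freeze

  # Parse a simple KEY=VALUE file; comments and blank lines are ignored.
  # Only the first '=' separates key from value, so values may contain '='.
  def self.parse_env_file(text)
    text.each_line.with_object({}) do |line, vars|
      line = line.strip
      next if line.empty? || line.start_with?('#')
      key, value = line.split('=', 2)
      next if value.nil?
      vars[key.strip] = value.strip
    end
  end

  # The process environment wins; the local file (assumed name .env.local,
  # which must be gitignored) only fills in required keys that are absent.
  def self.load(env = ENV, local_file: '.env.local')
    vars = env.to_h.slice(*REQUIRED)
    if File.exist?(local_file)
      parse_env_file(File.read(local_file)).each do |k, v|
        vars[k] ||= v if REQUIRED.include?(k)
      end
    end
    missing = REQUIRED - vars.keys
    # Name the missing keys only; never print a value that was found.
    raise KeyError, "missing config vars: #{missing.join(', ')}" unless missing.empty?
    vars
  end

  # True when git would ignore +path+ (git check-ignore exits 0 if ignored),
  # i.e. the local secrets file cannot be committed by accident.
  def self.git_ignores?(path)
    system('git', 'check-ignore', '-q', path)
  end
end

if $PROGRAM_NAME == __FILE__
  begin
    puts "loaded #{AppSecrets.load.keys.join(', ')}"
  rescue KeyError => e
    warn e.message
  end
  warn '.env.local is NOT gitignored' unless AppSecrets.git_ignores?('.env.local')
end
```

On Heroku the values come from `heroku config:add` exactly as in the answer; locally, put them in the gitignored file and confirm `git check-ignore .env.local` prints the path before you commit.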
