@jczaplew
Last active January 11, 2023 10:41
Heroku + Github + Sensitive Data

Scenario: You deployed a Heroku project that contains sensitive data (password, API key, etc) but you want to share it on Github.

Problem: You need to commit all files necessary for the application to run on Heroku. However, pushing this to Github would reveal the sensitive info.

Solution: Have a production branch (for this example, master will be the production branch) and a Github branch. The latter contains a different .gitignore that ignores the sensitive files.

A. Assuming you already have a remote for Heroku, add one for Github: git remote add github https://github.com/you/repo.git

B. First, make sure you have a backup copy of the file you're going to remove. Next, remove the file that contains the sensitive data from your repo and commit history (via https://help.github.com/articles/remove-sensitive-data):

git filter-branch --force --index-filter \
'git rm --cached --ignore-unmatch sensitive_data.js' \
--prune-empty --tag-name-filter cat -- --all

C. At this point the file will have been deleted. Add sensitive_data.js to .gitignore.

D. Commit these changes: git commit -m "Removed sensitive data and updated gitignore"

E. At this point your project is ready for Github. Create a branch for Github (git branch github) and push it (git push github github --force).

F. Now you can remove sensitive_data.js from .gitignore, make sure the file exists, commit those changes, and push to Heroku: git push heroku master --force

G. Branch master is now one commit ahead of branch github. If we were to merge or rebase this commit into branch github it would become infected with the data we just removed! But what if you want to otherwise keep the two branches in sync, i.e. you add some text to a page on branch master, commit the changes, and now you want that commit to show up on Github? To do this, run git log, copy the SHA value, then:

   git checkout github
   git cherry-pick *commitID*
   git push github github

You'll notice that when you switch between branches everything should be identical, except for the presence of the one file that contains the sensitive data and the corresponding line in .gitignore.

A very hack-tastic "solution"!
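
A check that fits before the pushes in steps E and G, as an added example that is not part of the original gist: it refuses to publish a branch if any commit reachable from it ever touched the sensitive file, which catches both an incomplete filter-branch and a cherry-pick of the commit that restored the file. The function names and the throwaway demo repository are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the gist: verify a branch before it is pushed to
# the public remote. Function names and the demo repo are hypothetical.

# List commits reachable from BRANCH that add, modify or delete FILE.
# --full-history keeps side branches that default history simplification
# would prune, so a file that was added and later deleted is still reported.
commits_touching() {    # usage: commits_touching REPO BRANCH FILE
    git -C "$1" rev-list --full-history "$2" -- "$3"
}

# Return 0 only if FILE never appears in BRANCH's history, 1 if it does,
# 2 if git itself failed (unknown branch, not a repo): fail closed.
safe_to_publish() {     # usage: safe_to_publish REPO BRANCH FILE
    hits=$(commits_touching "$1" "$2" "$3") || return 2
    [ -z "$hits" ] && return 0
    printf '%s must not be published, %s is in:\n%s\n' "$2" "$3" "$hits" >&2
    return 1
}

# Constructed sample repo mirroring the gist after step F: master carries
# sensitive_data.js, github does not, and github-bad is github plus a
# cherry-pick of the commit that restored the file (the mistake in step G).
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    g() { git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init -q
    g symbolic-ref HEAD refs/heads/master
    echo 'console.log("app")' > "$repo/app.js"
    echo 'sensitive_data.js' > "$repo/.gitignore"
    g add -A && g commit -q -m 'app without secrets'
    g branch github
    : > "$repo/.gitignore"
    echo 'exports.apiKey = "CONSTRUCTED-NOT-A-REAL-KEY";' > "$repo/sensitive_data.js"
    g add -A && g commit -q -m 'restore sensitive_data.js for Heroku'
    g checkout -q -b github-bad github
    g cherry-pick master > /dev/null
    g checkout -q master
    echo "$repo"
}

# Typical use before the pushes in steps E and G:
#   safe_to_publish . github sensitive_data.js && git push github github
```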

@nranjan54

I was searching a lot for this kind of solution. Previously I worked around using envt_variables in heroku.
Thanks.

@RushOnline

heroku config:add DB_USER=archer DB_PASS=onion

Then use environment variables in your running app.

@tuantrantg

tuantrantg commented Dec 10, 2016

@RushOnline

Then use environment variables in your running app.

I need file .p12 to authorize my access right, if we use env variable of heroku, how can we do it with file .p12?

@steven4354

Thanks for the post - super helpful information

@Vinetos

Vinetos commented Apr 20, 2018

It's a very bad idea with the code history!

@maxijonson

maxijonson commented Mar 16, 2019

I made a git post-commit hook script available here that automates this process. Just drop it in your .git/hooks folder of your repo
