
@jczaplew
Last active January 11, 2023 10:41
Heroku + Github + Sensitive Data

Scenario: You deployed a Heroku project that contains sensitive data (password, API key, etc.), and you want to share the project on Github.

Problem: You need to commit all files necessary for the application to run on Heroku. However, pushing this to Github would reveal the sensitive info.

Solution: Have a production branch (for this example, master will be the production branch) and a Github branch. The latter contains a different .gitignore that ignores the sensitive files.

A. Assuming you already have a remote for Heroku, add one for Github: git remote add github https://github.com/you/repo.git

B. First, make sure you have a backup copy of the file you're going to remove. Next, remove the file that contains the sensitive data from your repo and commit history (via https://help.github.com/articles/remove-sensitive-data):

   git filter-branch --force --index-filter \
   'git rm --cached --ignore-unmatch sensitive_data.js' \
   --prune-empty --tag-name-filter cat -- --all

C. At this point the file will have been deleted. Add sensitive_data.js to .gitignore.

D. Commit these changes: git commit -m "Removed sensitive data and updated gitignore"

E. At this point your project is ready for Github. Create a branch for Github with git branch github, then push it with git push github github --force

F. Now you can remove sensitive_data.js from .gitignore, make sure the file exists, commit those changes, and push to Heroku: git push heroku master --force

G. Branch master is now one commit ahead of branch github. If we were to merge or rebase this commit into branch github, it would become infected with the data we just removed! But what if you want to otherwise keep the two branches in sync? For example, you add some text to a page on branch master, commit the changes, and now you want that commit to show up on Github. To do this, run git log, copy the SHA value of that commit, then

   git checkout github
   git cherry-pick <commitID>
   git push github github

You'll notice that when you switch between branches everything should be identical, except for the presence of the one file that contains the sensitive data and the corresponding line in .gitignore.

A very hack-tastic "solution"!
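
A check to run before the pushes in steps E and G, as an added example that is not part of the original gist: it confirms that no commit reachable from branch github touches sensitive_data.js, and refuses to push otherwise. The function names, the publish wrapper and the throwaway demo repository are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): block a push of branch "github"
# if its history contains the secret file.

# leaked_commits BRANCH PATH
# Prints every commit reachable from BRANCH that touches PATH.
# --full-history keeps commits on merged side branches that git's
# default history simplification could otherwise hide.
leaked_commits() {
    git rev-list --full-history "$1" -- "$2"
}

# safe_to_publish BRANCH PATH
# Returns 0 only if PATH never appears in BRANCH's history.
safe_to_publish() {
    hits=$(leaked_commits "$1" "$2") || return 2   # fail closed on git errors
    [ -z "$hits" ]
}

# Guarded replacement for "git push github github" (names are the gist's).
publish() {
    if safe_to_publish github sensitive_data.js; then
        git push github github
    else
        echo "refusing to push: sensitive_data.js is in github's history" >&2
        leaked_commits github sensitive_data.js >&2
        return 1
    fi
}

# Constructed sample repo mirroring steps E-F: "github" is clean and
# "master" is one commit ahead, carrying sensitive_data.js.
make_demo_repo() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    git init -q .
    git symbolic-ref HEAD refs/heads/master
    git config user.name demo
    git config user.email demo@example.invalid
    echo 'console.log("app")' > app.js
    echo 'sensitive_data.js' > .gitignore
    git add app.js .gitignore
    git commit -q -m "Removed sensitive data and updated gitignore"
    git branch github
    : > .gitignore
    echo 'module.exports = "CONSTRUCTED-PLACEHOLDER"' > sensitive_data.js
    git add .gitignore sensitive_data.js
    git commit -q -m "Restore sensitive_data.js for Heroku"
}
```

Source the functions inside the repository and call publish in place of the bare push; an accidental merge or rebase of master into github then fails the check instead of reaching the public remote.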

maxijonson commented Mar 16, 2019

I made a git post-commit hook script available here that automates this process. Just drop it in the .git/hooks folder of your repo.
