Scenario: You deployed a Heroku project that contains sensitive data (password, API key, etc.) but you want to share it on GitHub.
Problem: You need to commit all files necessary for the application to run on Heroku. However, pushing this to GitHub would reveal the sensitive info.
Solution: Have a production branch (for this example, master will be the production branch) and a GitHub branch. The latter contains a different .gitignore that ignores the sensitive files.
A. Assuming you already have a remote for Heroku, add one for GitHub:
git remote add github https://github.com/you/repo.git
B. First, make sure you have a backup copy of the file you're going to remove. Next, remove the file that contains the sensitive data from your repo and commit history (via https://help.github.com/articles/remove-sensitive-data):
git filter-branch --force --index-filter \
'git rm --cached --ignore-unmatch sensitive_data.js' \
--prune-empty --tag-name-filter cat -- --all
C. At this point the file will have been deleted. Add sensitive_data.js to .gitignore.
D. Commit these changes:
git commit -m "Removed sensitive data and updated gitignore"
E. At this point your project is ready for GitHub. Create a branch for GitHub and push:
git branch github
git push github github --force
F. Now you can remove sensitive_data.js from .gitignore, make sure the file exists, commit those changes, and push to Heroku:
git push heroku master --force
G. Branch master is now one commit ahead of branch github. If we were to merge or rebase this commit into branch github, it would become infected with the data we just removed! But what if you want to otherwise keep the two branches in sync, i.e. you add some text to a page on branch master, commit the changes, and now you want that commit to show up on GitHub? To do this, run git log, copy the SHA value, then:
git checkout github
git cherry-pick *commitID*
git push github github
You'll notice that when you switch between branches everything should be identical, except for the presence of the one file that contains the sensitive data and the corresponding line in .gitignore.
A very hack-tastic "solution"!
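Step G only holds if branch github never contains a commit that touches sensitive_data.js. The pre-push check below is an added example, not part of the original post; the function names path_in_history, guarded_push and build_demo_repo are hypothetical, and the demo repository and its key value are constructed.

```shell
#!/bin/sh
# Added example: guard for the public "github" branch described in steps E-G.
# Branch and file names follow the post; function names are hypothetical.

# Succeeds (exit 0) if any commit reachable from REF ever touched PATH.
path_in_history() {
    ref=$1; path=$2
    [ -n "$(git rev-list "$ref" -- "$path")" ]
}

# Push REF to REMOTE only if PATH never appears anywhere in REF's history.
guarded_push() {
    remote=$1; ref=$2; path=$3
    if path_in_history "$ref" "$path"; then
        echo "refusing to push $ref: $path is in its history" >&2
        return 1
    fi
    git push "$remote" "$ref"
}

# Constructed throwaway repo mirroring steps E-G: master carries the secret
# commit, github receives later commits by cherry-pick only.
build_demo_repo() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    git init -q . && git symbolic-ref HEAD refs/heads/master
    git config user.email demo@example.invalid
    git config user.name demo
    echo "sensitive_data.js" > .gitignore
    echo "home" > index.html
    git add .gitignore index.html && git commit -qm "public baseline"
    git branch github                      # step E: public branch forks here
    : > .gitignore                         # step F: stop ignoring the file
    echo "API_KEY='constructed'" > sensitive_data.js
    git add .gitignore sensitive_data.js && git commit -qm "add secret for Heroku"
    echo "more text" >> index.html
    git commit -qam "page update"          # the commit we want on GitHub
    git checkout -q github
    git cherry-pick "$(git rev-parse master)" >/dev/null   # step G
}
```

In a real repository, replace the final push of step G with: guarded_push github github sensitive_data.js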