
I'm trying to use .gitignore to prevent GitHub from committing changes to a file in my project (file contains API key and secret for accessing a web service).

It's not working - my project on GitHub keeps getting the changes, even though I've confirmed the file is in the project's .gitignore file.

If I use git update-index --assume-unchanged, the file in question is removed from the repo entirely. I want the file there; I just don't want my changes to sync.

What am I missing?

.gitignore is:

## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.

# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates

#*.resw

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/

# Visual Studio 2015 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/

# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*

# NUNIT
*.VisualState.xml
TestResult.xml

# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c

# DNX
project.lock.json
project.fragment.lock.json
artifacts/

*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc

# Chutzpah Test files
_Chutzpah*

# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb

# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap

# TFS 2012 Local Workspace
$tf/

# Guidance Automation Toolkit
*.gpState

# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# JustCode is a .NET coding add-in
.JustCode

# TeamCity is a build add-in
_TeamCity*

# DotCover is a Code Coverage Tool
*.dotCover

# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*

# MightyMoose
*.mm.*
AutoTest.Net/

# Web workbench (sass)
.sass-cache/

# Installshield output folder
[Ee]xpress/

# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html

# Click-Once directory
publish/

# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# TODO: Comment the next line if you want to checkin your web deploy settings
# but database connection strings (with potential passwords) will be unencrypted
#*.pubxml
*.publishproj

# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/

# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/packages/*
# except build/, which is used as an MSBuild target.
!**/packages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/packages/repositories.config
# NuGet v3's project.json files produces more ignoreable files
*.nuget.props
*.nuget.targets

# Microsoft Azure Build Output
csx/
*.build.csdef

# Microsoft Azure Emulator
ecf/
rcf/

# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt

# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/

# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
node_modules/
orleans.codegen.cs

# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/

# RIA/Silverlight projects
Generated_Code/

# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm

# SQL Server files
*.mdf
*.ldf

# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings

# Microsoft Fakes
FakesAssemblies/

# GhostDoc plugin setting file
*.GhostDoc.xml

# Node.js Tools for Visual Studio
.ntvs_analysis.dat

# Visual Studio 6 build log
*.plg

# Visual Studio 6 workspace options file
*.opt

# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions

# Paket dependency manager
.paket/paket.exe
paket-files/

# FAKE - F# Make
.fake/

# JetBrains Rider
.idea/
*.sln.iml

# CodeRush
.cr/

# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
Tweeter/API_Keys.resw
CXL

1 Answer

I'm trying to use .gitignore to prevent GitHub from committing changes to a file in my project (file contains API key and secret for accessing a web service)

The .gitignore file does not do this. Git will not ignore changes to files that are in the repository. A file is always either managed by Git (all changes tracked) or ignored by Git (the file is not even present in the repo).

If you want to ignore changes to the file, you have to both remove the file from the repo with git rm and add it to .gitignore. You can make a template copy of the file and write a post-checkout hook to copy it in the right location if the destination file does not exist, if you like.

There are various ways to store secret data needed by an application:

  1. Secure the Git repo (this is a bit hard to do correctly).

  2. Store the secret data in a separate, secure Git repo.

  3. Encrypt the secret data (like with git-secret).

  4. Use a configuration manager or key store to store the secret data (like Apache ZooKeeper or HashiCorp Vault).

Dietrich Epp
  • I'm using option 4 (resw file instead of config manager, which isn't supported in UWP). My issue is that I want my resource file to exist in the repo with the necessary keys (but no values stored), so that anyone who forks the repo just has to add their API key and secret. I tried `git rm` after committing the resource file, and that removed it from the repo entirely. – CXL Aug 13 '18 at 20:17
  • See [this related answer](https://stackoverflow.com/a/2612663/5074609), GIT doesn't do a "include this file, but don't track any changes to it", or "stop tracking this file, but don't remove it from remote repos". For your local version, you can do a git rm --cached on the file and it will leave it there in your local copy, but it won't be included in any versions pulled after you push that change. – Matt Slonetsky Aug 13 '18 at 20:25
  • @ClairelyClaire: What you described is not option #4, so I clarified that. The bottom line is that Git will not do this for you—Git will not ignore changes to files that are in the repository. If you want to ignore the changes, you *must* remove the file. You can create a post-checkout hook that will create the file when a user clones the repo, if the file does not exist. – Dietrich Epp Aug 13 '18 at 20:28
  • I'm not entirely sure why, but I decided to try recreating the resource file in a command prompt, added it to the repo, committed, and then removed it from the repo via `git update-index --skip-worktree`...and this time it properly kept the file in the repo but ignored changes. That wasn't happening when I originally posted my question. – CXL Aug 13 '18 at 20:29
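As an added example (not code from the question, the answer or the comments), the answer's "template plus post-checkout hook" recipe as a runnable shell script: a key template with empty values is committed, the real `Tweeter/API_Keys.resw` from the question is ignored, and a hook committed under `.githooks/` seeds it when the repo is cloned. The `.template` suffix, the `.githooks/` directory, the key names and the use of `core.hooksPath` are assumptions.

```shell
#!/bin/sh
# Added example: commit a secrets template, ignore the real file, seed it on clone.
# Paths other than Tweeter/API_Keys.resw, key names and .githooks/ are assumed.
set -eu

# Run git with a fixed identity so the demo works in a bare environment.
G() { git -c user.name=demo -c user.email=demo@example.invalid -c init.defaultBranch=main "$@"; }

setup_source_repo() {
  src="$1"
  mkdir -p "$src/Tweeter" "$src/.githooks"
  G -C "$src" init -q
  # Template with the key names but no values: this is the only copy in history.
  printf 'ConsumerKey=\nConsumerSecret=\n' > "$src/Tweeter/API_Keys.resw.template"
  # The real file is ignored (if already tracked, git rm --cached it first).
  printf 'Tweeter/API_Keys.resw\n' > "$src/.gitignore"
  cat > "$src/.githooks/post-checkout" <<'EOF'
#!/bin/sh
# post-checkout runs from the worktree root: seed the ignored file only if absent.
[ -e Tweeter/API_Keys.resw ] || cp Tweeter/API_Keys.resw.template Tweeter/API_Keys.resw
EOF
  chmod +x "$src/.githooks/post-checkout"
  G -C "$src" add -A
  G -C "$src" commit -q -m "Ship API key template and post-checkout hook"
}

clone_with_hook() {
  src="$1"; dst="$2"
  # Hooks are not cloned, so point core.hooksPath at the committed hook directory;
  # post-checkout then fires at the end of the clone.
  G -c core.hooksPath="$src/.githooks" clone -q "$src" "$dst"
  # Keep using the committed hooks for later checkouts in this clone.
  G -C "$dst" config core.hooksPath .githooks
}

# Returns 0 when the secrets file exists in the clone, is ignored, and local edits
# to it leave `git status` clean (nothing to sync back to the remote).
verify_clone() {
  dst="$1"
  [ -f "$dst/Tweeter/API_Keys.resw" ] || return 1
  G -C "$dst" check-ignore -q Tweeter/API_Keys.resw || return 1
  printf 'ConsumerKey=LOCAL-ONLY-VALUE\n' >> "$dst/Tweeter/API_Keys.resw"
  [ -z "$(G -C "$dst" status --porcelain)" ]
}

run_demo() {
  work="$(mktemp -d)"
  setup_source_repo "$work/origin"
  clone_with_hook "$work/origin" "$work/clone"
  verify_clone "$work/clone"
}
```

The template is what collaborators see after a fork; the filled-in file exists only in each working copy, so `update-index --skip-worktree` is not needed.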