OGG… How do I manage config and secret information in Git?

Objective

Prevent accidental commits and secure management of configuration files and secret credentials (e.g., API keys, tokens, passwords) in Git projects.

Goal

Ensure sensitive information is excluded from version control while still allowing safe configuration in development and production environments.

Guidline

1. Use .gitignore to exclude sensitive files

   Add entries like config.yml, .env, or secrets.json to .gitignore.

2. Store templates of sensitive files

   Include config.sample.yml or .env.example in the repo to show required structure. It would be nice to add a document about how to use the template.

3. Use environment variables in your code

   Instead of hardcoding sensitive values like API keys in your source code, load them from environment variables at runtime.

   import yaml
   
   with open("../config/config.yml", "r") as file:
       config = yaml.safe_load(file)

4. Audit and remove accidental commits:

   If you accidentally committed a secret (like an API key), even after deleting the file or rotating the key, it might still exist in Git history and be accessible to others. You need to remove recrets from history Use a tool like BFG Repo-Cleaner.

Example in my project

manageing secrets in development

1. Add config/ to .gitignore

   # .gitignore
   config/

2. Add a template file: config/config_template.yml

   Create a safe, non-sensitive example config file that shows the expected structure of real credentials:

   # config/config_template.yml
   api_config:
     api_url: "https://hogehoge"
     api_key_id: "hogehoge"
     api_secret: "hogehoge"

   Then commit it manually with -f (force), since it lives inside an ignored folder:

   git add -f config/config_template.yml
   git commit -m "ENV: Add config template for API config"

3. Document how to create a real config.yml from the template

   Provide a short note (e.g. in your README) explaining how to set up the actual config file:

   cp config/config_template.yml config/config.yml

   Then edit config.yml manually and replace each placeholder value with your actual secrets:

   api_config:
     api_url: "https://your.api.endpoint"
     api_key_id: "your_api_key_id"
     api_secret: "your_secret_token"

4. Create passwords.txt under config/ for use with BFG Repo-Cleaner

   If you accidentally commit secrets, prepare a list of them to clean from your Git history.

   your_api_key_here==>REMOVED
   secret_token_123==>REMOVED

   Each line follows the format:

   original_string==>replacement_string

If you accidentally commit secrets

Here’s how to use BFG to remove sensitive values from Git history:

bfg --replace-text .bfg/passwords.txt
git reflog expire --expire=now --all
git gc --prune=now --aggressive
git push -f

command	explanation
bfg --replace-text ...	replaces secrets in your repo history
git reflog expire	drops internal backup references
git gc	garbage collects dangling commits
git push -f	force-pushes the cleaned history (⚠️ coordinate with team!)

Appendix: How to install BFG Repo-Cleaner

AS of 2025-06-03, v1.15.0 is the lastest.

1. Download the BFG JAR File

   Use wget to download the JAR (Java ARchive) file of BFG version 1.15.0 from Maven Central (an official Java package repository).

   % cd <your-target-directory>
   % wget https://repo1.maven.org/maven2/com/madgag/bfg/1.15.0/bfg-1.15.0.jar

   After download, you’ll see this file:

   % ls
   bfg-1.15.0.jar

2. (Optional) Move the JAR to a Tool Directory and Create a Shell Alias

   If you’re using Zsh (common on macOS and many Linux setups), add the alias to .zshrc:

   % echo "alias bfg='java -jar <your-target-directory>/bfg-1.15.0.jar'" >> ~/.zshrc
   % source ~/.zshrc

   If you’re using Bash, modify .bashrc instead:

   % echo "alias bfg='java -jar ~/.tool.d/bfg-1.15.0.jar'" >> ~/.bashrc
   % source ~/.bashrc

   Then, check if your setting works properly

   % bfg --help

References

• BFG Repo-Cleaner