git 如何将代码推送到 Github 隐藏 API 密钥?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/44342276/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to push code to Github hiding the API keys?
提问by Sreeram TP
I want to push some codes to my GitHub Repository. These codes are in different languages like Javascript, Java, Pythonetc. Some of those codes contain some private APIkey that I don't want to publish.
我想将一些代码推送到我的 GitHub 存储库。这些代码是在像不同的语言Javascript,Java,Python等某些代码包含一些私有API密钥,我不希望发布。
Is there any way to hide the keys automatically.? Should I remove it from my code manually.?
有没有办法自动隐藏密钥。?我应该手动从我的代码中删除它吗?
There are many projects that I want to push to GitHub. So, manual removal is not a good option.
有很多项目我想推送到 GitHub。因此,手动删除不是一个好的选择。
采纳答案by Przemys?aw Zalewski
You should consider using .envfiles and read the keys from the environmental variables. How to do so depends on the language and tools you use (for node.js, php, etc.).
您应该考虑使用.env文件并从环境变量中读取密钥。如何执行取决于您使用的语言和工具(对于node.js、php等)。
You can exclude .envfile from commits by adding .envto the .gitignore. You can also upload an example configuration .env.examplewith dummy data or blanks to show the schema your application requires.
您可以.env通过添加.env到.gitignore. 您还可以上传.env.example带有虚拟数据或空白的示例配置,以显示您的应用程序所需的架构。
回答by sensorario
Any time you have files with sensitive data like
任何时候您有包含敏感数据的文件,例如
config.yml
you MUST NOT commit them to your repository. I'll show you an example.
您不得将它们提交到您的存储库。我给你看一个例子。
Suppose you have a yaml file with some username and password:
假设您有一个包含用户名和密码的 yaml 文件:
# app/config/credentials.yml
credentials:
username: foo
password: bar
If you want to hide the fooand the barvalues, remove this file from your repository, but add a distributionfile that aims to maintain username and password fields, but without any real values:
如果您想隐藏foo和bar值,请从您的存储库中删除此文件,但添加一个distribution旨在维护用户名和密码字段的文件,但没有任何实际值:
# app/config/credentials.yml.dist
credentials:
username: ~
password: ~
During installation you can get this file by copying app/config/credentials.yml.distto app/config/credentials.yml.
在安装过程中,您可以通过复制app/config/credentials.yml.dist到app/config/credentials.yml.
Also, remember to add app/config/credentials.ymlto your .gitignorefile.
另外,请记住添加app/config/credentials.yml到您的.gitignore文件中。
Its the same with api keys:
它与 api 密钥相同:
# app/config/config.yml
config:
credentials:
username: foo
password: bar
api_stuffs:
api_foo: fooooo
api_secret: baaaaar
api_token: tooooken
This works well for configuration files, and is a good pattern that saves you every time you need to share the structure of a configuration but not sensitive data. Init files, configurations and so on.
这适用于配置文件,并且是一种很好的模式,可以在您每次需要共享配置结构但不共享敏感数据时节省您的时间。初始化文件、配置等。
回答by Mureinik
Having your API key in the code is probably a bad idea anyway. It means that anyone else that wants to use your code will have to edit the code and rebuild it.
无论如何,在代码中包含您的 API 密钥可能是一个坏主意。这意味着想要使用您的代码的任何其他人都必须编辑代码并重建它。
The textbook solution for such usecases is to move the credentials to some configuration file, and add clear documentation in the README.mdfile about how the configuration file's structure and location. You could also add an entry for it in your gitignorefile to prevent yourself (and anyone else) from pushing your private information to GitHub by mistake.
此类用例的教科书式解决方案是将凭据移动到某个配置文件,并在文件中添加README.md有关配置文件的结构和位置的清晰文档。您还可以在您的gitignore文件中为其添加一个条目,以防止您(和其他任何人)错误地将您的私人信息推送到 GitHub。
回答by Gautam Krishna R
You can add enviornment variablesin your server to hide your API keys. All popular programming languages have default methods to acess the enviornment variables.
您可以在服务器中添加环境变量以隐藏 API 密钥。所有流行的编程语言都有访问环境变量的默认方法。
