Git

Lesson 09

.gitignore and secret safety

Keep generated files and secrets out of version control, and remove tracked secrets from the index immediately.

Good Code

secret-safety.sh
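# Prevent local secrets and generated output from being staged.
printf ".env\n.env.local\ndist/\nnode_modules/\n" >> .gitignore
# Stop tracking the already-committed .env; the working-tree copy stays on disk.
git rm --cached .env
# Confirm what is staged before committing.
git status --short
git add .gitignore
git commit -m "ignore local secrets and build output"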

Bad Code

secret-safety.sh
# Adding everything can publish secrets or local machine state.
git add .
git commit -m "add config"
git push

Review Notes

What to review

Good Code

The good version ignores local secret files and removes an already-tracked secret from the index before committing.

Bad Code

The bad version stages every file, which can include credentials, generated artifacts, editor files, or local environment settings.

Takeaways

  • A repository should make accidental secret and build artifact commits hard to create and easy to catch.
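
One way to make such commits easy to catch, as an added example that is not part of the original lesson: a pre-commit hook that refuses to commit staged paths matching the lesson's .gitignore entries. The function names blocked_paths and check_staged are assumptions of this example, and the hook is assumed to be installed as .git/hooks/pre-commit.

```shell
#!/bin/sh
# Added example (not from the lesson): pre-commit guard for secret and build paths.
# Assumed install: save as .git/hooks/pre-commit and make it executable.

# Read paths from stdin, one per line, and print those that match the
# lesson's ignore entries: .env, .env.local, dist/, node_modules/.
# As in .gitignore, the names match at any directory depth.
blocked_paths() {
    while IFS= read -r path; do
        case "$path" in
            .env|*/.env|.env.local|*/.env.local) printf '%s\n' "$path" ;;
            dist/*|*/dist/*|node_modules/*|*/node_modules/*) printf '%s\n' "$path" ;;
        esac
    done
}

# Return 0 when the staged list on stdin is clean, 1 when a blocked path is staged.
check_staged() {
    hits=$(blocked_paths)
    if [ -n "$hits" ]; then
        printf 'Refusing to commit secret or generated paths:\n%s\n' "$hits" >&2
        printf 'Unstage them with "git rm --cached <path>" and retry.\n' >&2
        return 1
    fi
    return 0
}

# Inspect the real index only when this file runs as the installed hook.
if [ "${0##*/}" = "pre-commit" ]; then
    git diff --cached --name-only --diff-filter=ACMR | check_staged
fi
```

Removing a file from the index does not remove it from earlier commits, so a credential that was ever committed should be rotated.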