I'm working in a team that uses a private GitHub repository for our project. I wanted to know if it's safe to push API keys in the app settings, or should I just message my colleague to get the keys instead?
5 Answers
Realistically, while some might push keys, it's a bad practice. You should never store keys on servers you don’t control, and it’s better to separate your configuration from your code.
You really want to avoid committing any keys or secrets. Look into using tools like HashiCorp's Vault for managing secrets. It’s a solid way to secure your keys.
In a perfect world, each team member would have unique API keys, but that can be tough to manage. If you have a lot of changes, that might create more issues for your workflow.
No way! GitHub offers solutions like environment variables and secrets specifically for this reason. Use those instead of hardcoding anything important.
Definitely not! You should never push API keys to any repository, even if it's private. A better option would be to use a secrets manager to handle sensitive information. This way, you keep your keys secure and avoid leaks.
Agreed! It's much safer to keep API keys out of the repo completely. Secrets managers are designed for this.
Exactly! Keeping them out of your codebase makes things easier when moving between environments.