version control - What is best practice for keeping secrets out of a git repository?

Question

Problem

Consider this file tree as my development repository.

 - foo/
   - .git/
     - [...]
   - bar/
     - backupclient.py
   - supersecretstoragecredentials.ini

For development, supersecretstoragecredentials.ini needs to be filled in with valid credentials - while I still have to keep a clean version of it in the repository so that other users can easily set their credentials.

Possible solutions

1. .gitignore supersecretstoragecredentials.ini and create a supersecretstoragecredentials.ini-example,
   1. instruct the user to copy supersecretstoragecredentials.ini-example to supersecretstoragecredentials.ini.
2. Add an overriding config file location in backup.py which is ignored by git, e.g. supersecretstoragecredentials_local.ini.

As kan pointed out, these two solutions are similar but not entirely the same, workflow-wise.

are there any other alternatives? Does git possess some kind of functionality to assist with this kind issues?

Answer 1

Check in the supersecretstoragecredentials.ini file with some placeholder values and then

git update-index --assume-unchanged supersecretstoragecredentials.ini

Git will not track future changes to this file.

You can reset this using

git update-index --no-assume-unchanged supersecretstoragecredentials.ini