Topic: Best practices for open sourcing your rails app and using git

I want to:

* Use git as my version control
* Work in development branches and merge them into master
* Frequently push changes to a public, open source git repository (e.g. GitHub)
* Be able to deploy to Heroku

The problem:

By default, any secrets (e.g. "config/initializers/secret_token.rb") are present in my repository. Simply including them in .gitignore makes deploying to Heroku difficult, as Heroku needs to compile their slug from a branch of my git repository (and those secret files need to be present).

Looking at this link (http://groups.google.com/group/heroku/b … 9204c70574), the solution is to include secret files in the .gitignore of the Master branch, and then create a Deploy branch that does not ignore secret files. You work in Master, and then when you're ready to deploy, you do the following:

git checkout deploy
git merge master
git push heroku deploy:master

This seems like an OK solution, but it breaks when you want to work on a local server. Because your Master or Development/Topic branches do not include any secret files, running:

rails server

Will produce the following error:

A secret is required to generate an integrity hash for cookie session data. Use config.secret_token = "some secret phrase of at least 30 characters"in config/application.rb

I can't just check out the Deploy branch, because then I won't be able to edit code while the server is running.

So my solution for now is to have a Master branch that contains everything (plus other development branches) and then a Public branch created like so:

git checkout -b public
git rm some_secret_file
git filter-branch --index-filter 'git update-index --remove some_secret_file' public
echo "some_secret_file" >> .gitignore
git add .gitignore
git commit -m "remove secret files"
git remote add origin git@git.......
git push origin public

Then when hacking away:

git checkout master
# do something nifty
git add something
git commit -m "add something nifty"
git checkout public
git merge master
git push origin public

I think this basically solves the problem, but I'm concerned that if I ever modify .gitignore in master and then merge it into public, the secret files will somehow sneak onto GitHub.

This scenario seems common, but I have yet to find any information on it. Does this setup seem reasonable? Has anyone found a better way to do this?

Thanks much!

Last edited by th.edore (2010-07-11 17:24:19)

Re: Best practices for open sourcing your rails app and using git

I've handled secrets on Heroku using Heroku's config variables.  This requires tweaking the Rails configuration code to read an environment variable, and then setting the environment variable in production and development.

In the rails configuration:

config.secret_token = ENV['MYAPP_SECRET_TOKEN']

You could improve that by, for example, raising an exception if the environment variable is empty.

Then, to configure your Heroku app, run the heroku config command:

$ heroku config:set MYAPP_SECRET_TOKEN=some-random-secret

In a development environment, simply set the environment variable in your shell:

$ export MYAPP_SECRET_TOKEN=some-random-secret

If you have many variables, you might wish to save the export command(s) in a file that is gitignored and source it:

$ source secret_variables.sh

Since the secrets are never checked in anywhere, you eliminate the risk of accidentally merging them into the wrong branch.

Last edited by marcelcary (2013-01-03 13:44:44)
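
The fail-fast check suggested in the reply above, as an added example that is not part of the original posts. The helper names, the error class and the choice to enforce the 30-character minimum from the Rails error message quoted earlier in the thread are assumptions made for this example; only MYAPP_SECRET_TOKEN comes from the thread.

```ruby
# Added example, not code from the thread.
# Reads the session secret from the environment and refuses to boot with a
# missing, blank or short value instead of silently running with a weak secret.
require 'securerandom'

# Hypothetical error class for this example.
class MissingSecretError < StandardError; end

# Minimum length taken from the Rails error message quoted in the first post.
MIN_SECRET_LENGTH = 30

# env is injectable so the check can be exercised without touching the real ENV.
def fetch_secret_token(env = ENV, key = 'MYAPP_SECRET_TOKEN')
  value = env[key]

  if value.nil? || value.strip.empty?
    raise MissingSecretError,
          "#{key} is not set; export it locally or use `heroku config:set #{key}=...`"
  end

  if value.length < MIN_SECRET_LENGTH
    # Report only the length, never the value, so the secret cannot leak via logs.
    raise MissingSecretError,
          "#{key} is too short (#{value.length} characters, need at least #{MIN_SECRET_LENGTH})"
  end

  value
end

# Produces a value suitable for the variable: 64 random bytes, hex-encoded
# (128 characters), from the OS-backed CSPRNG.
def generate_secret_token
  SecureRandom.hex(64)
end

# Intended use in config/initializers/secret_token.rb (the Rails side is not
# exercised here):
#   config.secret_token = fetch_secret_token
```

The placeholder value `some-random-secret` used in the commands above is 18 characters long, so this check rejects it; a value from `generate_secret_token` passes.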