This post describes how to take a private Django project and release it as open source on Github without giving away your secret key, your database passwords, or other sensitive information. Different people do their Django configuration in different ways for some reason, so if you want to do it differently, that’s fine.
The situation I had was as follows: I made a new Django project and hosted it as a private repo on Github. I wanted to share the code, but my settings.py file had the secret key Django autogenerates when you make the project, along with other sensitive information: public and private keys issued by Twitter as the app used Twitter OAuth for authentication, and the production database.
There are at least two issues here:
- How to handle database passwords in your Django application when the repo will be public
- How to remove the Git commit history in which sensitive information was committed
Making a place for secrets to live in
The thing about Django’s default settings file is that it mixes non-sensitive configuration information with sensitive passwords and keys. Why? Why? Whatever. The approach I took was the following:
- Segregate the sensitive information in settings.py into a new file, settings_secret.py.
- Import the secret information from settings_secret.py into settings.py.
- Copy settings_secret.py into a new file, settings_secret.py.template, with the values replaced by dummy ones so that people who use your code can fill them in as needed.
Depending on your deployment setup, you can then take the next logical steps to settings_secret.py on your production setup.
There are other ways of doing this. They are fine. If it works, fine. But at this point we have a settings.py free of secret information.
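The split described above, as an added example rather than the post's own code: settings_secret.py holds the real values, settings_secret.py.template holds dummy ones and is what gets committed, and the loader refuses to start when the secrets file is missing or still contains the template placeholders (a common mistake after copying the template). The file names are the post's; REQUIRED_SECRETS, TEMPLATE_VALUES and the helper functions are assumptions made for this illustration.

```python
"""Added example, not the post's own code: keep Django secrets out of settings.py.

The file names settings_secret.py and settings_secret.py.template come from the
post; REQUIRED_SECRETS, TEMPLATE_VALUES and the helper functions are assumptions
made for this illustration.
"""
import importlib.util
import tempfile
from pathlib import Path

# Names that settings.py expects settings_secret.py to define (assumed set).
REQUIRED_SECRETS = ("SECRET_KEY", "DATABASE_PASSWORD",
                    "TWITTER_CONSUMER_KEY", "TWITTER_CONSUMER_SECRET")

# Dummy values written to the committed template. They double as a blocklist:
# a real settings_secret.py must not still contain any of them.
TEMPLATE_VALUES = {
    "SECRET_KEY": "CHANGE-ME-django-secret-key",
    "DATABASE_PASSWORD": "CHANGE-ME-db-password",
    "TWITTER_CONSUMER_KEY": "CHANGE-ME-twitter-key",
    "TWITTER_CONSUMER_SECRET": "CHANGE-ME-twitter-secret",
}


def render_template() -> str:
    """Text of settings_secret.py.template: every secret set to its dummy value."""
    lines = ["# Copy to settings_secret.py and fill in real values. Never commit that copy."]
    lines += [f'{name} = "{TEMPLATE_VALUES[name]}"' for name in REQUIRED_SECRETS]
    return "\n".join(lines) + "\n"


def validate_secrets(values: dict) -> list:
    """Problems with a loaded secrets dict: missing names or untouched placeholders."""
    problems = []
    for name in REQUIRED_SECRETS:
        if name not in values:
            problems.append(f"{name} is missing")
        elif values[name] == TEMPLATE_VALUES[name]:
            problems.append(f"{name} still has the template placeholder value")
    return problems


def load_secrets(directory) -> dict:
    """Import settings_secret.py from `directory` the way settings.py would, and
    refuse to start on a missing file or placeholder values instead of failing later."""
    path = Path(directory) / "settings_secret.py"
    if not path.exists():
        raise RuntimeError(f"{path} not found: copy settings_secret.py.template to settings_secret.py")
    spec = importlib.util.spec_from_file_location("settings_secret", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    values = {n: getattr(module, n) for n in REQUIRED_SECRETS if hasattr(module, n)}
    problems = validate_secrets(values)
    if problems:
        raise RuntimeError("settings_secret.py is not ready: " + "; ".join(problems))
    return values


def gitignore_covers_secrets(directory) -> bool:
    """True if .gitignore lists settings_secret.py, so it cannot be committed by accident."""
    gitignore = Path(directory) / ".gitignore"
    if not gitignore.exists():
        return False
    return "settings_secret.py" in [line.strip() for line in gitignore.read_text().splitlines()]


def run_demo() -> dict:
    """Walk through the setup in a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "settings_secret.py.template").write_text(render_template())
        # A fresh clone of the public repo has only the template: loading must fail loudly.
        try:
            load_secrets(root)
            template_only_ok = True
        except RuntimeError:
            template_only_ok = False
        # Copying the template verbatim is a classic mistake; placeholders are rejected too.
        (root / "settings_secret.py").write_text(render_template())
        try:
            load_secrets(root)
            placeholders_accepted = True
        except RuntimeError:
            placeholders_accepted = False
        # Constructed "real" values load, and .gitignore keeps the file out of the repo.
        (root / "settings_secret.py").write_text(
            'SECRET_KEY = "constructed-example-key-not-for-real-use"\n'
            'DATABASE_PASSWORD = "constructed-db-password"\n'
            'TWITTER_CONSUMER_KEY = "constructed-twitter-key"\n'
            'TWITTER_CONSUMER_SECRET = "constructed-twitter-secret"\n'
        )
        (root / ".gitignore").write_text("settings_secret.py\n*.pyc\n")
        secrets = load_secrets(root)
        return {
            "template_only_ok": template_only_ok,
            "placeholders_accepted": placeholders_accepted,
            "loaded_names": sorted(secrets),
            "gitignored": gitignore_covers_secrets(root),
        }
```

In settings.py the usage is then a couple of lines such as `_secrets = load_secrets(os.path.dirname(__file__))`, `SECRET_KEY = _secrets["SECRET_KEY"]` and `DATABASES["default"]["PASSWORD"] = _secrets["DATABASE_PASSWORD"]`, so the committed file never contains a real value. Listing settings_secret.py in .gitignore is the check that keeps the next `git add .` from putting the secrets straight back into the repo.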
Now we need to clear our Git commit history of sensitive information.
Rewriting Git history
- Make a backup copy of your newly scrubbed settings.py outside the repo. You might want to make a backup copy of the entire repo if you are bad at Git the way I am.
- Follow Github’s steps for removing sensitive data with your settings.py file as the file of interest. This will remove every mention of settings.py from your commit history.
- Copy your clean settings.py file into your repo.
At this point you should have a repo that can be released as open source without revealing any sensitive information.
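A rehearsal of the history rewrite, added here as an example and not taken from the post or from Github's page: it builds a throwaway repo whose history contains a constructed dummy secret in settings.py, runs the filter-branch recipe Github documents for removing a file from every commit, cleans up the backup refs and reflog so the old objects can be garbage collected, and then checks every reachable commit for the secret string, which is the verification step worth doing before you flip the repo to public. It assumes `git` is on PATH; the helper names and the dummy secret are constructed for this illustration.

```python
"""Added example, not the post's own code: rehearse Github's "remove sensitive data"
steps on a throwaway repository and confirm no reachable commit still holds the secret.
Assumes `git` is on PATH. The secret string and file contents are constructed."""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

DUMMY_SECRET = "constructed-dummy-secret-do-not-use"  # constructed, not a real key
GIT_AVAILABLE = shutil.which("git") is not None

# Newer git versions pause with a warning before filter-branch unless this is set.
GIT_ENV = dict(os.environ, FILTER_BRANCH_SQUELCH_WARNING="1")


def git(repo, *args, check=True) -> subprocess.CompletedProcess:
    """Run one git command inside `repo` and capture its output."""
    return subprocess.run(["git", "-C", str(repo), *args], check=check,
                          env=GIT_ENV, capture_output=True, text=True)


def make_leaky_repo(root) -> Path:
    """Two commits, both carrying a settings.py that contains the secret."""
    repo = Path(root) / "project"
    repo.mkdir()
    git(repo, "init", "-q")
    git(repo, "config", "user.email", "example@example.invalid")
    git(repo, "config", "user.name", "Example")
    (repo / "settings.py").write_text(f'SECRET_KEY = "{DUMMY_SECRET}"\n')
    (repo / "app.py").write_text('print("hello")\n')
    git(repo, "add", ".")
    git(repo, "commit", "-q", "-m", "initial commit, secret included")
    (repo / "settings.py").write_text(f'SECRET_KEY = "{DUMMY_SECRET}"\nDEBUG = True\n')
    git(repo, "commit", "-q", "-am", "tweak settings")
    return repo


def commits_containing(repo, needle) -> int:
    """Number of commit/file pairs on any ref in which `needle` still appears."""
    revs = git(repo, "rev-list", "--all").stdout.split()
    if not revs:
        return 0
    # git grep exits 1 when nothing matches, so that is not an error here.
    out = git(repo, "grep", "-l", "-F", "-e", needle, *revs, check=False).stdout
    return len(out.splitlines())


def scrub_file_from_history(repo, filename) -> None:
    """Github's filter-branch recipe: drop `filename` from every commit on every ref,
    then delete the refs/original/ backups and expire the reflog so the old objects
    can actually be garbage collected rather than lingering in .git."""
    git(repo, "filter-branch", "--force", "--index-filter",
        f"git rm --cached --ignore-unmatch {filename}",
        "--prune-empty", "--tag-name-filter", "cat", "--", "--all")
    backups = git(repo, "for-each-ref", "--format=%(refname)", "refs/original/").stdout.split()
    for ref in backups:
        git(repo, "update-ref", "-d", ref)
    git(repo, "reflog", "expire", "--expire=now", "--all")
    git(repo, "gc", "--prune=now", "--quiet")


def run_demo():
    """Leak count before the rewrite, after it, and after the clean settings.py is
    committed again (step 3 of the post). Returns None when git is not installed."""
    if not GIT_AVAILABLE:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        repo = make_leaky_repo(tmp)
        before = commits_containing(repo, DUMMY_SECRET)
        scrub_file_from_history(repo, "settings.py")
        after = commits_containing(repo, DUMMY_SECRET)
        (repo / "settings.py").write_text("from settings_secret import *\nDEBUG = True\n")
        git(repo, "add", "settings.py")
        git(repo, "commit", "-q", "-m", "add scrubbed settings.py")
        return {"before": before, "after": after,
                "after_readd": commits_containing(repo, DUMMY_SECRET)}


if __name__ == "__main__":
    print(run_demo())
```

The `commits_containing` check is the part to keep around: run it with the real secret values after the rewrite and before pushing, since a stray branch or tag that filter-branch did not cover would still carry them. Rewriting history also only removes the values from your copy; anything that was already pushed to Github may have been fetched by someone else, so the Django secret key and the Twitter keys should be regenerated regardless.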
Again, you might have a better way of doing this, but this wasn’t obvious to me, so I figured I’d jot down what I did as most answers on StackOverflow ignore the issue of how to deal with sensitive information in Git repo histories.
Patrick Thomson and Github helped me figure this out. Many thanks to both of them because holy cow is this stuff confusing.
Warren Henning (@fearofcode)