This repository has been archived by the owner on Nov 14, 2022. It is now read-only.

Best practice for securing passwords on public repository? #12

Closed
giesberge opened this issue Apr 4, 2019 · 4 comments

Comments

@giesberge

What would be the best practice for securing passwords on deploying from a public repository?

@tiangolo
Owner

tiangolo commented Apr 9, 2019

Probably putting the passwords in CI environment variables. Or removing the env files with passwords from git, and copying them by hand at deployment.

But if you are using a CI/CD system like GitLab, Travis, Drone, Jenkins, etc. you can probably set the passwords as environment variables of the deployment in a way that is private to the account handling the CI/CD, even if it's connected to a public repo.

@giesberge
Author

I did the CI environment variables option.

I placed the following into my build and deploy scripts.

echo "COUCHBASE_PASSWORD=${COUCHBASE_PASSWORD}" >> env-couchbase.env

@tiangolo
Owner

tiangolo commented Apr 14, 2019

Cool! That works.

Also, you can pass environment variables directly in Docker Compose, using environment. You don't have to use the environment files (if you don't want to).

And in Docker Compose, the value of the environment variables can also be read by Docker Compose itself from environment variables. That way you could pass them to your app through Docker, without ever having them written to disk.
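
The approach described in the comment above, as an added example that is not part of the original thread or the project's own configuration. The service name and image are assumptions; `COUCHBASE_PASSWORD` and `env-couchbase.env` are the names used in the thread.

```yaml
# docker-compose.yml fragment (added example).
# "backend" and its image are hypothetical names used for illustration.
services:
  backend:
    image: example/backend:placeholder

    # Before: the deploy script appends the secret to env-couchbase.env,
    # so the password is written to a file in the CI workspace or on the host.
    # env_file:
    #   - env-couchbase.env

    # After: Compose interpolates the value from the environment of the
    # process that runs Compose (for example the CI job's private variable),
    # so no env file containing the password has to exist on disk.
    # The ":?" form makes Compose abort with this message when the variable
    # is unset or empty, instead of starting the service with a blank password.
    environment:
      COUCHBASE_PASSWORD: "${COUCHBASE_PASSWORD:?set COUCHBASE_PASSWORD in the CI/CD settings}"
```

The value is still readable through `docker inspect` by anyone with access to the Docker daemon, and `docker-compose config` prints the interpolated value, so that command should stay out of CI job output on a public repository.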

@github-actions

Assuming the original issue was solved, it will be automatically closed now. But feel free to add more comments or create new issues.
