aboutsummaryrefslogtreecommitdiff
path: root/README
blob: f50f0b21b72e561eb48cd3eaf0c28edaf347fb9a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Bootstrap secrets management in a project.

Problem: Secrets (e.g., passowrds, API keys) get accidentaly commited and are
leaked when a repository becomes public.

Solution:

secrets.sh.example  defines variable names
secrets.sh          defines secret values
run.sh              sources secrets
.gitignore          exclude secrets.sh

Rationale
=========

People are lazy.  The less steps the better.  So, `run.sh` should create
`secrets.sh` out of `secrets.sh.example`, and nd tell the user to modify it.

This flow is simple and portable.  No unreliable dependencies like:

https://pypi.org/project/python-dotenv/  for the people that cannot use os.environ
https://www.npmjs.com/package/dotenv

People often use these tools because they don't know shell scripting.  Here's a
quick reminder

```sh
foo=somevalue
./run           # does not receive foo
foo=anothervalue ./run    # passes foo only for ./run
export foo      # mark variable for automatic export
export -n foo   # remove export mark
unset foo       # delete variable, alongside any marks

set | grep foo    # check local variables
env | grep foo    # check variables marked for automatic export to the environment of subsequently executed commands


# shell built-ins
help export
help unset

# external programs
man env

# Shell built-ins take precedence over any external program with the same name.
```