I have an AppEngine Classic application written in Go, and as part of this, I have a number of keys which I would like to not have in the code repo.
I would like to have default keys in the repo for testing purposes, but keep the production keys secret. I know I can specify which files not to upload to the repo with my .gitignore file. However, I'm not sure what the best way to do this is so that other developers can build and tests the code without access to the file file.
What is the most practical way to keep keys out of the repo, while still having the code compile and test when the file with the keys is not present?
Since you want default (test) keys in the repo so others can test your code, but you want to keep your private keys secret (out of the repo), I'd go with the solution to have 2 separate folders, one for the test keys, one for the private keys.
Obviously the private keys folder could go to .gitignore (and so will be kept out of repo), and you can decide the keys folder at runtime by a logic.
The easiest logic would be to look for the private keys folder first (which will only exist in your computer), and if it doesn't exist, proceed with the test keys folder.
You can spice up this logic e.g. with allowing with a cmd flag or env variable to bypass the private keys folder even if it exists. It would also be reasonable to only look for the private keys folder in production environment.
But beware of / be aware that production code can be downloaded e.g. with the following command:
appcfg.py download_app -A <your_app_id> -V <your_app_version> <output-dir>
Only the developer who uploaded the code and the application owner(s) can download it.
See more info about this here: Downloading Your Source Code