# What to Commit to GitHub (Open Source)

Quick reference for what should and shouldn't be committed to the public GitHub repository.

## ✅ Safe to Commit

### Source Code

- ✅ All Ruby files (`app/`, `lib/`, `config/`)
- ✅ `Gemfile` and `Gemfile.lock`
- ✅ Controllers, models, views
- ✅ Migrations (don't contain secrets)
- ✅ Seeds (use fake/example data only)

### Configuration

- ✅ `config/database.yml` (uses ENV vars)
- ✅ `config/routes.rb`
- ✅ `config/environments/*.rb`
- ✅ `.env.example` (template only)
- ✅ `Dockerfile`
- ✅ `docker-compose.yml` (development version)

### Kubernetes

- ✅ `k8s/deployment.yaml` (with placeholder image)
- ✅ `k8s/service.yaml`
- ✅ `k8s/ingress.yaml`
- ✅ `k8s/configmap.yaml` (example values)
- ✅ `k8s/namespace.yaml`
- ✅ `k8s/migrate-job.yaml`
- ✅ `k8s/*.yaml.example` (all templates)
- ✅ `k8s/README.md`
- ✅ `k8s/GITEA_SETUP.md`

### GitHub Actions

- ✅ `.github/workflows/*.yml`
- ✅ `.github/SECRETS_SETUP.md`
- ✅ `.github/WHAT_TO_COMMIT.md` (this file!)

### Documentation

- ✅ `README.md`
- ✅ `LICENSE`
- ✅ `DEPLOYMENT.md`
- ✅ `API_DOCUMENTATION.md`
- ✅ All other `.md` files

### Assets

- ✅ JavaScript controllers
- ✅ CSS/Tailwind files
- ✅ Images, icons

### Testing

- ✅ `test/` directory
- ✅ Test fixtures
- ✅ `.rubocop.yml`

## ❌ Never Commit (Already Gitignored)

### Secrets & Credentials

- ❌ `.env` (actual environment variables)
- ❌ `k8s/secrets.yaml` (actual Kubernetes secrets)
- ❌ `config/master.key`
- ❌ `config/credentials/*.key`
- ❌ Any file containing passwords, tokens, or API keys

### Generated Files

- ❌ `log/*.log`
- ❌ `tmp/**`
- ❌ `public/assets/**` (compiled assets)
- ❌ `node_modules/`
- ❌ `coverage/`
- ❌ `.byebug_history`

### Database

- ❌ `*.sqlite3`
- ❌ Database dumps
- ❌ `dump.rdb`

### Local Environment

- ❌ `.DS_Store`
- ❌ `.idea/` (IDE files)
- ❌ `.vscode/`
- ❌ `*.swp`, `*.swo`

### Docker

- ❌ `docker-compose.override.yml` (local overrides)

## 🔍 Current .gitignore

Your `.gitignore` file already covers all sensitive files:

```gitignore
/.env
/.env.local
/config/master.key
k8s/secrets.yaml
k8s/sealed-secrets.yaml
```

These patterns prevent accidental commits of secrets.

## 🛡️ Double Check Before Pushing

Before pushing to GitHub, always verify:

```bash
# Check what will be committed
git status

# Review changes
git diff

# Ensure no secrets
grep -r "password\|token\|secret\|key" --include="*.rb" --include="*.yml" | grep -v ".example"
```

## ⚠️ If You Accidentally Commit a Secret

1. **Immediately revoke the secret** (regenerate token, change password)
2. Remove from git history:

   ```bash
   git filter-branch --force --index-filter \
     'git rm --cached --ignore-unmatch path/to/file' \
     --prune-empty --tag-name-filter cat -- --all
   ```

3. Force push: `git push origin main --force`
4. Rotate all credentials
5. Consider the secret compromised

Better: Use [BFG Repo-Cleaner](https://rtyley.github.io/bfg-repo-cleaner/) or GitHub's secret scanning.

## 📦 What Gets Built vs What Gets Committed

### Committed to GitHub (Source)

```
Source Code (.rb, .js, .css)
    ↓
Configuration Templates (.example files)
    ↓
Kubernetes Manifests (with placeholders)
    ↓
Documentation (.md files)
```

### Built by GitHub Actions (Artifacts)

```
Source Code
    ↓
Docker Build
    ↓
Docker Image
    ↓
Pushed to Gitea Registry (PRIVATE)
    ↓
Deployed to Kubernetes
```

## 🔄 Workflow

1. **Code** → Push to GitHub (public)
2. **GitHub Actions** → Build Docker image
3. **GitHub Actions** → Push to Gitea (private)
4. **Kubernetes** → Pull from Gitea
5. **Deploy** → Run your app

## ✨ Summary

| Item | GitHub | Gitea | k8s |
|------|--------|-------|-----|
| Source Code | ✅ Public | 🔄 Mirror | ❌ |
| Docker Images | ❌ | ✅ Private | 🔽 Pull |
| Secrets | ❌ | ❌ | ✅ Encrypted |
| Documentation | ✅ Public | 🔄 Mirror | ❌ |
| k8s Manifests | ✅ Templates | ❌ | ✅ Applied |

## Questions?

- "Can I commit database.yml?" → ✅ Yes (if it uses ENV vars, not hardcoded passwords)
- "Can I commit Dockerfile?" → ✅ Yes (it's build instructions, not secrets)
- "Can I commit my .env?" → ❌ NO! Use .env.example
- "Can I commit k8s/secrets.yaml?" → ❌ NO! Use secrets.yaml.example
- "Should I commit migrations?" → ✅ Yes
- "Should I commit seeds.rb?" → ✅ Yes (but use fake data, not real user data)

---

**Remember:** When in doubt, don't commit. You can always add files later, but removing secrets from history is painful.
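
The checks from "Double Check Before Pushing", automated as a Git `pre-commit` hook. This is an added example, not part of the original repository. It refuses staged files on the never-commit list and flags `.rb`/`.yml`/`.yaml` lines that assign a value to a secret-like key, while allowing values read from `ENV`. The function names and the `SECRET_RE` pattern are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not part of the original repo): pre-commit secret check.
# Save as .git/hooks/pre-commit and mark it executable.

# Paths the page lists under "Never Commit" (secrets, databases, overrides).
is_forbidden_path() {
  case "$1" in
    .env|.env.local|config/master.key|config/credentials/*.key) return 0 ;;
    k8s/secrets.yaml|k8s/sealed-secrets.yaml) return 0 ;;
    docker-compose.override.yml|*.sqlite3|dump.rdb) return 0 ;;
  esac
  return 1
}

# Heuristic (assumption): a secret-like key assigned a value on the same line.
SECRET_RE='(password|token|secret|api_key|secret_key_base)"?[[:space:]]*[:=][[:space:]]*[^[:space:]]'

# Reads file content on stdin, prints "lineno:line" for each suspicious line.
# Lines that read the value from ENV (the pattern the page allows) are skipped.
find_hardcoded_secrets() {
  grep -inE "$SECRET_RE" | grep -v 'ENV'
}

# Checks every staged (added/copied/modified) file; returns 1 on any finding.
scan_staged() {
  findings=$(git diff --cached --name-only --diff-filter=ACM |
    while IFS= read -r f; do
      if is_forbidden_path "$f"; then
        echo "forbidden file: $f"
        continue
      fi
      case "$f" in *.rb|*.yml|*.yaml) ;; *) continue ;; esac
      # ":path" names the staged blob, so the scan sees what will be committed.
      git show ":$f" | find_hardcoded_secrets |
        while IFS= read -r hit; do printf '%s:%s\n' "$f" "$hit"; done
    done)
  [ -z "$findings" ] && return 0
  printf 'Commit blocked:\n%s\n' "$findings" >&2
  return 1
}

# Run only when installed as the hook, so the functions can also be sourced.
case "$0" in
  */pre-commit) scan_staged || exit 1 ;;
esac
```

The hook complements `.gitignore` by also catching files staged with `git add -f`; the pattern match is a heuristic and does not replace reviewing `git diff`.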