turbovault-app/.github/WHAT_TO_COMMIT.md

What to Commit to GitHub (Open Source)

Quick reference for what should and shouldn't be committed to the public GitHub repository.

✅ Safe to Commit

Source Code

• ✅ All Ruby files (app/, lib/, config/)
• ✅ Gemfile and Gemfile.lock
• ✅ Controllers, models, views
• ✅ Migrations (don't contain secrets)
• ✅ Seeds (use fake/example data only)

Configuration

• ✅ config/database.yml (uses ENV vars)
• ✅ config/routes.rb
• ✅ config/environments/*.rb
• ✅ .env.example (template only)
• ✅ Dockerfile
• ✅ docker-compose.yml (development version)

Kubernetes

• ✅ k8s/deployment.yaml (with placeholder image)
• ✅ k8s/service.yaml
• ✅ k8s/ingress.yaml
• ✅ k8s/configmap.yaml (example values)
• ✅ k8s/namespace.yaml
• ✅ k8s/migrate-job.yaml
• ✅ k8s/*.yaml.example (all templates)
• ✅ k8s/README.md
• ✅ k8s/GITEA_SETUP.md

GitHub Actions

• ✅ .github/workflows/*.yml
• ✅ .github/SECRETS_SETUP.md
• ✅ .github/WHAT_TO_COMMIT.md (this file!)

Documentation

• ✅ README.md
• ✅ LICENSE
• ✅ DEPLOYMENT.md
• ✅ API_DOCUMENTATION.md
• ✅ All other .md files

Assets

• ✅ JavaScript controllers
• ✅ CSS/Tailwind files
• ✅ Images, icons

Testing

• ✅ test/ directory
• ✅ Test fixtures
• ✅ .rubocop.yml

❌ Never Commit (Already Gitignored)

Secrets & Credentials

• ❌ .env (actual environment variables)
• ❌ k8s/secrets.yaml (actual Kubernetes secrets)
• ❌ config/master.key
• ❌ config/credentials/*.key
• ❌ Any file containing passwords, tokens, or API keys

Generated Files

• ❌ log/*.log
• ❌ tmp/**
• ❌ public/assets/** (compiled assets)
• ❌ node_modules/
• ❌ coverage/
• ❌ .byebug_history

Database

• ❌ *.sqlite3
• ❌ Database dumps
• ❌ dump.rdb

Local Environment

• ❌ .DS_Store
• ❌ .idea/ (IDE files)
• ❌ .vscode/
• ❌ *.swp, *.swo

Docker

• ❌ docker-compose.override.yml (local overrides)

🔍 Current .gitignore

Your .gitignore file already covers all sensitive files:

/.env
/.env.local
/config/master.key
k8s/secrets.yaml
k8s/sealed-secrets.yaml

These patterns prevent accidental commits of secrets.

🛡️ Double Check Before Pushing

Before pushing to GitHub, always verify:

# Check what will be committed
git status

# Review changes
git diff

# Ensure no secrets
grep -r "password\|token\|secret\|key" --include="*.rb" --include="*.yml" | grep -v ".example"

⚠️ If You Accidentally Commit a Secret

1. Immediately revoke the secret (regenerate token, change password)
2. Remove from git history:

   git filter-branch --force --index-filter \
     'git rm --cached --ignore-unmatch path/to/file' \
     --prune-empty --tag-name-filter cat -- --all
   

3. Force push: git push origin main --force
4. Rotate all credentials
5. Consider the secret compromised

Better: Use BFG Repo-Cleaner or GitHub's secret scanning.

📦 What Gets Built vs What Gets Committed

Committed to GitHub (Source)

Source Code (.rb, .js, .css)
    ↓
Configuration Templates (.example files)
    ↓
Kubernetes Manifests (with placeholders)
    ↓
Documentation (.md files)

Built by GitHub Actions (Artifacts)

Source Code
    ↓
Docker Build
    ↓
Docker Image
    ↓
Pushed to Gitea Registry (PRIVATE)
    ↓
Deployed to Kubernetes

🔄 Workflow

1. Code → Push to GitHub (public)
2. GitHub Actions → Build Docker image
3. GitHub Actions → Push to Gitea (private)
4. Kubernetes → Pull from Gitea
5. Deploy → Run your app

✨ Summary

Item	GitHub	Gitea	k8s
Source Code	✅ Public	🔄 Mirror	❌
Docker Images	❌	✅ Private	🔽 Pull
Secrets	❌	❌	✅ Encrypted
Documentation	✅ Public	🔄 Mirror	❌
k8s Manifests	✅ Templates	❌	✅ Applied

Questions?

• "Can I commit database.yml?" → ✅ Yes (if it uses ENV vars, not hardcoded passwords)
• "Can I commit Dockerfile?" → ✅ Yes (it's build instructions, not secrets)
• "Can I commit my .env?" → ❌ NO! Use .env.example
• "Can I commit k8s/secrets.yaml?" → ❌ NO! Use secrets.yaml.example
• "Should I commit migrations?" → ✅ Yes
• "Should I commit seeds.rb?" → ✅ Yes (but use fake data, not real user data)

---

Remember: When in doubt, don't commit. You can always add files later, but removing secrets from history is painful.