How save or safately avoid the key of Social Networks like Facebook or LinkedIn in GitHub

Question

Some tutorials recommend don´t save a key in GitHub for security reasons, they to keep the file in .gitignore but for example some Social Networks like Facebook or Linkedin create a key in Info.plist file.

The Info.plist contains many others settings of the app and must be commit.

How can I keep in safe my key and commit the Info.plist normally.

Example of Info.plist (CFBundleURLSchemes and FacebookAppID)

<key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>fb355414950742780</string>
            </array>
        </dict>
    </array>
<key>FacebookAppID</key>
<string>355414950742780</string>

Answer 1

It is too risky to try and never push the Info.plist file.
It is safer to not version it (git rm --cached <File>, and added to the .gitignore)

Then you can use a content filter driver, using using .gitattributes declaration:

Register a smudge script, which will generate the file with sensitive information on git checkout.

^{(image from "Customizing Git - Git Attributes", from "Pro Git book")}

That 'smudge' script( that you have to write) would need to:

• fetch the key (from a source outside the repo, that way no risk to add and push by mistake)
• generate the Info.plist file, using a tracked template Info.plist.tpl with placeholder value in it to replace.

That means:

• the template Info.plist.tpl is added to the git repo
• the generate file Info.plist is declared in the .gitignore file and never versioned (and never pushed).