I have created a new flutter mobile app project which I'd like to open souce on GitHub, but there's some sensitive information that I shall not make available publicly because although the code itself will be open, I still need to be the one responsible for publishing the app oficial version.
The code being public will of course allow people to contribute on the development, but I don't want to run the risk of allowing anyone to sign their unofficial versions of the app with my key and sending it to the stores as if it was me publishing the app. Also, I want to use an error reporting service to track the app bugs, but I don't want to make the access token visible on the source code of the app, or else anyone could just copy this access token and start sending errors which would be reported as being sent from my oficial app.
What would be the best approach to solve this problem?
I think it could work to keep the sensitive information stored in a side private repository, and then setup a build process to look for the files in the private repository (which just I would have access to). If the private repository is not available on the current building machine, then the code would be built using some placeholder text which would then prevent people from authenticating to this service with my access token. The contributing developer would then be responsible to provide his/her own access token or to comment out the code, whatever works best for him/her while working with the app source code.
The above is still just a thought and I don't know if it would be be best way to do this, but I surely need some way to open source my code while still being in full control of releasing the oficial versions of the app.
Does someone have experience or ideas with this to help me out?
The easiest way to do to this is to use some sort of configuration file or environment variable during the build process for publication, defaulting to some example values. Ideally the app will still work without reporting errors if no token is specified; that's the usual approach for development.
If you use a CI system, you can store those credentials in your CI system's secret store and use them for building and signing when you're doing a production release.