Should I use gitignore or "your-api-key-here" to hide api key on Github?

Question

I finished a project that contains an API Key and I want to upload it to Github. I want to be careful not to expose the API Key on Github.

Two methods I've discovered are

1. Using .gitignore to hide the file(s) containing sensitive information
2. Simply changing the API Key value to "YOUR-API-KEY-HERE" before uploading to Github. Like so:

ApiKey="YOUR-API-KEY-HERE"

Questions

If the file containing my API Key is 'hidden' in gitignore and I upload my project to Github, will this cause my project to not function properly by anyone who downloads it because the project can't find the 'hidden' API Key? If someone looks at my project on Github, are the 'hidden' files inaccessible to them?

In which cases should I use Gitignore or the "YOUR-API-KEY-HERE" method?

Answer 1

Typically, other individuals who download your code will need to acquire their own API key to make your project run (depending on how your project is setup). They will then add the API Key to their fork (as a secret) or local repository on their machine.

You can securely store your API key as a "Secret" in your GitHub repository by going to:

1. Settings tab at top of your repo
2. Secrets option near bottom of left-most column
3. New Repository Secret
4. Enter the variable name for your API Key in the Name field

example: SECRET_API_KEY

5. Enter your API Key value into the Value field.
6. Add Secret

Now you just need to ensure that your project references the SECRET_API_KEY variable.

Note: Other individuals will not be able to access this Secret. Only you, as repo owner, can access this key. Other developers will need to acquire their own API key and store it as a secret in their fork of your project.