I’m working on a project developed with Wappler (frontend + backend), and I’d like to push it to my GitHub repository.
I would appreciate your help with the following questions:
Which files/folders should I definitely exclude from the repository? (e.g., connections, config.json, etc.)
How can I securely store sensitive data like database credentials or SMTP info? (e.g., using .env or secrets management)
If I’ve already committed sensitive data by mistake, how can I remove it from my repo history?
Could you please share an example of a proper .gitignore and .env.example file for a Wappler project?
ENV files. The default .gitignore that Wappler creates has a good minimum config.
You can configure SMTP, DB and almost all other sensitive info using ENV variables - which is how you should do it as well.
There is only one caveat - DB Manager.
Wappler needs plain text connection details for the DB manager, and it stores these plaintext values in the .wappler folder - which is NOT EXCLUDED from Git by default.
If you do ignore this folder, when you clone the folder in future, you will lose Wappler related target and other settings.
@Teodor Please correct me if I am wrong about this. Maybe something has changed and I might have missed it.
The most reliable way would be to delete your repo, and create a new one with the same name or new name.
There are ways to remove things from the Git commit tree, but it's complex and I haven’t tried it ever.
As mentioned above, the default that Wappler creates is good enough.
env.example should represent your ENV as is, just without the values - only keys.
You might discover Wappler has a weird ENV implementation, as environment variables are an afterthought. Even if you put the DB credentials in a .env, the Wappler editor itself needs the password in a JSON file (outside .env) for the database manager*. So, you might want to .gitignore a certain folder inside .wappler. In my experience, you'll end up trying to do it the right way, and end up with a half right-way.
* my assumption, I haven't personally tested environment variables in that particular scenario
The majority of people here use GitHub as a backup solution, and secrets get pushed to the repo. This is not an industry best practice, but it's what the majority does here.
Depending on what the data is, if it’s passwords then the easiest way is to reset all the passwords so they are no longer of any use. Then make sure they’re not included in the repo.
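An added example, not part of any post above and not Wappler's own code: it derives a keys-only .env.example from a .env, as the first answer describes, and flags plaintext secret-looking fields in JSON of the kind both answers say ends up under .wappler. The sample inputs, the JSON layout and the list of secret-looking key names are constructed assumptions.

```python
import json
import re

# KEY=value lines, optionally prefixed with "export ".
ENV_LINE = re.compile(r"^\s*(export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")
# JSON key names treated as secret-bearing (an assumption; extend for your project).
SECRET_KEY = re.compile(r"pass(word)?|secret|token|api[_-]?key", re.I)

# Constructed sample inputs; the JSON layout is hypothetical, not Wappler's real format.
SAMPLE_ENV = '# Database\nDB_HOST=localhost\nDB_PASSWORD="s3cret value"\n\nexport SMTP_PASSWORD=hunter2\n'
SAMPLE_JSON = '{"targets": [{"name": "dev", "db": {"user": "app", "password": "s3cret value"}}]}'


def env_keys(text):
    """Return the variable names defined in .env-style text, in file order."""
    return [m.group(2) for m in map(ENV_LINE.match, text.splitlines()) if m]


def make_env_example(env_text):
    """Keep keys, comments and blank lines; drop every value and any other line."""
    out = []
    for line in env_text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            out.append(("export " if m.group(1) else "") + m.group(2) + "=")
        elif not line.strip() or line.lstrip().startswith("#"):
            out.append(line)
    return "\n".join(out) + "\n"


def plaintext_secrets(node, path="$"):
    """Return JSON paths where a secret-looking key holds a non-empty string."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and value and SECRET_KEY.search(key):
                hits.append(child)
            hits += plaintext_secrets(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += plaintext_secrets(value, f"{path}[{i}]")
    return hits


if __name__ == "__main__":
    example = make_env_example(SAMPLE_ENV)
    print(example, end="")
    print("keys preserved:", env_keys(example) == env_keys(SAMPLE_ENV))
    print(plaintext_secrets(json.loads(SAMPLE_JSON)))
```

Run over real files, a non-empty result from `plaintext_secrets` marks a file to keep out of the commit.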