dommmel / jekyll-contentful

Jekyll plugin for Contentful.com
MIT License

Hide api key in public repository #8

Closed guayom closed 8 years ago

guayom commented 8 years ago

Jekyll contentful plugin is configured in the config.yml file. But if I publish the repo on a public GitHub repository, the API key will be available for anyone to use.

dommmel commented 8 years ago

Hi

you can use jekyll --config FILE1[,FILE2,...] to specify (also gitignored) config files instead of using _config.yml automatically. Settings in later files override settings in earlier files.

tkraak commented 8 years ago

Alternatively, use environment variables to store the Contentful API keys. This post shows an example config file for Middleman, which like Jekyll, is also written in Ruby.

dommmel commented 8 years ago

Yes @tkraak that would be a good option. Unfortunately Jekyll does not parse ERB tags in its _config.yml file. At least it did not last time I checked.

guayom commented 8 years ago

@dommmel you're right about environment variables in jekyll config. It didn't work for me. I don't know if there is any hack for that.

I tried the alternate config file, but the 'jekyll contentful' command doesn't accept the --config flag. So I'd have to move all config to the alternate and leave only contentful data in the config.yml. Then ignore the config.yml and always use the --config flag for builds. I guess it works, but having to use an alternate config file as default seems a little inconvenient. It would be a lot nicer if you could use the alternate for contentful builds.

tkraak commented 8 years ago

@guayom are you still on netlify or do you rely on GitHub Pages for hosting?

guayom commented 8 years ago

Yes, Netlify. Actually, that solution doesn't work either because the contentful file would be ignored. So it wouldn't be available on netlify. I wouldn't be able to trigger content import before builds. As I see it, the only way is using a private repo.

tkraak commented 8 years ago

With Node, I'm grabbing env vars from the shell locally and then read env vars from netlify via a config file.

I feel like you need a small plugin that reads the netlify env vars. Have you asked the netlify community on gitter yet?

guayom commented 8 years ago

I just did. I'm not familiar with Node.js but it sounds like a good time to start. I'll see what Mathias Biilmann has to say about it.

dommmel commented 8 years ago

AFAICS this is not netlify specific at all. The solution using multiple config files and .gitignore-ing one of them should work. e.g.

jekyll build --config _config.yml,_secret.yml

guayom commented 8 years ago

I tried that. The flag works perfectly for local development. But it doesn't work for continuous deployment and for triggering builds from contentful for 2 reasons:

  1. If the file containing the API key is ignored, then it won't be available in netlify or gitlab, or any other deployment method that gets the code from a git repository. So it wouldn't be possible to trigger the 'jekyll contentful' command. Thus, you wouldn't be able to deploy from contentful when you add new content.
  2. Even if you only import content locally, the would not belong to the _secret.yml file. It needs to be in the config.yml. Otherwise 'jekyll contentful' won't work. Unless you could do 'jekyll contentful --config _config.yml,_secret.yml' which I tried and didn't work.

dommmel commented 8 years ago

1) I see the problem with gitignored files on netlify. You could try to write that file from an ENV variable such as (not tested)

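MYVAR='test: "test"\ntest2: "test2"\n' # set this in netlify's admin GUI
# printf '%b' expands the \n escapes; a plain unquoted echo would write them literally in most shells
printf '%b' "$MYVAR" > /tmp/myvar.yml && jekyll build --config /tmp/myvar.yml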

2) there is no such command as "jekyll contentful". Are you sure you are using my plugin?
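
Added example, not part of the original thread or of the plugin: a build script that combines the two suggestions above, writing the secret YAML from an environment variable into a private temporary directory and passing it as the last --config file. The variable name JEKYLL_SECRET_YML and the script name build.sh are assumptions; the sample keys in the thread (test, test2) stand in for the real settings.

```shell
#!/bin/sh
# Added example, not part of jekyll-contentful. JEKYLL_SECRET_YML is an
# assumed variable name: set it in the build host's environment settings to
# the YAML fragment that must stay out of the public repository.

# Write the fragment to <private temp dir>/_secret.yml and print that path.
write_secret_config() {
    if [ -z "${JEKYLL_SECRET_YML:-}" ]; then
        echo "JEKYLL_SECRET_YML is not set; refusing to build" >&2
        return 1
    fi
    # mktemp -d creates a directory only the current user can enter (0700).
    dir=$(mktemp -d "${TMPDIR:-/tmp}/jekyll-secret.XXXXXX") || return 1
    # %b expands the \n escapes used in the thread's example; the subshell
    # keeps the tightened umask from leaking into the rest of the build.
    ( umask 077; printf '%b' "$JEKYLL_SECRET_YML" > "$dir/_secret.yml" ) || return 1
    printf '%s\n' "$dir/_secret.yml"
}

# Build with the committed config first and the secret file last, so the
# secret settings override; remove the secret file when the shell exits.
build_site() {
    secret=$(write_secret_config) || return 1
    trap 'rm -rf "$(dirname "$secret")"' EXIT
    jekyll build --config "_config.yml,$secret"
}

# Runs the build only when called as: sh build.sh build
if [ "${1:-}" = "build" ]; then
    build_site
fi
```

Because the generated file lives outside the site source, it is never committed and Jekyll does not copy it into the built site.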

guayom commented 8 years ago

I'll have to try that! You're right about the command. I've been trying both your extension and the jekyll-contentful-data-import and got confused. So let's ignore point 2, my bad.