ic-labs / django-icekit

GLAMkit is a next-generation Python CMS by the Interaction Consortium, designed especially for the cultural sector.
http://glamkit.com
MIT License
47 stars 11 forks

Document secrets #276

Open cogat opened 7 years ago

cogat commented 7 years ago

gregturner [3:34 PM] What is the deal with .secret files? Is it documented somewhere?

tailee [3:36 PM] https://github.com/ic-labs/django-icekit/blob/913a8eab2efa4227c30afec94ee2f66e2dc8dbbd/icekit/bin/help.sh#L67-L80

[3:37] it stores secrets (environment variables, exported by the entrypoint script) encrypted so we can commit them and also so we can avoid duplicating them in the stack file for every service

[3:38] we tried an alternative which uses git attributes to transparently encrypt/decrypt on checkout, which worked amazingly well and let us see diffs etc., but some git clients don't support git attributes, and if someone accidentally commits in one of those clients we could easily accidentally commit the unencrypted version of the file... git-secret stores the encrypted version in a `*.secret` file and the non-encrypted version has the suffix removed and is ignored by git, making such an accident less likely

[3:41] to use, you should put the correct passphrase in GPG_PASSPHRASE in .env.local and it should decrypt automatically when you run entrypoint.sh via go.sh or docker... then use git secret add ... to start tracking a new file, git secret hide to re-encrypt all files, and git secret reveal to decrypt all the tracked files... in a new project, the first time setup-git-secret.sh runs it will auto-generate a random passphrase and print it and stage the relevant files to be committed... we should put that in 1Password for each project
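The thread's reason for the `*.secret` suffix is that the plaintext twin (suffix removed) is gitignored, so a client that ignores git attributes cannot silently commit it. The remaining gap is a plaintext that somehow ends up staged anyway (a force-add, or a `.gitignore` edit). The pre-commit hook below is an added example, not code from django-icekit or its setup-git-secret.sh; it assumes only the layout the thread describes (`foo.secret` is the committed ciphertext, `foo` is the ignored plaintext) and refuses a commit when a staged path is the plaintext twin of any tracked `*.secret` file. `find_leaks` is the pure check so it can be tested without a repository; `main` wires it to `git` for use as `.git/hooks/pre-commit`.

```python
#!/usr/bin/env python3
"""Pre-commit guard for the *.secret convention.

Added example (hypothetical hook), not part of django-icekit. It assumes
the layout described in the thread: ``X.secret`` is the encrypted file
that is committed, and ``X`` (suffix removed) is the gitignored plaintext
that must never be committed.
"""
import subprocess
import sys

SECRET_SUFFIX = ".secret"


def plaintext_paths_for(tracked):
    """Map each tracked ``*.secret`` path to the plaintext path it decrypts to.

    ``tracked`` is the list of paths git knows about (``git ls-files``), which
    includes files staged for the current commit.
    """
    return {
        path[: -len(SECRET_SUFFIX)]: path
        for path in tracked
        if path.endswith(SECRET_SUFFIX) and len(path) > len(SECRET_SUFFIX)
    }


def find_leaks(staged, tracked):
    """Return, sorted, every staged path that is the plaintext twin of a
    tracked ``*.secret`` file. An empty list means the commit is safe."""
    plaintext = plaintext_paths_for(tracked)
    return sorted(path for path in staged if path in plaintext)


def git_lines(*args):
    """Run a git command and return its non-empty output lines."""
    result = subprocess.run(
        ["git", *args], check=True, capture_output=True, text=True
    )
    return [line for line in result.stdout.splitlines() if line]


def main():
    # Paths added, copied, modified or renamed in the index for this commit.
    staged = git_lines("diff", "--cached", "--name-only", "--diff-filter=ACMR")
    # Everything in the index, so a *.secret added in this same commit counts.
    tracked = git_lines("ls-files")
    leaks = find_leaks(staged, tracked)
    if not leaks:
        return 0
    print("refusing to commit plaintext secrets:", file=sys.stderr)
    for path in leaks:
        print(f"  {path}  (encrypted twin {path}{SECRET_SUFFIX} is tracked)",
              file=sys.stderr)
    print("run `git reset HEAD <file>` and re-encrypt with git secret hide",
          file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

The hook keys off the index rather than the working tree, so it also catches the case where the plaintext was deliberately force-added after being ignored. It does not replace the gitignore rule; it is a second check for the client-that-ignores-attributes scenario the thread describes.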