How to handle secret key in an open source project

[louis993546]

I will probably want to use Firebase (esp. Crashlytics) at some point, and I need to find a way to have google-services.json available for CI (#10), but not exposing it publicly.

Possible solutions

• Maintain a fork in private that contains all the secrets
• Use sacrificial secrets

[louis993546]

X-post #10

• This doc from CircleCI explains how to build OSS while keeping all the secrets secret
• This one explains CircleCI's implementation of environmental variable.
• This one talks about environmental variable in GitLab CI

[louis993546]

From more practical perspective: This short Q&A clarifies why in different google projects, some has google-services.json included, some don't. It mostly comes down to the intention: if you don't really expect someone else to host their own version, and you are (probably) the only one that actually builds and deliver the app, it probably isn't necessary to hide it.

And this thing goes super deep into how the json is being used by the google service gradle plugin

Last but not least, obviously this question have been asked before on stack overflow