I’m working on a project that needs to be deployed to Heroku while also maintaining a public repository on GitHub. The issue I’m facing is with configuration files that contain sensitive information.
My application includes a database configuration file with API keys and credentials that must be deployed to Heroku but should never be visible in the public GitHub repository.
I tried creating two separate branches - keeping my main development branch for Heroku deployment and a sanitized branch for GitHub. My plan was to add the sensitive config file to the .gitignore in the GitHub branch only.
The initial setup worked perfectly. However, problems arise when I merge changes from my main branch back to the GitHub branch. The merge operation brings over the sensitive files and overwrites the .gitignore settings, defeating the whole purpose.
Is there a way to sync branches while keeping certain files permanently excluded from specific branches? Can Git be configured to ignore particular files during merge operations?
I’m wondering if I’m approaching this wrong or if there’s a better workflow for this scenario. Any suggestions would be helpful.
Using environment variables is a much better approach than managing branches with conflicting .gitignore settings. I experienced a similar issue where credentials were accidentally exposed because of merge conflicts with sensitive files. Instead of embedding sensitive configurations in your files, reference environment variables, like using process.env.DATABASE_URL. You can configure these variables directly in Heroku under Settings > Config Vars. For local development, maintain a .env file, ensuring it’s in your .gitignore, and utilize dotenv to load these variables while working locally. This method keeps your repository clean and secure, avoiding the pitfalls you are facing with branch merges.
Skip the file management headache: just use Heroku config vars for sensitive stuff. Write a simple script that pulls from env variables and builds your config when the app starts. Way simpler than dealing with encryption or templates. Heroku handles the vars, your app reads them, you're done.
The branch approach you're using will cause endless headaches. Use config templates instead: create a config.example.js with dummy values and commit it to GitHub. Put your actual config.js in .gitignore. Heroku can pull from private repos, or you can manually deploy the real config.
Try git-crypt or similar encryption tools for your sensitive files. I had this exact problem on a client project last year and git-crypt nailed it. You encrypt specific files in your repo, so they’re safe to push to public GitHub but Heroku can still access them during deployment with proper key management. The encrypted files stay in your repo but can’t be read without the decryption key. Heroku gets the decryption key through environment variables and decrypts the files during build time. This kills the branch management nightmare you’re dealing with while keeping everything in one repo. Takes some setup initially but way easier to maintain than juggling different branches with conflicting ignore rules.
That dual branch setup is just creating headaches with merge conflicts. I hit the same wall two years back and switched to using Heroku’s build process instead - way cleaner. Here’s what works: Keep config templates in your repo that pull from environment variables. Then use Heroku’s release phase or buildpack hooks to build the actual config files during deployment. Your GitHub stays clean with just templates, and Heroku handles the real config using whatever env vars you’ve set in the dashboard. Best part? Heroku automatically injects the sensitive stuff during deployment - no more juggling branches or wrestling with merge strategies. You’re back to maintaining just one branch, and your workflow gets a lot simpler.