Introduction to Keeping Confidential Information Safe on GitHub: GitHub secrets and .env files
About to share your Jupyter Notebook or Python script on GitHub? Hold up before you press that button!
If your script does not contain confidential information such as keys, tokens, your username, etc., go ahead and share your awesome work! However, if you do have confidential information in your script, there are a few extra steps you should take to keep that information safe.
The two main methods I will share below are 1) GitHub Secrets and 2) using .env files.
Note: There may be other ways to do the same thing. These are just what I used when completing my Hack for LA project. Feel free to do your own research online!
How GitHub Secrets works is similar to adding a value to a variable. Once you assign a value to a variable using GitHub Secrets, no one will be able to see what the value of the variable is, even if they have access to the repository. From there, you can refer to the variable in your Python script to use the value you assigned. See below to get a better idea of how it works and how to set it up.
If the repository you are uploading your files to is not created by you, you may have to get additional permissions to access and edit settings.
- Ensure that the menu option "Settings" is available to you when you are in the repository.
- Click "Settings" and scroll down until you see the option "Secrets and variables" under "Security" in the left menu.
- Click the dropdown option for "Secrets and variables" and click "Actions".
- Click the green button "New repository secret" to add a variable (Name) and value (Secret).
- Voila! Your newly created variable should now appear under "Repository Secrets".
- Import the `os` library in your Python script:
  ```python
  import os
  ```
- Create a variable, referencing your GitHub Secret variable as the value. For example, if my GitHub Secret variable name is `API_KEY_GITHUB_PROJECTBOARD_DASHBOARD` and the variable I want to use to refer to the value contained within the secret is named `GitHub_token`, below is how I would create my `GitHub_token` variable:
  ```python
  GitHub_token = os.environ["API_KEY_GITHUB_PROJECTBOARD_DASHBOARD"]
  ```
In this case, I can now use the `GitHub_token` variable wherever my Python script needs the API key, without anyone being able to read the key itself.
Sometimes, the confidential information that you want to add to GitHub Secrets may not be a simple string or number. In my case, it was in a semi-structured format: JSON. To add the JSON key to GitHub Secrets, I had to first encode it into a string. This is how I went about it using the `base64` library:
- Import the `json` and `base64` libraries:
  ```python
  import json
  import base64
  ```
- Open the JSON file:
  ```python
  variable_name = open('nameoffile.json')
  ```
- Access the content of the JSON file (and close the file once it has been read):
  ```python
  content = json.load(variable_name)
  variable_name.close()
  ```
- At this point, the value stored in the `content` variable is a dictionary.
- Convert the dictionary into a string:
  ```python
  string = json.dumps(content)
  ```
- From here, execute the following to obtain your base64 encoded key:
  ```python
  string_bytes = string.encode('ascii')  # json.dumps escapes non-ASCII characters by default, so this cannot fail
  base64_bytes = base64.b64encode(string_bytes)
  base64_key_string = base64_bytes.decode('ascii')
  ```
- Now you can output the value in `base64_key_string` and put it into GitHub Secrets.
If you need to reverse the base64 encoding to get the original content of the JSON file, you can do the following:
```python
base64_bytes = base64_key_string.encode('ascii')
string_bytes = base64.b64decode(base64_bytes)
string = string_bytes.decode('ascii')
json_content = json.loads(string)
```
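The whole round trip (encode the JSON key for the Secret field, then read it back from the environment in the script) collected into a few checked functions, as an added example that is not part of the original page. It assumes the GitHub Actions workflow exposes the secret to the job through an `env:` mapping, and uses a constructed sample dictionary in place of a real key file; `load_json_secret` fails with a message naming the variable (never its value) when the secret was not mapped, instead of a bare `KeyError`.

```python
import base64
import binascii
import json
import os
from typing import Any, Mapping


def encode_json_secret(content: dict[str, Any]) -> str:
    """Serialise a dict to JSON and base64-encode it (the value pasted into GitHub Secrets)."""
    # json.dumps escapes non-ASCII by default, so the ASCII encode below cannot fail.
    string = json.dumps(content)
    return base64.b64encode(string.encode("ascii")).decode("ascii")


def decode_json_secret(base64_key_string: str) -> dict[str, Any]:
    """Reverse encode_json_secret, turning any malformed input into one clear error."""
    try:
        string = base64.b64decode(base64_key_string, validate=True).decode("ascii")
        content = json.loads(string)
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"secret is not base64-encoded JSON: {exc}") from exc
    if not isinstance(content, dict):
        raise ValueError("decoded secret is not a JSON object")
    return content


def load_json_secret(name: str, environ: Mapping[str, str] = os.environ) -> dict[str, Any]:
    """Read the named variable from the environment and decode it.

    A missing or empty value usually means the workflow never mapped the secret
    into env, so report the variable name (never its value) and stop early.
    """
    value = environ.get(name, "")
    if not value:
        raise RuntimeError(f"environment variable {name} is missing or empty; "
                           "check that the workflow maps the secret into env")
    return decode_json_secret(value)


# Constructed sample (not a real credential): stands in for the content of nameoffile.json
SAMPLE_SECRET = {"type": "service_account", "project_id": "demo-project", "private_key_id": "0000"}

if __name__ == "__main__":
    encoded = encode_json_secret(SAMPLE_SECRET)
    print("Paste this into the Secret field:", encoded)
    # Simulated job environment, i.e. what the script sees after the workflow's
    # `env: API_KEY_GITHUB_PROJECTBOARD_DASHBOARD: ${{ secrets.API_KEY_GITHUB_PROJECTBOARD_DASHBOARD }}`
    fake_env = {"API_KEY_GITHUB_PROJECTBOARD_DASHBOARD": encoded}
    print(load_json_secret("API_KEY_GITHUB_PROJECTBOARD_DASHBOARD", fake_env))
```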