The following files are already in `.gitignore` and should NEVER be committed:
- `.env`
- `.env.local`
- `.env*.local`
- Any file containing Supabase credentials (URL, anon key, service role key)
Your Supabase credentials should ONLY be stored in:
- `/web/.env.local` (for local development)
- Your deployment platform's environment variables (Vercel, Netlify, etc.)
Never share:
- `SUPABASE_SERVICE_ROLE_KEY` - This has admin access to your database
- Database connection strings with passwords
- API keys or secrets
✅ Safe to commit:
- `schema.sql` - Database structure (no credentials)
- `*.sql` migration files - Structure changes only
- Client-side code in `/web/src`
- Public documentation
❌ Never commit:
- `.env` files with credentials
- Supabase dashboard URLs with tokens
- Service role keys
- Database passwords
Contributors DO NOT need:
- Supabase access
- Database credentials
- Admin privileges
Contributors ONLY need:
- GitHub account to submit PRs
- Access to fork the public repository
- Ability to build and test games locally (without database if needed)
Maintainers handle:
- Database management
- Game registration in Supabase
- Deployment and production environment
- Reviewing and merging PRs
The database uses RLS policies to ensure:
- Users can only update their own profiles
- Users can only submit scores for themselves
- Public data is readable by everyone
- Sensitive operations require authentication
- Contributor creates game component and submits PR
- Maintainer reviews code for security issues
- Maintainer registers game in Supabase
- Maintainer deploys and enables game on platform
This keeps database access restricted to trusted maintainers while allowing open collaboration.
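As an added example (not the project's own schema or migrations), here is how the RLS guarantees listed above, plus the workflow rule that only maintainers register games, can be expressed in Supabase SQL. The table and column names (`profiles.id`, `scores.user_id`, `games`) are assumptions; `auth.uid()` and the `anon`/`authenticated` roles are Supabase's built-ins.

```sql
-- Assumed schema (not from the page):
--   profiles(id uuid references auth.users, ...)
--   scores(id, user_id uuid references auth.users, game_id, value, ...)
--   games(id, name, enabled, ...)

-- Turn RLS on. With RLS enabled and no matching policy, anon/authenticated
-- get nothing; only the service role key (maintainers, server-side) bypasses RLS.
alter table public.profiles enable row level security;
alter table public.scores   enable row level security;
alter table public.games    enable row level security;

-- "Public data is readable by everyone": explicit read-only policies for
-- unauthenticated visitors and signed-in users alike.
create policy "profiles are publicly readable"
  on public.profiles for select to anon, authenticated using (true);

create policy "games are publicly readable"
  on public.games for select to anon, authenticated using (true);

create policy "scores are publicly readable"
  on public.scores for select to anon, authenticated using (true);

-- "Users can only update their own profiles": USING filters which rows the
-- caller may touch, WITH CHECK stops them from re-pointing the row at another user.
create policy "users update own profile"
  on public.profiles for update to authenticated
  using (auth.uid() = id)
  with check (auth.uid() = id);

-- "Users can only submit scores for themselves": the inserted row's user_id
-- must equal the caller's auth.uid(); a client cannot claim a score for someone else.
create policy "users insert own scores"
  on public.scores for insert to authenticated
  with check (auth.uid() = user_id);

-- Deliberately no insert/update/delete policy on games: "Maintainer registers
-- game in Supabase" happens with the service role key, never from client code.

-- Pre-deploy check ("Ensure RLS policies are enabled on all tables"):
-- any row returned here is a public table still exposed without RLS.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;
```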
Before deploying:
- Verify no `.env` files are in git history
- Check all environment variables are set in deployment platform
- Ensure RLS policies are enabled on all tables
- Review new code for SQL injection vulnerabilities
- Test authentication flows
- Verify API keys are stored securely