This repository uses git-crypt to encrypt sensitive files before committing them to the repository.
1. Install git-crypt:

   ```bash
   # macOS
   brew install git-crypt
   # Ubuntu/Debian
   sudo apt-get install git-crypt
   # Windows (via chocolatey)
   choco install git-crypt
   ```

2. Initialize git-crypt (one-time setup):

   ```bash
   git-crypt init
   git-crypt add-gpg-user YOUR_GPG_KEY_ID
   ```

3. Create your environment file:

   ```bash
   cp .env.example .env
   # Edit .env with your actual values
   ```

4. Verify encryption:

   ```bash
   git add .env
   git-crypt status
   # Should show: .env: encrypted
   ```
The following files are automatically encrypted when committed:

- `.env` - Main environment variables
- `.env.local` - Local overrides
- `.env.production` - Production environment
- `.env.staging` - Staging environment
- `secrets/**` - Any files in the secrets directory
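The "Verify encryption" step above is easy to skip by hand, so here is an added example (not part of this repository's tooling) of a small check that can run as a pre-commit hook or CI step: it reads `git-crypt status` output and fails if any path from the list above is not encrypted. It assumes the status format `    encrypted: PATH` / `not encrypted: PATH`, with a `*** WARNING: staged/committed version is NOT ENCRYPTED! ***` suffix when a plaintext copy is already in history.

```shell
# Assumed `git-crypt status` line formats:
#   "    encrypted: PATH"      - file is covered by git-crypt
#   "not encrypted: PATH"      - file is committed in clear
#   "... *** WARNING: staged/committed version is NOT ENCRYPTED! ***"
#                              - covered now, but a plaintext blob is in history

# Paths the repository expects to be encrypted (patterns from the list above).
is_sensitive_path() {
  case "$1" in
    .env|.env.*|secrets/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read `git-crypt status` output on stdin. Returns 0 when every sensitive path
# is encrypted, 1 when at least one would be (or already was) committed in clear.
check_git_crypt_status() {
  failed=0
  while IFS= read -r line; do
    case "$line" in
      "not encrypted: "*)
        path=${line#not encrypted: }
        if is_sensitive_path "$path"; then
          echo "secret not covered by git-crypt: $path" >&2
          failed=1
        fi
        ;;
      "    encrypted: "*"NOT ENCRYPTED"*)
        # Encrypted now, but a plaintext copy is already staged or in history.
        path=${line#    encrypted: }
        path=${path%% \*\*\* *}
        echo "plaintext copy of $path is staged/committed; rotate it" >&2
        failed=1
        ;;
    esac
  done
  return "$failed"
}

# Constructed sample output (not from a real repository) used to demonstrate the check.
sample_status() {
  cat <<'EOF'
    encrypted: .env
    encrypted: .env.production
not encrypted: README.md
not encrypted: secrets/db-password.txt
    encrypted: .env.staging *** WARNING: staged/committed version is NOT ENCRYPTED! ***
EOF
}
```

In a hook, run `git-crypt status | check_git_crypt_status` and abort the commit on a non-zero exit; the sample above fails on both `secrets/db-password.txt` and the historical plaintext of `.env.staging`.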
| Variable | Purpose | Where to Get |
|---|---|---|
| `NPM_TOKEN` | Publishing to npm registry | npmjs.com/settings/tokens |
| `GITHUB_TOKEN` | Creating GitHub releases | github.com/settings/tokens |
| `NX_CLOUD_ACCESS_TOKEN` | Distributed caching (optional) | nx.app |
| `SURREALDB_*` | Local testing database | Your SurrealDB instance |
Add these environment variables to your CircleCI project settings:
- Go to CircleCI project settings
- Navigate to "Environment Variables"
- Add each required variable from your `.env` file
1. Copy the example file:

   ```bash
   cp .env.example .env
   ```

2. Fill in your actual values in `.env`
3. The `.env` file will be encrypted when you commit it
To give a new team member access to encrypted files:
1. Get their GPG public key:

   ```bash
   gpg --import their-public-key.asc
   ```

2. Add them to git-crypt:

   ```bash
   git-crypt add-gpg-user THEIR_GPG_KEY_ID
   git add .git-crypt/
   git commit -m "Add new team member to git-crypt"
   ```

3. They can now unlock the repository:

   ```bash
   git-crypt unlock
   ```
- ✅ Never commit unencrypted secrets
- ✅ Use specific, minimal permissions for tokens
- ✅ Rotate tokens regularly
- ✅ Use different tokens for different environments
- ✅ Review token access periodically
- ❌ Don't share tokens via chat/email
- ❌ Don't use personal tokens for CI/CD