David A. Antler

Deployment privacy with Hexo

A rookie mistake that people sometimes make is checking sensitive material into their git repository, only for it to be shared with a broader audience some time in the future. Often this sensitive material is something like a password needed for automation with another server. This mistake is fairly common.

It bears repeating: you should never check a password into a git repository[1].

To deploy my blog, which is generated by Hexo, I needed to store some sensitive information. Here’s how I keep it out of my git repository.

  1. Create a new file with all the sensitive information. Call it deploy.yml.

      # deploy.yml
      #
      # Deployment
      ## Docs: https://hexo.io/docs/deployment.html
      deploy:
        type: sftp
        host:
        user:
        pass: [sensitive data!]
        remotePath:

  2. Add deploy.yml and _multiconfig.yml to your .gitignore file.

  3. Add a deployment script to your package_config.json file which uses the new file.[2]

      "scripts": {
        "deploy": "hexo deploy --generate --config deploy.yml,_config.yml"
      }

  4. Test your deployment script.

      npm run deploy
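
The steps above only help if git really is ignoring both files, so here is a check for that, added as an example and not part of the original post. It assumes git is on the PATH and that it runs from the repository root; the function name check_secret_files is made up for this sketch.

```shell
#!/bin/sh
# Added example: confirm the secret-bearing Hexo files are ignored,
# untracked, and absent from history. Run from the repository root.
# Usage: source this file and call check_secret_files, for instance
# from .git/hooks/pre-commit; a non-zero return means a problem.

# Files named in the post: deploy.yml holds the SFTP password, and
# _multiconfig.yml is the second file the post says to ignore.
SECRET_FILES="deploy.yml _multiconfig.yml"

check_secret_files() {
    rc=0
    for f in $SECRET_FILES; do
        # 1. An ignore rule must match the path. --no-index tests the
        #    rule itself, even if the file is missing or already tracked.
        if ! git check-ignore --no-index -q -- "$f"; then
            echo "FAIL: no .gitignore rule matches $f" >&2
            rc=1
        fi
        # 2. .gitignore has no effect on a file that is already tracked.
        if git ls-files --error-unmatch -- "$f" >/dev/null 2>&1; then
            echo "FAIL: $f is tracked; run: git rm --cached $f" >&2
            rc=1
        fi
        # 3. A file committed earlier stays in history after removal,
        #    so the password in it has to be treated as exposed.
        if [ -n "$(git log --all --oneline -- "$f" 2>/dev/null)" ]; then
            echo "FAIL: $f is in history; change the password" >&2
            rc=1
        fi
    done
    return $rc
}
```

The third check matters most before a private repository is shared: removing deploy.yml in a later commit does not remove the password from earlier ones.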

  1. There are exceptions, of course: (1) You’re comfortable with the whole world seeing that password, or (2) You will never share the repository with any more people.

  2. Note: It would be slightly better to change the order to give deploy.yml preference (e.g., _config.yml,deploy.yml instead of deploy.yml,_config.yml), but there is a bug in Hexo preventing a file beginning with "_" from being first in the list.
