Deployment privacy with Hexo
A rookie mistake that people sometimes make is checking sensitive material into their git repository, only for it to be shared with a broader audience some time in the future. Often this sensitive material is something like a password needed for automation with another server. This mistake is fairly common.
It bears repeating: you should never check a password into a git repository.
In order to deploy my blog, which is generated by Hexo, I needed to store some sensitive information. Here’s how I keep it out of my git repository.
- Create a new file with all the sensitive information. Call it
- Add a deployment script to your package_config.json file which uses the new file.
- Test your deployment script.
npm run deploy
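One way to confirm that the sensitive file really stays out of the repository before you deploy. This is an added example, not code from the original post. It assumes the file is named deploy.yml (the name that appears in the note below) and that git is installed; the function name check_secret_untracked is hypothetical.

```shell
#!/bin/sh
# Added example: verify that a secrets file is kept out of git.
# Assumption: the file is called deploy.yml unless another name is passed.

check_secret_untracked() {
    file=${1:-deploy.yml}
    rc=0

    # Only meaningful inside a git work tree.
    git rev-parse --is-inside-work-tree >/dev/null 2>&1 || {
        echo "not a git repository" >&2
        return 2
    }

    # 1. The file must not be in the index (staged or already committed).
    if git ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
        echo "FAIL: $file is tracked by git" >&2
        rc=1
    fi

    # 2. An ignore rule must cover it, so a later 'git add .' cannot pick it up.
    #    --no-index evaluates the rules even if the file is currently tracked.
    if ! git check-ignore -q --no-index -- "$file" 2>/dev/null; then
        echo "FAIL: $file is not matched by any ignore rule" >&2
        rc=1
    fi

    # 3. No commit on any ref may ever have touched it. Removing the file
    #    later does not erase the copy stored in history.
    if [ -n "$(git log --all --format=%h -- "$file" 2>/dev/null)" ]; then
        echo "FAIL: $file appears in history; treat the credential as exposed" >&2
        rc=1
    fi

    return $rc
}
```

Source this file and call `check_secret_untracked deploy.yml` before `npm run deploy`; a non-zero return means the file is tracked, not ignored, or present in an earlier commit.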
There are exceptions, of course: (1) You’re comfortable with the whole world seeing that password, or (2) You will never share the repository with any more people.
Note: It would be slightly better to change the order to give
_config.yml,deploy.yml), but there is a bug in Hexo preventing a file beginning with
"_" from being first in the list.