You just got a new Arduino board (maybe a Wi-Fi-enabled one), wrote a useful application, and are about to share it on GitHub.
If your code looks like this:
|
|
do not share it! You would leak your ESSID, password and maybe other secrets to everyone.
Store secrets in an external file
Create a separate file named arduino_secrets.h:
|
|
and change the main file in this way:
|
|
Note: using the SECRET_... naming convention is also useful if you use the Arduino Web Editor (https://create.arduino.cc/projecthub/Arduino_Genuino/store-your-sensitive-data-safely-when-sharing-a-sketch-e7d0f0), because these values will be automatically added to a secret tab and will only be visible to you, even if you share your project.
Exclude secrets file from git
Moving secrets to arduino_secrets.h would be pointless if we pushed this file to GitHub. To avoid this mistake, add arduino_secrets.h to .gitignore (create it in the root of the project if it doesn’t exist already).
Add an example for secrets file
If you simply hide the original arduino_secrets.h, other users who would like to reuse your code may not know what to put inside. Create an example file named arduino_secrets.h.example with dummy values:
|
|
and document that this file needs to be renamed to arduino_secrets.h.
What if I need to build my code in a CI?
In case you want to build your code in a CI environment, the full source code needs to be there, but at the same time you still don’t want to push your secrets to GitHub. What to do then?
Store your secrets in environment variables
Create an environment variable in your CI (or set it locally on your machine if you want to build it locally) for each secret:
|
|
Create a Makefile
Add a Makefile to your project, similar to this one:
|
|
If you run make, you will generate a file named arduino_secrets.h containing the proper values.
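Added example (not from the original post and not its Makefile): the same generation step written as a POSIX shell function that a CI job or a make target could call. It refuses to write the header when a secret is missing and escapes quotes and backslashes in the values. The names SECRET_SSID and SECRET_PASS are assumed; use whichever SECRET_... defines your sketch expects.

```shell
#!/bin/sh
# Added example: build arduino_secrets.h from environment variables.
# SECRET_SSID / SECRET_PASS are assumed names that follow the SECRET_ prefix.
# Usage in a CI step:
#   gen_secrets_header arduino_secrets.h SECRET_SSID SECRET_PASS

# Escape backslashes and double quotes so the value fits inside "...".
c_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# gen_secrets_header OUTFILE VAR...
# Writes one #define per variable. If any variable is unset or empty,
# nothing is written and the function returns 1, so the build fails
# instead of producing firmware with blank credentials.
gen_secrets_header() {
    out=$1; shift
    for name in "$@"; do
        # Only plain upper-case identifiers are accepted before eval.
        case $name in
            ''|*[!A-Z0-9_]*) echo "error: bad name '$name'" >&2; return 1 ;;
        esac
        eval "val=\${$name:-}"
        if [ -z "$val" ]; then
            echo "error: $name is not set" >&2
            return 1
        fi
    done
    tmp="$out.tmp.$$"
    (
        umask 077   # header holds credentials: owner read/write only
        for name in "$@"; do
            eval "val=\${$name}"
            printf '#define %s "%s"\n' "$name" "$(c_escape "$val")"
        done > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}
```

The error messages name only the missing variable, never its value, so nothing sensitive ends up in the CI log.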
Conclusion
There may be alternative methods to safely store secrets. If you know a better one, you can leave a comment below.