yiekheng/cm_whatsapp_bot_v1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cm_whatsapp_bot_v1/.gitignore
yiekheng 58b249097a security: untrack envs/ENV (leaked DB password + AUTH_SECRET) 
Commit 6893ca6 accidentally pushed envs/ENV — a real env file with
DATABASE_URL (including the wabot DB password) and AUTH_SECRET.
The file's gone from HEAD now; the secrets are STILL in git history
at 6893ca6 and must be rotated:

  1. Postgres role 'waBot' password — change on the wabot DB and
     update DATABASE_URL on every deploy that uses it.
  2. AUTH_SECRET — regenerate with scripts/gen_auth_secret.sh and
     bump OPERATOR_TOKEN_VERSION at the same time so every existing
     session cookie also invalidates.

.gitignore now ignores everything in envs/ except .env.example so
the same shape of leak (envs/<anything>) can't recur.

If you'd rather scrub the secret from history outright, the only
clean option is a force-push that rewrites 6893ca6:
  git filter-repo --invert-paths --path envs/ENV
  git push --force origin master
That destroys the existing remote SHA, which other clones will need
to reset to. Defaults to 'rotate, don't rewrite' unless explicitly
asked.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 22:14:44 +08:00

48 lines
1.0 KiB
Plaintext
Raw Blame History

# deps
node_modules/
.pnpm-store/
# build outputs
dist/
.next/
.turbo/
*.tsbuildinfo
# serwist emits these into apps/web/public/ on every production build.
# Icons (icon-*.png, apple-touch-icon.png) ARE committed; the generated
# service-worker bundle is regenerated by the build itself.
apps/web/public/sw.js
apps/web/public/swe-worker-*.js
# env files: per project decision, .env.development and .env.production
# ARE committed to this private Gitea. Only ignore example overrides:
.env.local
.env.*.local
# Anything inside envs/ EXCEPT the example template — a real env
# file (envs/ENV) leaked once into commit 6893ca6 carrying the DB
# password and AUTH_SECRET. Whitelist .env.example explicitly so a
# future copy-paste of envs/.env.example into envs/ENV (or any other
# name) gets blocked at git add time.
envs/*
!envs/.env.example
# logs
*.log
npm-debug.log*
pnpm-debug.log*
# editor
.vscode/
.idea/
*.swp
.DS_Store
# runtime data (mounted volumes from compose)
dev-data/
data/
# test coverage
coverage/
.vitest-cache/
session
Reference in New Issue View Git Blame Copy Permalink