This meme was brought to you by the PyPI Director of Infrastructure who accidentally hardcoded credentials - which could have resulted in compromissing the entire core Python ecosystem.

you are viewing a single comment's thread
view the rest of the comments

[–] dan@upvote.au 53 points 1 year ago* (last edited 1 year ago) (12 children)

At my workplace, we use the string @nocommit to designate code that shouldn't be checked in. Usually in a comment:

// @nocommit temporary for testing
apiKey = 'blah';
// apiKey = getKeyFromKeychain();

but it can be anywhere in the file.

There's a lint rule that looks for @nocommit in all modified files. It shows a lint error in dev and in our code review / build system, and commits that contain @nocommit anywhere are completely blocked from being merged.

(the code in the lint rule does something like "@no"+"commit" to avoid triggering itself)

[–] PlexSheep 9 points 1 year ago (4 children)

This sounds like a really useful solution, how do you implement something like this? Especially with linter integration

[–] zqwzzle@lemmy.ca 4 points 1 year ago (2 children)

Depending on which stack you’re using, you could use https://danger.systems to automatically fail PRs.

[–] PlexSheep 4 points 1 year ago (1 children)

PRs? Isn't the point of @nocommit that something does not get committed, and therefore no credentials are stored in the git repository? Even if the PR does not get merged, the file is still stored as a hit object and can be restored.

[–] zqwzzle@lemmy.ca 2 points 1 year ago

I read the lint part and my brain forgot about everything else. You could stick the danger call in a pre commit hook though.

load more comments (1 replies)

load more comments (8 replies)