Critical: Never commit API keys, tokens, or credentials to version control.
The following files are in .gitignore and should NEVER be committed:

```
.env             # Main environment configuration
.env.local       # Local overrides
.env.*.local     # Environment-specific local configs
*.key            # Private keys
*.pem            # Certificates
credentials.json # Credential files
```
1. Copy the template:
   ```bash
   cp .env.example .env
   ```
2. Add your credentials:
   ```bash
   # Edit .env with your actual values
   nano .env
   ```
3. Verify .env is ignored:
   ```bash
   git status --ignored | grep .env   # .env should be listed under "Ignored files", not as untracked
   ```
Required for publishing crates to crates.io:

1. Generate the token:
   - Visit crates.io/me
   - Click "New Token"
   - Name: "Ruvector Publishing"
   - Permissions: "publish-new" and "publish-update"
   - Copy the token immediately (it is shown only once)
2. Store it securely:
   ```bash
   # Add to .env (which is gitignored)
   echo "CRATES_API_KEY=your-actual-token-here" >> .env
   ```
3. Use it from .env:
   ```bash
   # The publishing script automatically loads from .env
   ./scripts/publish-crates.sh
   ```
Rotate API keys regularly:

```bash
# 1. Generate a new token on crates.io
# 2. Update .env with the new token
# 3. Test with: cargo login $CRATES_API_KEY
# 4. Revoke the old token on crates.io
```

❌ Never commit:
- API keys (crates.io, npm, etc.)
- Database credentials
- Private keys (.key, .pem files)
- OAuth tokens
- Session secrets
- Encryption keys
- Service account credentials

✅ Safe to commit:
- .env.example (template with no real values)
- Public configuration
- Example data (non-sensitive)
- Documentation
Before committing, verify no secrets are staged:

```bash
# Check staged files
git diff --staged
# Search for potential secrets
git diff --staged | grep -i "api_key\|secret\|password\|token"
# Use git-secrets (optional)
git secrets --scan
```

GitHub automatically scans for common secrets. If a secret is detected:
- Immediately revoke the exposed credential
- Generate a new credential
- Update .env with the new credential
- Force push to remove it from history (if needed). Rewriting history does not undo the exposure; the credential must still be revoked:
  ```bash
  # Dangerous! Only if absolutely necessary
  git filter-branch --force --index-filter \
    "git rm --cached --ignore-unmatch .env" \
    --prune-empty --tag-name-filter cat -- --all
  ```
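A staged-diff scanner that applies the pre-commit check above more carefully than the plain grep: it judges only added lines, flags any file matching the never-commit patterns from the .gitignore list, and ignores placeholder values such as the `your-actual-token-here` template. This is an added example, not one of the project's scripts; the regexes, the placeholder heuristic and the sample diff are constructed here.

```python
import re
import subprocess

# Never-commit file patterns from the .gitignore list above; .env.example is the allowed template.
FORBIDDEN_FILES = re.compile(r"(^|/)(\.env(\..*)?|credentials\.json|.*\.(key|pem))$")
ALLOWED_FILES = re.compile(r"(^|/)\.env\.example$")
# Key names the grep above looks for, captured together with the value assigned to them.
ASSIGNMENT = re.compile(
    r"(?i)\b([a-z0-9_]*(api[_-]?key|secret|password|token)[a-z0-9_]*)\s*[=:]\s*['\"]?([^'\"\s#]+)"
)
# Heuristic: obvious placeholders and CI secret references (${{ secrets.X }}) are not findings.
PLACEHOLDER = re.compile(r"(?i)(xxx|your[-_]|example|changeme|\$\{|<[^>]+>)")
# Constructed sample: a template with a placeholder value and a staged .env with a real-looking token.
SAMPLE_DIFF = """\
--- a/.env.example
+++ b/.env.example
@@ -1 +1,2 @@
 # Template
+CRATES_API_KEY=your-actual-token-here
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+RUST_LOG=debug
+CRATES_API_KEY=cio-abc123def456ghi789
"""

def is_forbidden_path(path):
    return bool(FORBIDDEN_FILES.search(path)) and not ALLOWED_FILES.search(path)

def scan_diff(diff_text):
    """Return [(path, new_line_no, reason)], judging added lines only."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            if path != "/dev/null" and is_forbidden_path(path):
                findings.append((path, 0, "file matches a never-commit pattern"))
        elif hunk := re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw):
            line_no = int(hunk.group(1)) - 1
        elif not raw.startswith(("-", "\\")):  # removed lines and "\ No newline" add nothing
            line_no += 1
            if raw.startswith("+"):
                for key, _, value in ASSIGNMENT.findall(raw[1:]):
                    if not PLACEHOLDER.search(value):
                        findings.append((path, line_no, f"{key} assigned a literal value"))
    return findings

if __name__ == "__main__":  # exit non-zero so a pre-commit hook blocks the commit
    staged = subprocess.run(["git", "diff", "--staged"], capture_output=True, text=True).stdout
    raise SystemExit(1 if scan_diff(staged) else 0)
```

Run it as a pre-commit hook; on the sample diff it reports the staged `.env` file itself and the literal token on its line 2, while the placeholder in `.env.example` passes.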
Store secrets in the GitHub repository settings:

1. Go to repository Settings → Secrets and variables → Actions
2. Add secrets:
   - CRATES_API_KEY: for publishing
   - CODECOV_TOKEN: for code coverage (optional)
3. Use them in workflows:
   ```yaml
   - name: Publish to crates.io
     env:
       CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_API_KEY }}
     run: cargo publish
   ```
For local development, use .env:

```
# .env (gitignored)
CRATES_API_KEY=cio-xxx...
RUST_LOG=debug
```

Load it in scripts:

```bash
# Load from .env (expects simple KEY=value lines; values containing spaces or quotes are not handled)
export $(grep -v '^#' .env | xargs)
```
For production releases:

```bash
# Generate a GPG key (if one does not exist)
gpg --gen-key
# Sign git tags
git tag -s v0.1.0 -m "Release v0.1.0"
# Verify the signature
git tag -v v0.1.0
```

Cargo doesn't support package signing yet, but you can:
- Sign the git tag
- Include checksums in the release notes
- Provide GPG signatures for binary releases
Regularly audit dependencies for vulnerabilities:

```bash
# Install cargo-audit
cargo install cargo-audit
# Run a security audit
cargo audit
# Fix vulnerabilities (requires cargo-audit built with the `fix` feature)
cargo audit fix
```

Enable GitHub Dependabot:
- Go to repository Settings → Security → Dependabot
- Enable "Dependabot alerts"
- Enable "Dependabot security updates"
If you discover a security vulnerability:
- Do NOT open a public GitHub issue
- Email: security@ruv.io
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

Response timeline:
- 24 hours: Initial response
- 7 days: Status update
- 30 days: Fix released (if confirmed)
Before releasing:
- No secrets in code or config files
- `.env` is in `.gitignore`
- `.env.example` has no real values
- All dependencies audited (`cargo audit`)
- Git tags are signed
- API keys rotated if exposed
- Security scan passed (GitHub)
- Documentation reviewed for sensitive info
For security questions:
- Email: security@ruv.io
- Documentation: docs.ruv.io
- Community: Discord