Why can't you commit a .env file?

devmtk1 pts0 comments

You can t commit a .env file to Git is a sentence we ve all heard. Most people accepted it and went on with their lives, using other tools to share environment variables.But the question we should ask is: why can t I commit a .env file to Git?The honest answer isn t that it s bad practice. It s that Git has no permission system below the repository level. It s all or nothing. You see everything, or you see nothing. The entire secret-manager industry exists to paper over this one missing primitive.For too long we accepted it as a minor annoyance. That s changed. It isn t a minor annoyance anymore. It s a real problem.We now have agents monitoring every patch that merges, hunting for security fixes to turn into exploits. The patch itself is the disclosure: it hands people (and increasingly agents) everything they need to reverse-engineer the fix and hit systems that haven t updated yet. We re in the middle of a security crisis, arguing about where to store files to hide them from attackers.For the last couple of weeks I ve been thinking about this: prototyping, trying to find a compelling solution. I want to be honest, I have no idea if I found it. But I think the direction is at least interesting. Permissions, or as I prefer to call them, capabilities, should live at the content level, not the repo level. Commit the .env; just scope who s allowed to decrypt it.This is just one of the problems I have with Git(Hub), and honestly, I have no idea if anything I built is a good solution. I d love your feedback, or your rant. If you want to see how I tried to fix it, the repo is here (hosted, sarcastically, on GitHub): https://github.com/thaddeus-run/thaddeus

commit file level quot people accepted

Related Articles