This project follows strict security practices to prevent credential leaks.
- NEVER commit API keys, service account JSONs, or passwords to git.
- Use `.env` files for local development (they are gitignored).
- Use `lib/core/util/logger.dart` (the `Log` class) instead of `print` to prevent leaking data in release builds.
Local development uses flutter_dotenv.
Create a `.env` file in the root directory (see `.env.example`):

```
FIREBASE_PROJECT_ID=your-project-id
STORAGE_BUCKET=your-bucket-url
SUPABASE_URL=your-supabase-url
SUPABASE_ANON_KEY=your-supabase-key
```

Production builds inject secrets via `--dart-define`.
Go to Settings > Secrets and variables > Actions in your GitHub repository and add:
- `FIREBASE_PROJECT_ID`
- `STORAGE_BUCKET`
- `FIREBASE_OPTIONS_BASE64` (Base64 encoded content of `lib/firebase_options.dart`)
- `SUPABASE_URL`
- `SUPABASE_ANON_KEY`
- `KEYSTORE_PASSWORD` (if using signing)
- `KEY_PASSWORD` (if using signing)
- `KEY_ALIAS` (if using signing)
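As an added example (not the project's own code), a Dart config loader that applies the rules above: `--dart-define` values take precedence, the gitignored `.env` is only consulted outside release builds, and startup fails fast when a secret is missing. The `AppConfig` class, the `kReleaseMode` check and the flutter_dotenv calls are this example's choices, not something the project documents.

```dart
import 'package:flutter/foundation.dart' show kReleaseMode;
import 'package:flutter_dotenv/flutter_dotenv.dart';

/// Resolves the secrets named in this document, in order of precedence:
///   1. --dart-define values (what production/CI builds inject),
///   2. the gitignored .env loaded by flutter_dotenv (local development only).
/// In release mode the .env fallback is disabled, so a missing define fails
/// loudly at startup instead of silently shipping an empty or dev credential.
class AppConfig {
  // --dart-define values are baked in at compile time and must be read
  // through const String.fromEnvironment; a non-const call returns ''.
  static const _defines = <String, String>{
    'FIREBASE_PROJECT_ID': String.fromEnvironment('FIREBASE_PROJECT_ID'),
    'STORAGE_BUCKET': String.fromEnvironment('STORAGE_BUCKET'),
    'SUPABASE_URL': String.fromEnvironment('SUPABASE_URL'),
    'SUPABASE_ANON_KEY': String.fromEnvironment('SUPABASE_ANON_KEY'),
  };

  static Future<void> init() async {
    if (!kReleaseMode) {
      // Local development only: .env is gitignored and never reaches CI.
      await dotenv.load(fileName: '.env');
    }
    // Fail fast: every key must resolve before Firebase/Supabase are touched.
    for (final key in _defines.keys) {
      get(key);
    }
  }

  /// Returns the value for [key]; throws with the key name (never the value)
  /// so the error is safe to surface through the project's Log class.
  static String get(String key) {
    final defined = _defines[key] ?? '';
    if (defined.isNotEmpty) return defined;
    if (kReleaseMode) {
      throw StateError('Release build is missing --dart-define=$key');
    }
    final local = dotenv.env[key];
    if (local == null || local.isEmpty) {
      throw StateError('$key is set neither via --dart-define nor in .env');
    }
    return local;
  }

  static String get firebaseProjectId => get('FIREBASE_PROJECT_ID');
  static String get storageBucket => get('STORAGE_BUCKET');
  static String get supabaseUrl => get('SUPABASE_URL');
  static String get supabaseAnonKey => get('SUPABASE_ANON_KEY');
}
```

flutter_dotenv reads `.env` from the Flutter asset bundle, so the file must be declared under `assets:` in `pubspec.yaml`; keep the file itself out of git and out of release artifacts.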
If you accidentally commit a secret:
- Revoke the secret immediately.
- Rewrite git history using `git filter-branch` or BFG Repo-Cleaner.
- Force push the clean history.
Please report security vulnerabilities to the project maintainers privately.