I have a GitHub repo that is currently private. My Firebase deployment token is stored as an Env Var in the CircleCI GUI. The CircleCI 2.0 documentation clearly states
Do not add keys or secrets to a public CircleCI project
Also, from what I can find in the FAQ, a CircleCI project is made public if the associated GitHub repo is made public.
Now, I intend to open source the project on GitHub, will it make the Env Var in CircleCI visible to anyone since the CircleCI project will become public?
If the Env Var is publicly visible, what is an advised way to keep my deployment token hidden from others? Do I have to resort to a solution like git-crypt or a cloud based KMS?
Here’s a link to my StackOverflow question: