I am looking to upload my code to Crates.io, but I have a concern that there is a file here which contains an API key needed for the project to work, but I keep seeing warnings suggesting I do not share it. Now, this API key is currently on a new account that I have no care for, so if I must share it, I will, but I'd rather not do that if I don't have to.
I'm assuming that with the GitHub integration, all the code uploaded to Crates.io is everything that I have uploaded to GitHub, which is everything aside from the usual Rust gitignore, and the secret.txt. I'm guessing there's no way to leave that ignored in GitHub, but uploaded to Crates.io?
> I'm guessing there's no way to leave that ignored in GitHub, but uploaded to Crates.io?
You don't want to do that either. If you do that, anybody on the Internet can download your package and extract the API key from it. Stuff on crates.io is just as public as GitHub.
If you are publishing a package that needs an API key that needs to stay secret, then the user of the package needs to supply their own API key when using your code.
crates.io didn't share all source code, this wouldn't be practical; trying to give someone a program with an embedded API key, that they can only use by running the program, is a form of DRM, and we've all heard how DRM is fundamentally fragile.)
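Added example, not part of the original thread: one way a published crate can take the API key from its user at run time instead of shipping `secret.txt`. The names `ApiKey`, `Client`, `EXAMPLE_API_KEY` and the Bearer header are assumptions made for illustration.

```rust
use std::{env, fmt};

/// Key supplied by the crate's user at run time; never shipped in the crate.
#[derive(Clone, PartialEq, Eq)]
pub struct ApiKey(String);
#[derive(Debug, PartialEq, Eq)]
pub enum KeyError { Missing(String), Empty }

impl ApiKey {
    /// Accept a key passed in by the caller, rejecting blank values.
    pub fn new(raw: &str) -> Result<Self, KeyError> {
        let key = raw.trim(); // tolerate a trailing newline from a file or shell
        if key.is_empty() { return Err(KeyError::Empty); }
        Ok(ApiKey(key.to_owned()))
    }
    /// Read the key from an environment variable named by the caller.
    pub fn from_env(var: &str) -> Result<Self, KeyError> {
        match env::var(var) {
            Ok(v) => Self::new(&v),
            Err(_) => Err(KeyError::Missing(var.to_owned())), // unset or not valid Unicode
        }
    }
    pub fn expose(&self) -> &str { &self.0 }
}

// Redact the key so `{:?}` in logs or panic messages cannot leak it.
impl fmt::Debug for ApiKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("ApiKey(<redacted>)")
    }
}

/// Hypothetical client: the key is a constructor argument, not a bundled file.
#[derive(Debug)]
pub struct Client { key: ApiKey }

impl Client {
    pub fn new(key: ApiKey) -> Self { Client { key } }
    /// Header a request would carry (the Bearer scheme is an assumption).
    pub fn auth_header(&self) -> String { format!("Bearer {}", self.key.expose()) }
}

fn main() {
    // EXAMPLE_API_KEY is a made-up variable name; the user exports their own key.
    match ApiKey::from_env("EXAMPLE_API_KEY") {
        Ok(key) => println!("configured: {:?}", Client::new(key)),
        Err(e) => eprintln!("no API key supplied: {:?}", e),
    }
}
```

Running `cargo package --list` before `cargo publish` prints the files that would be uploaded, which is a quick way to confirm that `secret.txt` is not among them.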