Labels: security, priority: high
Summary
secrets.defaults.properties is committed to the repository root. Per the README:
"Copy the defaults file and fill in real values: cp secrets.defaults.properties secrets.properties"
This workflow — copy a committed defaults file, fill in real credentials, use locally — is the most common pattern that leads to accidental secret commits. A contributor who misremembers that secrets.properties (not secrets.defaults.properties) is gitignored, or whose IDE auto-stages files, can easily commit real TMDB API keys, Trakt client secrets, or Supabase anon keys into a fork of this 544-star public repository.
Additionally, the defaults file itself may contain placeholder strings that some contributors copy verbatim into CI environment variables, producing silent failures that are hard to debug.
Proposed solution
- Replace
secrets.defaults.properties with a secrets.defaults.properties.template that contains only key names and inline comments describing where to obtain each credential — no placeholder values that look like real secrets (e.g. TMDB_API_KEY= not TMDB_API_KEY=your_key_here).
- Add a Gradle
check task or a pre-commit hook that validates secrets.properties is not staged for commit — similar to the pattern used by the google-services.json gitignore convention.
- Add a
## Local Secrets Setup section to the README explicitly warning: "Do not rename secrets.defaults.properties to secrets.properties. Copy it instead. The defaults file is public; secrets.properties is gitignored."
- Verify
.gitignore covers secrets.properties (it does per README), google-services.json, and any generated keystore.properties.
I'd like to be assigned this issue. I'd scope the first PR as the template rename + README warning — fast, immediately protective for every future contributor.
Labels: security, priority: high
Summary
secrets.defaults.propertiesis committed to the repository root. Per the README:This workflow — copy a committed defaults file, fill in real credentials, use locally — is the most common pattern that leads to accidental secret commits. A contributor who misremembers that
secrets.properties(notsecrets.defaults.properties) is gitignored, or whose IDE auto-stages files, can easily commit real TMDB API keys, Trakt client secrets, or Supabase anon keys into a fork of this 544-star public repository.Additionally, the defaults file itself may contain placeholder strings that some contributors copy verbatim into CI environment variables, producing silent failures that are hard to debug.
Proposed solution
secrets.defaults.propertieswith asecrets.defaults.properties.templatethat contains only key names and inline comments describing where to obtain each credential — no placeholder values that look like real secrets (e.g.TMDB_API_KEY=notTMDB_API_KEY=your_key_here).checktask or a pre-commit hook that validatessecrets.propertiesis not staged for commit — similar to the pattern used by thegoogle-services.jsongitignore convention.## Local Secrets Setupsection to the README explicitly warning: "Do not renamesecrets.defaults.propertiestosecrets.properties. Copy it instead. The defaults file is public;secrets.propertiesis gitignored.".gitignorecoverssecrets.properties(it does per README),google-services.json, and any generatedkeystore.properties.I'd like to be assigned this issue. I'd scope the first PR as the template rename + README warning — fast, immediately protective for every future contributor.