One gitignore to rule them all. Never commit secrets or AI local state — not by accident, not by habit.

The dryvist/.github repo ships a canonical .gitignore baseline at configs/gitignore. Every new repo adopts it by appending (not overwriting) to the repo’s own .gitignore, preserving repo-specific entries while inheriting the org-wide safety floor.
What it covers
The baseline targets two categories of files that must never reach git history:

Secrets and credentials

- `.env`, `.env.*` (except `.env.example`) — never commit real env files
- `*.pem`, `*.key`, `*.p12`, `*.pfx` — private keys
- `terraform.tfvars` (unencrypted), `credentials.json`, `secrets.yaml` (unencrypted)

AI local state

- `.claude/mcp_settings.json` — MCP server list (can contain tokens)
- `CLAUDE.local.md`, `AGENTS.local.md`, `.envrc.local` — local overrides (gitignored by convention)
- `*.local.md` — any local-only markdown
.gitignore):
| Path | Why it’s committed |
|---|---|
| .envrc | use flake directive; the SOPS_AGE_KEY_FILE path is not a secret |
| *.sops.yaml / *.sops.yml | SOPS-encrypted ciphertext — safe to commit |
| .terraform.lock.hcl | Provider lock file — committed by convention |
| .claude/settings.json | Project AI config — committed on purpose |
| .claude/rules/, committed skills/agents | Project Claude Code config |
| CLAUDE.md, AGENTS.md | Project AI instructions |
Adopting in a new repo
Use >> (append) so repo-specific entries are preserved. De-duplicate afterward if needed.
Scope
The baseline covers secrets and AI state only — it is not a comprehensive language gitignore. Pair it with a language-specific template (GitHub’s .gitignore templates, gitignore.io) for full coverage.
Future work
- Automate adoption in the repo scaffold / copier template so new repos inherit the baseline at creation time rather than manually.
- Add a pre-commit hook that checks for .env files without the example suffix before every commit.
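The two pieces of future work, worked through as an added example that is not code from the dryvist/.github repo: an append-without-duplicates adoption helper for the baseline, and a pre-commit check that refuses staged paths matching the baseline's secret and AI-local patterns (including .env files without the example suffix). The baseline file path is passed in rather than fetched, and the hook location .git/hooks/pre-commit is an assumption.

```sh
# Added example (not dryvist/.github code): adoption helper plus the planned
# pre-commit check. The baseline path is passed in; nothing here fetches it.

# Read one path per line on stdin; print each blocked one and return 1 if any.
# Globbing is done with `case`, so this runs under plain POSIX sh.
blocked_paths() {
    status=0
    while IFS= read -r path; do
        base=${path##*/}
        case "$base" in
            .env.example) continue ;;                  # sample env file: allowed
            .env|.env.*) reason="real env file" ;;
            *.pem|*.key|*.p12|*.pfx) reason="private key" ;;
            terraform.tfvars|credentials.json|secrets.yaml) reason="unencrypted secret" ;;
            *.local.md|.envrc.local) reason="local-only override" ;;
            mcp_settings.json)
                # only the Claude MCP config path is in scope
                case "$path" in
                    .claude/mcp_settings.json|*/.claude/mcp_settings.json)
                        reason="MCP server list (may contain tokens)" ;;
                    *) continue ;;
                esac ;;
            *) continue ;;
        esac
        printf 'blocked: %s (%s)\n' "$path" "$reason" >&2
        status=1
    done
    return "$status"
}

# Append baseline entries missing from the repo's .gitignore (never overwrite;
# comments and blank lines in the baseline are skipped to keep the diff small).
adopt_baseline() {
    baseline=$1; target=$2
    [ -f "$target" ] || : > "$target"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        grep -qxF -- "$line" "$target" || printf '%s\n' "$line" >> "$target"
    done < "$baseline"
}

# Pre-commit entry point: every staged path (added, copied, renamed) is checked,
# which also catches `git add -f` and repos that never adopted the baseline.
pre_commit() {
    git diff --cached --name-only --diff-filter=ACR | blocked_paths
}

# Runs the check only when installed as .git/hooks/pre-commit (assumed location).
case "$0" in */pre-commit) pre_commit ;; esac
```

The check is path-based, so SOPS ciphertext such as secrets.sops.yaml and the intentionally committed .claude/settings.json pass through untouched.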