One gitignore to rule them all. Never commit secrets or AI local state — not by accident, not by habit.
The dryvist/.github repo ships a canonical .gitignore baseline at configs/gitignore. Every new repo adopts it by appending (not overwriting) to the repo’s own .gitignore, preserving repo-specific entries while inheriting the org-wide safety floor.

What it covers

The baseline targets two categories of files that must never reach git history:

Secrets and credentials
  • .env, .env.* (except .env.example) — never commit real env files
  • *.pem, *.key, *.p12, *.pfx — private keys
  • terraform.tfvars (unencrypted), credentials.json, secrets.yaml (unencrypted)
AI-assistant local / machine state
  • .claude/mcp_settings.json — MCP server list (can contain tokens)
  • CLAUDE.local.md, AGENTS.local.md, .envrc.local — local overrides (gitignored by convention)
  • *.local.md — any local-only markdown
Intentional carve-outs (do NOT add these back to .gitignore):
Path                                      Why it's committed
.envrc                                    holds the direnv 'use flake' directive; the SOPS_AGE_KEY_FILE path is not a secret
*.sops.yaml / *.sops.yml                  SOPS-encrypted ciphertext — safe to commit
.terraform.lock.hcl                       Provider lock file — committed by convention
.claude/settings.json                     Project AI config — committed on purpose
.claude/rules/, committed skills/agents   Project Claude Code config
CLAUDE.md, AGENTS.md                      Project AI instructions

Adopting in a new repo

gh api repos/dryvist/.github/contents/configs/gitignore \
  -H "Accept: application/vnd.github.raw" >> .gitignore
Use >> (append) so repo-specific entries are preserved. De-duplicate afterward if needed.
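A plain `>>` appends the whole baseline every time it is run, so a second adoption (or a repo that already carries some of the same patterns) leaves duplicates behind. The script below is an added example, not tooling from the dryvist/.github repo: it merges a baseline into a repo's .gitignore line by line, skipping any pattern the file already has, so it is idempotent and never touches the repo-specific entries. The BASELINE text is a constructed stand-in for configs/gitignore built from the categories listed above; the `!.env.example` negation is this example's assumption about how the ".env.example" carve-out is expressed, not a quote of the real file.

```shell
#!/bin/sh
# Added example: idempotent adoption of an org .gitignore baseline.
# Not the dryvist/.github repo's own code. BASELINE is a constructed stand-in
# for configs/gitignore; its exact patterns (including !.env.example) are assumptions.
set -eu

BASELINE='# --- org baseline: secrets and credentials ---
.env
.env.*
!.env.example
*.pem
*.key
*.p12
*.pfx
terraform.tfvars
credentials.json
secrets.yaml
# --- org baseline: AI-assistant local state ---
.claude/mcp_settings.json
CLAUDE.local.md
AGENTS.local.md
.envrc.local
*.local.md'

# merge_gitignore BASELINE_TEXT TARGET_FILE
# Appends each baseline line to TARGET_FILE unless an identical line is already
# there. Blank lines are skipped, existing entries are left untouched, and a
# second run appends nothing, which is what a bare `>>` cannot guarantee.
# Negations such as !.env.example still land after .env.* because baseline
# order is preserved and later lines win in gitignore semantics.
merge_gitignore() {
  _text=$1; _target=$2
  [ -f "$_target" ] || : > "$_target"
  printf '%s\n' "$_text" | awk -v target="$_target" '
    BEGIN { while ((getline l < target) > 0) seen[l] = 1; close(target) }
    /^[[:space:]]*$/ { next }                      # skip blank baseline lines
    !($0 in seen) { print $0 >> target; seen[$0] = 1 }
  '
}

# demo: merge into a constructed repo .gitignore and, if git is available,
# show which paths the merged rules ignore and which carve-outs survive.
demo() {
  d=$(mktemp -d)
  printf 'node_modules/\n*.pem\n' > "$d/.gitignore"   # constructed repo-specific entries
  merge_gitignore "$BASELINE" "$d/.gitignore"
  echo "merged .gitignore:"; cat "$d/.gitignore"
  if command -v git >/dev/null 2>&1; then
    ( cd "$d" && git init -q . &&
      git check-ignore -v .env .env.production .env.example .envrc \
        secrets.sops.yaml CLAUDE.md .claude/mcp_settings.json || true )
  fi
  rm -rf "$d"
}
demo
```

Run it once to adopt and again after the baseline changes upstream; only genuinely new patterns are appended. The `git check-ignore -v` step at the end is the quickest way to confirm that a carve-out such as `.envrc` or `secrets.sops.yaml` is still committed after the merge.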

Scope

The baseline covers secrets and AI state only — it is not a comprehensive language gitignore. Pair it with a language-specific template (GitHub’s .gitignore templates, gitignore.io) for full coverage.

Future work

  • Automate adoption in the repo scaffold / copier template so new repos inherit the baseline at creation time rather than manually.
  • Add a pre-commit hook that checks for .env files without the example suffix before every commit.
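A .gitignore entry is only advisory: `git add -f` bypasses it, and a file that was tracked before the baseline was adopted stays tracked. The hook sketch below is an added example for the second future-work item, not the org's own hook; its pattern list is an assumption derived from the categories on this page. The check is kept in a function that reads paths from stdin so it can be exercised without a repository, and it honours the page's carve-outs (`.env.example`, `.envrc`, `*.sops.yaml`, `CLAUDE.md`).

```shell
#!/bin/sh
# Added example: pre-commit hook that refuses staged secret / AI-local-state files.
# Not the dryvist org's hook; the pattern set is an assumption built from this page.
set -eu

# flag_secret_paths: read one repo-relative path per line on stdin, print each
# path that matches a secret or local-state pattern, exit 1 if any were found.
flag_secret_paths() {
  _hits=0
  while IFS= read -r p; do
    base=${p##*/}
    case "$base" in
      .env.example) continue ;;                 # the one permitted .env variant
      *.sops.yaml|*.sops.yml) continue ;;       # SOPS ciphertext is safe to commit
      .env|.env.*|*.pem|*.key|*.p12|*.pfx|terraform.tfvars|credentials.json|secrets.yaml|\
      CLAUDE.local.md|AGENTS.local.md|.envrc.local|*.local.md)
        printf '%s\n' "$p"; _hits=$((_hits + 1)) ;;
    esac
    case "$p" in                               # path-qualified entry: MCP server list may hold tokens
      .claude/mcp_settings.json|*/.claude/mcp_settings.json)
        printf '%s\n' "$p"; _hits=$((_hits + 1)) ;;
    esac
  done
  [ "$_hits" -eq 0 ]
}

# Installed as .git/hooks/pre-commit and invoked with --hook, scan only the
# staged added/copied/modified/renamed files, so an ignored-but-forced file
# is caught even though .gitignore let it through.
if [ "${1:-}" = "--hook" ]; then
  if ! git diff --cached --name-only --diff-filter=ACMR | flag_secret_paths; then
    echo "pre-commit: refusing to commit the secret or local-state files listed above" >&2
    exit 1
  fi
fi
```

Because the hook inspects the staged file list rather than the working tree, renaming `.env` to `config/.env.production` or staging a `*.pem` under a subdirectory is still caught, while `secrets.sops.yaml` and `.env.example` pass as the carve-out table intends.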