.secrets -

# .secrets.template DATABASE_PASSWORD=<your-local-password> API_KEY=<get-from-vault> The developer copies .secrets.template to .secrets and fills in the blanks. The template contains no real secrets, so it is safe in Git. The .secrets file is a bridge technology. It is human-readable, easy to debug, and works everywhere. But the industry is moving toward ephemeral secrets and OIDC (OpenID Connect) .

However, we are not there yet. For the next five years, every developer will still touch a .secrets file. It is the last line of defense between your code and a catastrophic data breach. The .secrets file is tiny, unassuming, and dangerously powerful. It demands respect. .secrets

In the future, you won't have a file at all. Your application will ask the cloud provider: "Who am I?" The cloud says: "You are EC2 instance i-1234." The application then gets a short-lived token (valid for 1 hour) from the vault. No static .secrets file exists anywhere. It is human-readable, easy to debug, and works everywhere