dupligit
v1.0.2
Published
Sanitize and mirror a private repo to a public repo using simple JSON-configured regex rules and ignore globs.
Maintainers
Readme
dupligit
Sanitize & mirror a private repository to a public one on every push — with a tiny config-driven tool. Ideal for maintaining a public repo from a parent repo that has secrets or sensitive data.
- 🧽 Replace secrets using simple regex rules
- 🚫 Skip sensitive files using ignore globs
- 🔁 Push the sanitized tree to a target repo/branch
- 🧰 Use as a CLI or GitHub Action
- 🪶 Minimal deps: only
minimatch
Install (CLI)
# local use
npm i -D dupligit
npx dupligit --helpOr run via node if vendored in your repo:
node node_modules/dupligit/bin/dupligit.jsConfig
Create a dupligit.config.json at the root of your private repo:
{
"targetRepo": "https://github.com/you/your-public-mirror",
"targetBranch": "main",
"rules": [
{ "pattern": "API_KEY=.*", "replacement": "API_KEY=YOUR_API_KEY_HERE", "flags": "g" },
{ "pattern": "password\\s*=\\s*[\"'][^\"']+[\"']", "replacement": "password = \"REDACTED\"", "flags": "gi" }
],
"ignore": [
"*.env",
"*.env.*",
".env*",
"secrets/",
"private/",
"*.key",
"*.pem",
"config/production.*",
"dupligit.config.json"
]
}You can also set
DUPLIGIT_CONFIG=path/to/config.jsonin the environment.
Usage
# from the root of your private repo
export DUPLIGIT_TOKEN=<gh_pat_with_repo_scope>
npx dupligit -vOptions:
-c, --configPath to config JSON (defaults todupligit.config.json)-f, --forceForce push to target branch-v, --verboseVerbose logs
GitHub Action
use npx dupligit-setup-action to automatically do the following or manually
Add a workflow to your private repo at .github/workflows/dupligit.yml:
name: dupliGit (Mirror)
on:
push:
branches: [ "**" ] # or your source branch
jobs:
mirror:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-node@v4
with:
node-version: '20'
- run: npm i dupligit@latest
- run: npx dupligit -f -v
env:
DUPLIGIT_TOKEN: ${{ secrets.DUPLIGIT_TOKEN }}Auth: Create a fine-scoped PAT on the target GitHub account/repo with permission to push to the target repo. Save it as
DUPLIGIT_TOKENin the private repo’s settings.
How it works
- Lists tracked files via
git ls-files. - Excludes any paths matching the
ignorepatterns. - Reads each remaining file:
- If binary, copies as-is.
- If text, sequentially applies each regex rule to the file content.
- Initializes a temp Git repository, commits, and pushes to the
targetRepo/targetBranch.
Safety tips
- Prefer deny-by-default ignores; add folders like
secrets/,private/,*.env,*.pem. - Redaction regexes should be specific; test with representative samples.
- Consider adding a pre-push hook in your private repo to run
dupligitand block pushes if redaction fails. - Run against a throwaway target repo first to verify results.
Troubleshooting
- No changes to publish. — After replacements, nothing changed between runs.
- Auth failures. — Ensure
DUPLIGIT_TOKENhas push rights totargetRepo. If yourtargetRepois not on GitHub, embed credentials in the URL or configure your git credential helper. - Line endings. — The tool preserves your file’s original line endings. Configure
.gitattributesif you need normalization.
License
MIT
Extra auth options
In addition to using DUPLIGIT_TOKEN env or Git credential helpers, you can specify:
"sshKey": "/path/to/private/key"
dupligit willssh-addthis key before pushing."tokenCommand": "gh auth token"
dupligit will run the command and use its stdout as the token.
Example:
{
"targetRepo": "[email protected]:you/your-public-mirror.git",
"sshKey": "~/.ssh/dupligit_mirror",
"tokenCommand": "pass show github/dupligit-token",
"rules": [],
"ignore": []
}Authentication options
Pick one — no secrets in files required:
1) SSH deploy key (recommended for local hooks)
ssh-keygen -t ed25519 -C "dupligit-mirror" -f ~/.ssh/dupligit_mirror
# Add ~/.ssh/dupligit_mirror.pub as a Deploy Key (with write) on the public mirror repoIn dupligit.config.json:
{ "targetRepo": "[email protected]:you/your-public-mirror.git", "sshKey": "~/.ssh/dupligit_mirror" }2) Environment token (simple for CI)
export DUPLIGIT_TOKEN=<gh_pat_with_repo_scope>
npx dupligit3) tokenCommand (pull token from a safe helper)
{ "tokenCommand": "gh auth token" }dupligit will run the command and use its stdout as the token if no env token is set.
4) System Git credential helper
Configure your OS credential store (Keychain/Manager/etc.) and do a one-time authenticated push to cache creds. dupligit will reuse them.
