This repo intentionally supports local operations via .env.local (gitignored). Do not commit secrets or service-account keys.
Objective: reduce risk from keeping a GSC service-account JSON key inside the repo (even if gitignored).
- Choose a location outside the repo, e.g.:
~/.config/fractionalcfoschool/credentials/gsc-service-account.json
- Create the folder and move the key:
mkdir -p ~/.config/fractionalcfoschool/credentials
mv ./.gcloud-service-account.json ~/.config/fractionalcfoschool/credentials/gsc-service-account.json
- Lock down file permissions:
chmod 600 ~/.config/fractionalcfoschool/credentials/gsc-service-account.json
- Update .env.local to point GOOGLE_APPLICATION_CREDENTIALS at the new absolute path.
- Ensure the old key file is removed from the repo working tree and never committed:
  - If it was ever committed, remove it from git history and rotate immediately.
- In Google Cloud Console: IAM & Admin → Service Accounts → select the service account → Keys.
- Create a new key (JSON) and download it to the external location above.
- Update local .env.local to point to the new key path.
- Run python3 scripts/company_snapshot.py --section seo and confirm GSC data is present (no gsc_error).
- After verification, delete/disable the old key in the Console.
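One way to verify the relocation steps above before relying on the key, as an added example that is not part of this repo. The function names check_key_file and key_ever_committed and the script name check_key.sh are hypothetical; the old key filename is the one used in the mv step.

```shell
#!/usr/bin/env bash
# Added example, not part of this repo. Function names are hypothetical.

# check_key_file KEY_PATH REPO_ROOT: prints "ok" or a reason, returns 0 or 1.
check_key_file() {
  key=$1; repo=$2
  case $key in
    /*) ;;
    *) echo "not-absolute"; return 1 ;;
  esac
  [ -f "$key" ] || { echo "missing"; return 1; }
  # Compare physical directories so ".." and symlinked directories are resolved.
  key_dir=$(cd "$(dirname "$key")" && pwd -P) || { echo "missing"; return 1; }
  repo_dir=$(cd "$repo" && pwd -P) || { echo "bad-repo"; return 1; }
  case "$key_dir/" in
    "$repo_dir"/*) echo "inside-repo"; return 1 ;;
  esac
  # GNU stat first, BSD/macOS stat as the fallback.
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  [ "$mode" = "600" ] || { echo "mode-$mode"; return 1; }
  echo "ok"
}

# key_ever_committed REPO_ROOT REL_PATH: returns 0 if any commit on any ref
# touched REL_PATH (in which case the key must be purged and rotated).
key_ever_committed() {
  [ -n "$(git -C "$1" log --all --format=%H -- "$2" 2>/dev/null)" ]
}

# Usage: ./check_key.sh "$GOOGLE_APPLICATION_CREDENTIALS" /path/to/repo
if [ "$#" -eq 2 ]; then
  check_key_file "$1" "$2" || exit 1
  if key_ever_committed "$2" .gcloud-service-account.json; then
    echo "key found in git history: purge it and rotate"; exit 1
  fi
fi
```

The check does not follow a key file that is itself a symlink, so point GOOGLE_APPLICATION_CREDENTIALS at the real file.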
Prefer keyless auth for production workloads (e.g. Workload Identity / short-lived credentials) or store keys only in a secret manager and mount them at runtime. Keep this repo key-free.