chore(security): externalize secrets to git-ignored application-local.yml

Remove hardcoded DB credentials and YouTube API key fallbacks from application.yml; resolve them from env vars or an optional, git-ignored application-local.yml (spring.config.import). Add a tracked application-local.yml.example template and ignore the real local file. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 16:08:26 +09:00 · 2026-05-31 16:08:26 +09:00 · fd8403438e
commit fd8403438e
parent 2cdae03998
3 changed files with 18 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -11,6 +11,7 @@ out/

 # Secrets (DO NOT COMMIT)
 src/main/resources/credentials.json
+src/main/resources/application-local.yml
 tokens/
 *.log

--- a/src/main/resources/application-local.yml.example
+++ b/src/main/resources/application-local.yml.example
@ -0,0 +1,8 @@
+# Template for local secrets. Copy to `application-local.yml` (git-ignored)
+# and fill in real values, or supply these as environment variables instead.
+# application.yml imports application-local.yml optionally and resolves these
+# placeholders from it.
+DB_URL: jdbc:postgresql://<host>:5432/<db>
+DB_USERNAME: <username>
+DB_PASSWORD: <password>
+YOUTUBE_API_KEY: <youtube-data-api-key>
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@ -1,11 +1,15 @@
 spring:
  application:
    name: h-lab
+  # Secrets are supplied via environment variables, or a git-ignored
+  # application-local.yml (see application-local.yml.example). No secrets here.
+  config:
+    import: optional:classpath:application-local.yml
  datasource:
-    url: ${DB_URL:jdbc:postgresql://122.46.74.90:5432/hlab}
+    url: ${DB_URL:}
    driverClassName: org.postgresql.Driver
-    username: ${DB_USERNAME:hylee}
-    password: ${DB_PASSWORD:hylee123!@#}
+    username: ${DB_USERNAME:}
+    password: ${DB_PASSWORD:}
  jpa:
    database-platform: org.hibernate.dialect.PostgreSQLDialect
    hibernate:
@ -37,10 +41,10 @@ springdoc:
 server:
 port: 8088

-# YouTube Data API 키 (환경변수 YOUTUBE_API_KEY 로 오버라이드 가능, 기본값은 기존 키)
+# YouTube Data API 키 (YOUTUBE_API_KEY 환경변수 또는 application-local.yml 로 주입)
 youtube:
  api:
-    key: ${YOUTUBE_API_KEY:AIzaSyB1oh0pahAf0xl0DMRQnuqxrC1uapxHHKk}
+    key: ${YOUTUBE_API_KEY:}

 hlab:
  # 정기 자동 수집: 등록 채널의 신규 Shorts 를 주기적으로 수집