GitHub for the vibe coder: repo, gh CLI, what never gets committed
A repo, the gh CLI, and a .gitignore that actually protects you. What to commit, what never to commit, and how to recover if a secret slips through.
GitHub for the vibe coder
An AI agent will run git add, git commit, and sometimes git push on your behalf. Before that happens, get the repo hygiene right - once a secret is committed, it is in the history forever unless you rewrite it.
1. Create the repo
gh auth login
gh repo create my-app --private --source=. --remote=origin
git push -u origin main
gh is GitHub’s official CLI. gh auth login handles the OAuth dance in a browser; after that, gh and git push/pull work without re-entering credentials.
Default to private. Make it public later, deliberately, once you’ve checked what’s in it.
2. The .gitignore that matters
Before your first commit, not after:
# Secrets - never committed
.env
.env.local
.env.*.local
.env.production
.dev.vars
# Dependencies and build output
node_modules
dist
dist-api
# Local data
*.db
*.db-wal
*.db-shm
The .env* lines are the ones that matter most. An agent working fast will happily read your API keys from .env to make a request - that’s fine, it needs them to run the app - but it should never be able to git add that file because it isn’t tracked in the first place.
3. What to commit vs never commit
Commit: source code, migrations, wrangler.toml / systemd unit templates (with placeholder values), package.json, content files, this project’s own CLAUDE.md or agent instructions.
Never commit: .env* files, API keys and tokens in any form, database dumps, .pem/.key TLS files, session secrets, anything with a customer email address in it.
If you’re not sure whether a file is safe, ask: “if this repo goes public tomorrow, does this file cause damage?” If yes, it’s in .gitignore.
4. If a secret already got committed
Rotate the secret first - assume it’s compromised the moment it hits git, even in a private repo (private repos get made public by accident, collaborators get added, forks happen).
git log --all --full-history -- .env # confirm it's in history
To actually remove it from history (not just the latest commit), use git filter-repo or BFG Repo-Cleaner - a plain git rm + commit only removes it going forward, the secret is still readable in old commits. This is a destructive rewrite (changes every commit hash after the leak), so coordinate with anyone else who has the repo cloned.
5. Branch protection, if you’re not solo
For a solo vibe coder shipping direct-to-prod, branch protection and required reviews are usually overhead - you’re both the author and the reviewer. Turn it on once a second person joins:
gh api repos/{owner}/{repo}/branches/main/protection \
--method PUT \
-f required_pull_request_reviews.required_approving_review_count=1
Until then, the safety net is simpler: commit before you let an agent make changes, so git diff and git checkout . are always your undo button.
New models & deals, once a month
New proprietary and open-source models worth trying, price drops, and the best deals on AI coding plans. No spam.