What is that file for? Per path settings.
One of those settings is filter which can transform a file
when it's staged clean and when its checked out smudge.
age Because why not have a sane file encrypting tool?
Yes, this global config. But your secrets are global too, surely can't hurt much.
Use ascii armoured because binary files look weird on the web.
1# ~/.config/git/config
2[filter "ageencrypt"]
3 clean = age -r age14mg08panez45c6lj2cut2l8nqja0k5vm2vxmv5zvc4ufqgptgy2qcjfmuu -a -
4 smudge = age -d -i ~/.ssh/age.key -
5 required = true
This is per repo config
secret.yaml filter=ageencrypt