Should I add the google-services.json (from Firebase) to my repository?
A google-services.json file is, from the Firebase doc:
Firebase manages all of your API settings and credentials through a single configuration file.
The file is namedgoogle-services.jsonon Android andGoogleService-Info.pliston iOS.
It seems to make sense to add it to a .gitignore and not include it in a public repo.
This was discussed in issue 26, with more details on what google-services.json contains.
A project like googlesamples/google-services does have it in its .gitignore for instance.
Although, as commented by stepheaw, this thread does mention
For a library or open-source sample we do not include the JSON file because the intention is that users insert their own to point the code to their own backend.
That's why you won't see JSON files in most of our firebase repos on GitHub.
If the "database URL, Android API key, and storage bucket" are not secret for you, then you could consider adding the file to your repo.
As mentioned in "Is google-services.json safe from hackers?", this isn't that simple though.
baueric asks in the comments:
In that post he says:
The JSON file does not contain any super-sensitive information (like a server API key)
But the
google-services.jsondoes have entry calledapi_key.
Is that a different api key than a "server api key"?
Willie Chalmers III points to "Is google-services.json safe from hackers?", and adds:
Yes, that API key isn't a server API key which should never be public, so it's fine if your
google-services.jsonis visible by others.In any case, you should still restrict how your client API key can be used in the Google Cloud console.
As noted by Puzz in the comments, see also "Is it safe to expose Firebase apiKey to the public?"
In that answer, Frank Van Puffelen mentions:
Update (May 2021): Thanks to the new feature called Firebase App Check, it is now actually possible to limit access to the backend services in your Firebase project to only those coming from iOS, Android and Web apps that are registered in that specific project.
From this discussion it seems you can add it to a public repo. Its content ends up in the APK anyway and is probably easy to extract.