I wouldn't call this "off-topic", exactly, but there doesn't seem to be a general community banter tag, so... Move it if you need to.
Our general workflow, naturally, is to work locally, then copy the composer files to production and run the update. Occasionally we'll make the production database available to team contributors so they can update their locals, but not routinely since it's not necessary to have every discussion for minor presentational fiddling, etc.
We also keep a GitHub repo so new team contributors have access. But we don't make the database available to the public, naturally, and we ignore a few things in the file tree for similar reasons. That said, we want to make the repo as complete as possible without the needless, sensitive, and private stuff. "Needless" in this case would mean things like cache files.
Following is our current .gitignore file in root. Any suggestions for improvement? Are there glaring security issues? Are we being too strict on the /storage folder? I.e., could we let some child things there through? What about the composer.lock and .json files? What do you do?
## Ignore editor backup files anywhere in the tree.
*~
## Ignore configuration file (sensitive info) in root folder, of course.
config.php
## Ignore configurable .htaccess in root folder.
/.htaccess
## Ignore user avatars. Needed for local dev and production, but not the public repo.
/assets/avatars/*
## Ignore 'storage' folder and everything in it.
storage/
## Ignore .js and .css cache files in root of 'assets' folder.
/assets/*.js
/assets/*.css
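Two things are easy to get wrong when reviewing a .gitignore like the one above: a rule with no slash in it (such as `config.php`) matches that basename at any depth, not just in the root, and adding a rule never removes a file that was already committed, so a config file pushed before the rule existed stays in the repo and its history until it is removed with `git rm --cached`. The script below is an added example, not part of the original post, and it implements the commonly used subset of gitignore matching in plain Python (no git binary needed) so both points can be checked against the post's rules and a constructed sample tree; the sample paths and the "already tracked" list are made up for the demonstration.

```python
import re
from pathlib import PurePosixPath

# The .gitignore rules from the post, embedded so the script runs offline.
GITIGNORE_TEXT = """\
*~
config.php
/.htaccess
/assets/avatars/*
storage/
/assets/*.js
/assets/*.css
"""


def _glob_to_regex(glob):
    """Translate one gitignore glob into a regex fragment ('*' never crosses '/')."""
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "".join(out)


def parse_gitignore(text):
    """Parse gitignore text into (compiled regex, dir_only, negated) rules.

    Covers the commonly used subset: '#' comments, blank lines, '!' negation,
    a leading '/' anchoring the rule to the repo root, a trailing '/' limiting
    it to directories, and '*', '?', '**' wildcards. A rule with no slash in
    it matches a basename at any depth, so a bare 'config.php' also hides
    vendor/anything/config.php.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        dir_only = line.endswith("/")
        line = line.rstrip("/")
        anchored = line.startswith("/")
        line = line.lstrip("/")
        prefix = "" if anchored or "/" in line else r"(?:.*/)?"
        rules.append((re.compile(prefix + _glob_to_regex(line) + "$"), dir_only, negated))
    return rules


def _last_match(path, rules, is_dir):
    """Apply rules in order; the last matching rule decides."""
    ignored = False
    for regex, dir_only, negated in rules:
        if dir_only and not is_dir:
            continue
        if regex.match(path):
            ignored = not negated
    return ignored


def is_ignored(path, rules, is_dir=False):
    """True if the repo-relative POSIX path is excluded by the rules.

    A path is also excluded when any parent directory is: git does not
    descend into an ignored directory, so nothing below it can be re-included.
    """
    parts = PurePosixPath(path).parts
    for depth in range(1, len(parts)):
        if _last_match("/".join(parts[:depth]), rules, is_dir=True):
            return True
    return _last_match(path, rules, is_dir)


def tracked_but_ignored(tracked_paths, rules):
    """Committed paths the rules would now match.

    Adding a rule never untracks a file: anything committed before the rule
    existed stays in the repo and its history until removed with
    'git rm --cached' (plus a history rewrite if it held secrets).
    """
    return [p for p in tracked_paths if is_ignored(p, rules)]


if __name__ == "__main__":
    rules = parse_gitignore(GITIGNORE_TEXT)
    # Constructed sample working tree (not a real project layout).
    sample_tree = ["config.php", "vendor/acme/config.php", ".htaccess", "assets/.htaccess",
                   "assets/avatars/u1.png", "assets/app.js", "assets/js/app.js",
                   "storage/cache/views.php", "composer.lock", "src/README.md~"]
    for p in sample_tree:
        print(f"{'ignored' if is_ignored(p, rules) else 'kept   '}  {p}")
    # Constructed list of files that were committed before the rules were written.
    already_tracked = ["composer.json", "composer.lock", "config.php",
                       "assets/avatars/old.png", "src/index.php"]
    print("committed but now matched by .gitignore:", tracked_but_ignored(already_tracked, rules))
```

Running it shows that `assets/.htaccess` is kept while the root `.htaccess` is ignored (the leading slash anchors that rule), that `assets/js/app.js` is kept while `assets/app.js` is ignored (the `*` does not cross a slash, matching the "root of assets" intent), and that `composer.lock` is not touched by any rule. The last line is the audit to run before publishing a repo: any path it reports needs `git rm --cached` and, if it ever contained credentials, a rewrite of the history that still carries it.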