After reading How GitHub became the web’s largest font piracy site (and how to fix it) I was wondering how I can avoid uploading/publishing font files on GitHub, considering that most of my sites are deployed by Netlify, and require all files to be inside the repository.

At first I tried to encrypt the fonts using a 7z archive. Unfortunately, 7zip can not be used inside Netlify deploys, so I decided to try and download an archive from a secret, remote location before building the project:

"scripts": {
  "build": "npm run fonts:fetch && gatsby build",
  "fonts:fetch": "wget -O Fonts.zip $SECRET_FONTS_URL; unzip Fonts.zip -d ./static/fonts; rm Fonts.zip",
}

I run an NPM Script called fonts:fetch, which will download a zip file from a secret location specified inside an environment variable. This zip file can then be extracted to a desired location and Netlify can use it inside the building process.

Inside my deploy settings, I can then set that secret URL:

... which ensures that no trace of the font files is left inside the repository! 👮‍♂️