When deploying with DeployHQ, you can exclude files and directories from being uploaded to your server. But what if you want to exclude a parent directory while still deploying specific files or subdirectories inside it?
That's where whitelisting comes in. By prefixing a rule with !, you can create exceptions within your exclusion rules — keeping specific files or directories even when their parent is excluded.
How it works
Whitelisting rules use the same syntax as exclusion rules, but with a ! prefix. They can be configured in Settings → Excluded Files in your project, or in a .deployignore file in the root of your repository.
flowchart TD
A[File in Repository] --> B{Matches exclusion rule?}
B -- No --> C[✅ Deployed]
B -- Yes --> D{Matches whitelist rule?}
D -- No --> E[❌ Excluded]
D -- Yes --> F[✅ Deployed]
Common examples
Exclude node_modules but keep a specific package
You use a vendored package that needs to be on the server, but want to exclude the rest of node_modules:
node_modules
node_modules/**
!node_modules/my-custom-package
!node_modules/my-custom-package/**
Exclude all config files but keep a template
Your config/ directory contains secrets, but you want to deploy a sample configuration:
config
config/**
!config/config.sample.php
Exclude build artifacts but keep a dist folder
You don't want source maps or test output deployed, but need the compiled assets:
build
build/**
!build/dist
!build/dist/**
Exclude all dotfiles but keep .htaccess
**/.*
!.htaccess
Syntax reference
| Pattern | Effect |
|---|---|
vendor |
Excludes the vendor directory entry |
vendor/** |
Excludes all contents inside vendor |
!vendor/autoload.php |
Whitelists a single file inside vendor |
!vendor/my-lib/** |
Whitelists an entire subdirectory |
**/*.log |
Excludes all .log files at any depth |
!logs/access.log |
Keeps one specific log file |
Important notes:
- Directory rules must not end with a trailing slash
- Use
**to recurse through nested directories - Whitelist rules are evaluated after exclusion rules
- Both project-level exclusions and
.deployignoresupport whitelisting
Using .deployignore
Instead of configuring exclusions through the DeployHQ UI, you can add a .deployignore file to the root of your repository. This keeps your exclusion rules version-controlled alongside your code:
@title: .deployignore
# Exclude dependencies
vendor
vendor/**
# But keep the autoloader
!vendor/autoload.php
!vendor/composer
!vendor/composer/**
# Exclude environment files
**/*.env
# Exclude test directories
tests
tests/**
Note that .deployignore does not support per-server exclusions — for server-specific rules, use the project settings UI.
Verifying your rules
After running a deployment, you can verify which files were excluded by checking the deployment log. During the Generate Manifest
step, DeployHQ shows a full list of excluded files for each server — a useful way to confirm your whitelist rules are working as expected.
For the full documentation on exclusion and whitelisting syntax, see our support article. You may also find these guides helpful:
- Stop certain files from being uploaded during a deployment — the basics of file exclusions
- Excluded files per server — different exclusion rules for different servers
- Building a CI/CD pipeline from scratch with DeployHQ — broader deployment automation
- Protect your environments: practical security tips — keep secrets out of deployments
Ready to streamline your deployments? Sign up for DeployHQ and get started in minutes. If you have any questions, reach out to us at support@deployhq.com or on Twitter/X @deployhq.