According to most of what I'm seeing temporary commits that you un-commit are the only way to rebase a stash.
This seems like an awfully difficult and dangerous thing to try to test in my situation.
do temporary commits go into the you-can-never-delete-these-from-your-history such that passwords in local edits are now part of what you git push master ?
I’m not sure what you mean with “awfully difficult” or “dangerous”. You can’t really mess up much since you can always recover the old situation; and creating an additional commit will definitely never make a problem you didn’t have before.
As for your second question, every commit—including implicit commits that are created when you stash (because stashing internally creates commits)—is stored in the object database of your local repository. So yes, if you had for example passwords in your code then those are stored somewhere in the object database. But neither committing nor stashing is the actual culprit here: Just doing git add on a file will put the file contents in the database, so technically that’s already saving those passwords.
But usually that’s not really a problem. It’s your local repository, so nothing that isn’t accessible from branches will be published to other repositories when you push or someone pulls from you. And if nothing references those objects, they will eventually be garbage collected by Git.
