8

I made a commit in my git repo and pushed it, but accidentally it contained some passwords for our production machines. So I deleted the commit:

```
git reset --hard HEAD~1
git push --force
```

That indeed removed the commit from the list of commits, but the URL to the commit on GitLab still shows the source of the commit.

I'm not sure whether this is git which still saves the contents of the commit on the GitLab servers, or the GitLab databases which somehow store the contents of the commit, but I really need to completely remove that commit from the GitLab servers.

Does anybody know a way to completely remove a commit and its contents from GitLab?

kramer65
  • 5
    This probably goes without saying, but be sure to change those passwords regardless. – jsageryd Apr 04 '18 at 09:59
  • 5
    I don't know if GitLab keeps a copy. Git keeps the commit until it is garbage collected. You can trigger an early garbage collection. See if running `git gc --prune=now` in the repo on the server helps. – jsageryd Apr 04 '18 at 10:05
  • Look at [this](https://stackoverflow.com/a/3293592/9766958) – Filippo Nov 18 '21 at 14:07

3 Answers

2

As you may have noticed, even if you rewrite your git history and force-push the change to the repository, the removed commits will still be present in several places in GitLab. You'll notice, for example, merge requests that reference deleted commits still show the content of references in the MR. GitLab holds onto refs and their content in several places that can't be directly pushed over (protected refs not advertised by the git server) including `refs/merge-requests/*`, `refs/pipelines/*`, `refs/environments/*` and `refs/keep-around/*`.

To remove such references, you need to follow the purge files from repository history procedure in order to completely remove the content of these references from GitLab. This process is intended for helping reduce repository size, but works for your use case as well.

As mentioned in the comments, the appropriate action to take when a secret is accidentally committed is to rotate the secret. Removing it from your history doesn't necessarily stop someone who already has the secret from using it.

sytech
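Added example (not part of the answer above and not GitLab's own code): a local simulation of why the force-push from the question does not remove the commit from the server, and why `git gc --prune=now` alone does not help while a hidden ref exists. A bare repository stands in for the server, a ref following the `refs/keep-around/*` pattern is created by hand to play the server-side ref, and the file contents, paths and function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: runs entirely in a temp dir; the "password" is a made-up string.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# stored <git-dir> <sha>: prints yes/no, is the object still in that repository?
stored() {
  if git --git-dir="$1" cat-file -e "$2" 2>/dev/null; then echo yes; else echo no; fi
}

# refs_holding <git-dir> <sha>: every ref from which the commit is still reachable
refs_holding() {
  git --git-dir="$1" for-each-ref --contains "$2" --format='%(refname)' 2>/dev/null || true
}

run_demo() {
  tmp=$(mktemp -d); remote="$tmp/remote.git"; work="$tmp/work"
  git init -q --bare "$remote"      # stands in for the server-side repository
  git init -q "$work"
  echo 'host=db1' > "$work/app.conf"
  git -C "$work" add app.conf
  git -C "$work" commit -q -m 'initial'
  echo 'password=CONSTRUCTED-NOT-REAL' >> "$work/app.conf"
  git -C "$work" commit -q -am 'add config'
  LEAKED=$(git -C "$work" rev-parse HEAD)
  git -C "$work" push -q "$remote" HEAD:refs/heads/main

  # Assumption: simulate a server-created hidden ref pointing at the commit.
  git --git-dir="$remote" update-ref "refs/keep-around/$LEAKED" "$LEAKED"

  # The cleanup from the question.
  git -C "$work" reset -q --hard HEAD~1
  git -C "$work" push -q --force "$remote" HEAD:refs/heads/main

  HOLDERS=$(refs_holding "$remote" "$LEAKED")       # only the hidden ref remains
  git --git-dir="$remote" gc -q --prune=now 2>/dev/null
  AFTER_GC_WITH_REF=$(stored "$remote" "$LEAKED")   # the hidden ref pins the object
  git --git-dir="$remote" update-ref -d "refs/keep-around/$LEAKED"
  AFTER_REF_DELETED=$(stored "$remote" "$LEAKED")   # unreachable, not yet collected
  git --git-dir="$remote" gc -q --prune=now 2>/dev/null
  AFTER_FINAL_GC=$(stored "$remote" "$LEAKED")      # collected
  rm -rf "$tmp"
}

run_demo
printf 'held by: %s\nafter gc with ref: %s\nafter ref deleted: %s\nafter final gc: %s\n' \
  "$HOLDERS" "$AFTER_GC_WITH_REF" "$AFTER_REF_DELETED" "$AFTER_FINAL_GC"
```

On a hosted GitLab instance you cannot run these server-side steps yourself, which is why the answer points to GitLab's own purge procedure.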
2

You can use `--no-edit` in this case. Steps:

  • Change the password in the file, or remove that file.
  • Run `git add <changed_file>`
  • Run `git commit --amend --no-edit` [this can change/add/remove the last commit's content without an additional commit]
  • Run `git push --force-with-lease <remote> <branch_name>` [safer way of force-pushing] OR `git push -f <remote> <branch_name>`
  • Now the password you've changed or the file that you removed will not display in GitLab.

Hope this helps in future.

Monish Khatri
0

You should probably start with looking at the web interface for your GitLab repository. If the branch is there, you can delete it by running

```
git push <remote> :<branch>
```

This will replace `<branch>` with what's before the colon, i.e., nothing, at the specified remote. If you can't check if the branch is at the remote using the web interface, you should be able to get all the branches or at least list them using some `git fetch`-like command, not sure how.

If the branch is not listed at the remote, you just have a local copy of what was at the remote, and you should be able to delete that copy with, e.g.,

```
git branch -D -r <remote>/<branch>
```

I can't speak for GitLab's internals, so I can't guarantee that the data will be destroyed if you do this, so you should replace all passwords as already suggested.

nixlarfs