
So I forked a public repo and accidentally pushed to my fork a file that contains my credentials to it. After deleting my forked repo on GitHub, and the credentials from the provider as well, I forked it again and found that my pushed commit is still there on a 'tree' branch of my newly forked repo (accessible via the link attached to the provider's notice email), and it says that the original owner is a collaborator, who likely could have seen it. So for now I have deleted that repo again.

Is there any way to delete that 'tree' branch which contains my API key and fork it fresh with no history? Or is it enough to just disable the API key? (But then I can't fork that repo anymore.) Thank you.

itonia.x.i
    I think you should get help from GitHub Support. – j6t Mar 30 '20 at 10:36
  • 1
    Does this answer your question? [Remove sensitive files and their commits from Git history](https://stackoverflow.com/questions/872565/remove-sensitive-files-and-their-commits-from-git-history) – phd Mar 30 '20 at 11:37
  • https://stackoverflow.com/search?q=%5Bgithub%5D+remove+sensitive+file – phd Mar 30 '20 at 11:37
  • Especially this answer: https://stackoverflow.com/a/32840254/7976758 – phd Mar 30 '20 at 11:37
  • I just tried using filter-branch as suggested, and while the file is gone on my master branch, those credentials are still accessible by link (). It seems like the solution you proposed is only applicable to a self-owned repo, not one from another owner that I have forked, as in this case. – itonia.x.i Mar 30 '20 at 12:08
  • The problem is that the original repo owner, as a collaborator, might have been able to see that file. (I revoked that, so it might just be fine.) – itonia.x.i Mar 30 '20 at 12:12

1 Answer


You need to assume that your credentials are public and revoke them. At this point, anyone could have found them.

The reason you're seeing this is because GitHub shares objects across repositories in a network. When you create a repository, all of the objects of the original repository and all the forks are shared in one location. Therefore, deleting your repository doesn't help, because those objects will reappear.

You can contact GitHub Support after reading the documentation on this, but as the documentation says, you have to assume your credentials are public now. If you don't care that the credentials are public because you've revoked them, then there's nothing to do and you can go on merrily about your life.

bk2204
  • It is because I don't have my fork anymore; it is 404 Not Found when I follow the link, but it wasn't when I had the forked repo. Will it not be found if I make it private? But could the original repo owner still see it? – itonia.x.i Mar 30 '20 at 11:21
  • 1
    @itonia.x.i It doesn't matter whether anyone else can see them *now*. Remember that someone—anyone—could see them, if only for just one minute or so, the moment after you pushed the commit you should not have pushed. Suppose that someone, somewhere, *did* see the credentials and *copied them* and now has them available on a black-hat site. Removing the GitHub copy won't affect the black-hat site's copy. – torek Mar 30 '20 at 21:19
  • 1
    The data is still there and still visible, even if you've deleted your fork, because GitHub does not usually garbage-collect data. You must revoke those credentials and assume they're compromised, since anyone could have seen them or could still. – bk2204 Mar 30 '20 at 22:23
  • Alright, just to make sure no one can use those credentials, I have revoked them. Now I can sleep well tonight and after. Thank you. – itonia.x.i Mar 31 '20 at 02:58
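To make the answer's point concrete, here is an added example (not part of the original answer, and not GitHub tooling): a small Python scanner that walks every commit of a history rather than only the branch tip, so a key that was deleted in a later commit, as in the question, is still reported. The constructed two-commit history, the made-up `ghp_…` value and the `iter_git_history` helper that shells out to `git` for a real repository are assumptions of this example; the GitHub `ghp_` and AWS `AKIA` prefixes are the providers' published token formats, while the loose "name = value" rule and the entropy threshold are illustrative and will need tuning.

```python
import math
import re
import subprocess
from typing import Dict, Iterable, Iterator, List, Tuple

# Token shapes to look for. ghp_ (GitHub personal access token) and AKIA (AWS
# access key id) are the providers' published prefixes; the loose "name = value"
# rule is an assumption for this example.
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{16,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score well above prose."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str, min_entropy: float = 3.5) -> List[Tuple[str, str]]:
    """Return (rule, value) pairs for suspicious strings in text. Each distinct
    value is reported once, under the first rule that matched it."""
    hits: List[Tuple[str, str]] = []
    seen = set()
    for rule, pat in TOKEN_PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(m.lastindex or 0)
            # The loose rule only fires on random-looking values, so that a
            # fixture like password = "aaaaaaaaaaaaaaaaaaaa" is not a finding.
            if rule == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            if value not in seen:
                seen.add(value)
                hits.append((rule, value))
    return hits


# One commit = (commit id, {path: file content}); histories are oldest first.
Commit = Tuple[str, Dict[str, str]]


def scan_history(history: Iterable[Commit]) -> List[Tuple[str, str, str, str]]:
    """Scan EVERY commit, not only the tip. A file deleted in a later commit is
    still a blob in the object store, and on GitHub that store is shared by the
    whole fork network, so deleting the file (or the fork) does not unpublish it."""
    findings = []
    for commit_id, files in history:
        for path, content in files.items():
            for rule, value in find_secrets(content):
                findings.append((commit_id, path, rule, value))
    return findings


def scan_tip_only(history: List[Commit]) -> List[Tuple[str, str, str, str]]:
    """What a naive check of the current branch head sees."""
    return scan_history(history[-1:])


def iter_git_history(repo: str) -> Iterator[Commit]:
    """Hypothetical helper (not exercised by the constructed data below): walk a
    real repository's history, oldest commit first, through the git CLI."""
    commits = subprocess.check_output(
        ["git", "-C", repo, "rev-list", "--all", "--reverse"], text=True).split()
    for commit in commits:
        tree = subprocess.check_output(
            ["git", "-C", repo, "ls-tree", "-r", commit], text=True)
        files: Dict[str, str] = {}
        for line in tree.splitlines():
            meta, path = line.split("\t", 1)          # "<mode> <type> <sha>\t<path>"
            _mode, kind, sha = meta.split()
            if kind == "blob":
                files[path] = subprocess.check_output(
                    ["git", "-C", repo, "cat-file", "-p", sha],
                    text=True, errors="replace")
        yield commit, files


# Constructed history mirroring the question: commit 1 adds a config file
# holding a token, commit 2 deletes the file. The token value is made up.
CONSTRUCTED_HISTORY: List[Commit] = [
    ("c1_add_config", {
        "README.md": "# demo\nRun `make` to build.\n",
        "config.py": 'API_KEY = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"\n',
    }),
    ("c2_delete_config", {
        "README.md": "# demo\nRun `make` to build.\n",
    }),
]

if __name__ == "__main__":
    print("tip only   :", scan_tip_only(CONSTRUCTED_HISTORY))
    print("all commits:", scan_history(CONSTRUCTED_HISTORY))
```

Run against the constructed history, `scan_tip_only` reports nothing while `scan_history` still reports the key in `config.py` at the first commit, which is exactly why rewriting master did not help the asker. Calling `scan_history(iter_git_history("."))` from a pre-push hook is the only point at which removal actually works; once the commit has been pushed, the answer's advice stands: treat the credential as public and revoke it.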