Suppose I have a git repo with app.py and I accidentally include an API key (or other secret) as plaintext in app.py in a commit that I have not yet pushed to a remote (let's say on GitHub).

To undo and fix this commit locally, I could:

git reset --soft HEAD~1
# ...make changes to remove the plain-text API key from app.py
git add .
git commit -m "some message"

Locally, I could still check out the ref where I accidentally committed the plaintext API key and view the secret in app.py:

git reflog
# look for ref where I accidentally committed API Key
git checkout <ref from above>

If I push the commit that removes the plaintext API key (i.e. the commit with message "some message" from above) to a remote, is there any way that the remote would still be able to 'see' the ref where the API key was included in plaintext? Could this secret potentially end up on GitHub (even if just on their servers, not necessarily visible through the website/public APIs)?

Thanks very much in advance!

JWB
    No, this kind of reset-before-push is quite safe. You do have to be sure that the chain of commits you send, with your `git push`, does not include the secret, but assuming it's *only* in the last commit—the one you remove with `HEAD~1` above—you're fine. If it's in, say, *two* new commits, and you only remove and replace the second, *that* would be a problem. – torek Feb 10 '21 at 04:07

2 Answers

Use `git gc`.

But if you push to the remote repo, they will disappear over time.

More information here: How to delete already removed commit from detached head?

@JWB, No. Your API key would be safe.

When you do a reset, the commit will be removed.

Sohail