I accidentally committed some secret data in a private git repo. Fortunately it's only used by a small number of people, so I looked up a guide on how to remove a commit and I decided to remove my entire branch (it's ok, I can redo the work).

```
$ git reset --hard <last-good-commit-hash>
$ git push -f master
```

I check the git logs for my bad commit id, and it's gone! I remove my repo and re-clone, and it looks like everything is good. However, I can still access the secret data at https://gitlab.com/group/project/-/commit/bad-commit-hash! Furthermore, I can do

```
$ git clone git@gitlab.com:group/project.git
$ cd project
$ git checkout <bad-commit-hash>
fatal: reference is not a tree: <bad-commit-hash>
$ git fetch --depth=1 git@gitlab.com:group/project.git <bad-commit-hash>
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 6 (delta 3), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (6/6), 2.59 KiB | 2.59 MiB/s, done.
From gitlab.com:group/project
 * branch            <bad-commit-hash> -> FETCH_HEAD
$ git checkout <bad-commit-hash>
Note: switching to '<bad-commit-hash>'.
```

along with some text about being in a detached HEAD state. If I instead try to pull the same trick on a freshly-cloned local copy of the repo, it doesn't work:

```
$ git fetch .git <bad-commit-hash>
fatal: git upload-pack: not our ref <bad-commit-hash>
fatal: remote error: upload-pack: not our ref  <bad-commit-hash>
```

I don't understand how this is possible. How can I clone the repo and the commit doesn't exist, but I can still fetch the commit from the same repo? Is this a GitLab-specific issue?

Any help would be greatly appreciated. At this point I'm looking at rotating the key and/or deleting the entire project and re-creating from my local repo.

sconstable
  • "*How can I clone the repo and the commit doesn't exist, but I can still fetch the commit from the same repo.*" Because the commit is still in the database. It'll be removed on garbage collecting after [some period](https://git-scm.com/docs/git-gc#Documentation/git-gc.txt-gcpruneExpire), default is 2 weeks. "*Is this a gitlab-specific issue?*" No, it's generic Git. One can [contact GitHub support](https://stackoverflow.com/a/32840254/7976758) to manually run garbage collector to remove offending commits. Not sure about GitLab. Try to contact support anyway if you worry. – phd Dec 02 '21 at 11:27
  • @phd thank you for this advice, I am contacting them now – sconstable Dec 02 '21 at 14:30
  • On GitLab, each project has a "housekeeping" option which includes garbage collection. – Arty-chan Dec 05 '21 at 06:32
  • Does this answer your question? [Remove sensitive files and their commits from Git history](https://stackoverflow.com/questions/872565/remove-sensitive-files-and-their-commits-from-git-history) – Arty-chan Dec 05 '21 at 06:34
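
The behaviour discussed in this thread can be reproduced and checked locally. The script below is an added example, not part of the original question or comments: it uses throwaway repositories under a temp directory, a constructed fake secret, and hypothetical function names (`object_state`, `demo_orphaned_commit`) to show that a force-pushed-away commit stays in the server's object database until garbage collection prunes it.

```shell
#!/bin/sh
# Added example: constructed throwaway repos; nothing touches a real remote.
set -eu

# Prints "present" or "absent" depending on whether object $2 exists in repo $1.
object_state() {
    if git -C "$1" cat-file -e "$2" 2>/dev/null; then echo present; else echo absent; fi
}

# Builds a bare "server" repo and a working clone, pushes a commit holding a
# constructed secret, rewinds and force-pushes as in the question, then prunes.
# Echoes the state of the bad commit on the server after each phase.
demo_orphaned_commit() {
    local work server clone good bad
    work=$(mktemp -d)
    server="$work/server.git"; clone="$work/clone"
    git init -q --bare "$server"
    git init -q "$clone"
    git -C "$clone" config user.email demo@example.invalid
    git -C "$clone" config user.name demo
    echo hello > "$clone/README"
    git -C "$clone" add README
    git -C "$clone" commit -q -m "good commit"
    good=$(git -C "$clone" rev-parse HEAD)
    echo "API_KEY=constructed-not-real" > "$clone/secret.env"
    git -C "$clone" add secret.env
    git -C "$clone" commit -q -m "bad commit"
    bad=$(git -C "$clone" rev-parse HEAD)
    git -C "$clone" push -q "$server" HEAD:refs/heads/master
    # Same steps as the question: rewind locally, then force-push.
    git -C "$clone" reset -q --hard "$good"
    git -C "$clone" push -q -f "$server" HEAD:refs/heads/master
    # No ref points at the bad commit any more, but the object is still stored.
    echo "after force-push: $(object_state "$server" "$bad")"
    # Server-side cleanup: drop reflog entries, then prune unreachable objects
    # immediately instead of waiting for the default grace period.
    git -C "$server" reflog expire --expire=now --all
    git -C "$server" gc -q --prune=now
    echo "after gc --prune=now: $(object_state "$server" "$bad")"
    rm -rf "$work"
}
```

Running `demo_orphaned_commit` prints the state of the bad commit on the server side before and after pruning. On a hosted service these commands cannot be run on the server directly, which is why the comments point to GitLab's housekeeping option or to support.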
