1

Suppose I have a git repo with app.py and I accidentally include an API key (or other secret) as plaintext in app.py in a commit that I have not yet pushed to a remote (let's say on GitHub).

To undo and fix this commit locally, I could:

    git reset --soft HEAD~1
    # ...make changes to remove the plain-text API key from app.py
    git add .
    git commit -m "some message"

Locally, I could still checkout to the ref where I accidentally committed the plaintext API Key and view the secret in app.py:

    git reflog
    # look for ref where I accidentally committed API Key
    git checkout <ref from above>

If I push the commit that removes the plaintext API key (i.e. the commit with message "some message" from above) to a remote, is there any way that the remote would still be able to 'see' the ref where the API Key was included in plaintext? Could this secret potentially end up on GitHub (even if just on their servers, not necessarily visible through the website/public APIs)?

Thanks very much in advance!

1
  • 1
    No, this kind of reset-before-push is quite safe. You do have to be sure that the chain of commits you send, with your git push, does not include the secret, but assuming it's only in the last commit—the one you remove with HEAD~1 above—you're fine. If it's in, say, two new commits, and you only remove and replace the second, that would be a problem. Commented Feb 10, 2021 at 4:07
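The comment's point as an added example (not part of the original post): it checks the commits a push would send for a made-up key, and separately counts the commits the local reflog still holds. The tag `pushed` (standing in for the remote's branch tip), the key value and the helper names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway repo, made-up key value.
FAKE_KEY='EXAMPLE-NOT-A-REAL-KEY-12345'

# Print each commit selected by <rev-list args> whose diff adds <pattern>.
leaky_commits() {  # usage: leaky_commits <repo> <pattern> <rev-list args...>
    repo_=$1; pat_=$2; shift 2
    for c in $(git -C "$repo_" rev-list "$@"); do
        if git -C "$repo_" show --format= --unified=0 "$c" |
            grep '^+' | grep -qF -- "$pat_"; then
            echo "$c"
        fi
    done
}

commit_all() {  # usage: commit_all <repo> <message>
    git -C "$1" add . &&
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "$2"
}

# Commit the key in <n> consecutive commits, undo only the last with
# `git reset --soft HEAD~1`, recommit without it, then print two counts:
# leaky commits a push would send, and leaky commits still held locally.
demo() {  # usage: demo <n>
    repo=$(mktemp -d) || return 1
    git -C "$repo" init -q
    echo 'print("hello")' > "$repo/app.py"
    commit_all "$repo" "initial"
    git -C "$repo" tag pushed   # assumption: stands in for origin's branch tip
    i=0
    while [ "$i" -lt "$1" ]; do
        i=$((i + 1))
        printf 'KEY_%s = "%s"\n' "$i" "$FAKE_KEY" >> "$repo/app.py"
        commit_all "$repo" "leaky commit $i"
    done
    git -C "$repo" reset -q --soft HEAD~1
    grep -vF -- "$FAKE_KEY" "$repo/app.py" > "$repo/app.py.tmp"
    echo 'import os; KEY = os.environ["API_KEY"]' >> "$repo/app.py.tmp"
    mv "$repo/app.py.tmp" "$repo/app.py"
    commit_all "$repo" "some message"
    out=$(leaky_commits "$repo" "$FAKE_KEY" pushed..HEAD | wc -l)
    all=$(leaky_commits "$repo" "$FAKE_KEY" --reflog | wc -l)
    rm -rf "$repo"
    echo "$((out)) $((all))"
}

echo "key in last commit only: $(demo 1)"
echo "key in last two commits: $(demo 2)"
```

In a real repository the outgoing range would be the branch's upstream, for example `@{u}..HEAD`, instead of the demo tag.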

2 Answers

0

Use git gc.

But if you push to a remote repo, they will disappear over time.

More information here: How to delete already removed commit from detached head?


0

@JWB, No. Your API key would be safe.

When you do reset, the commit will be removed.
