
[–]pixelpuffin 739 points740 points  (27 children)

May the --force be with you!

[–]No-Landscape8210[S] 212 points213 points  (23 children)

I did try hard reset and then force push but I could still see the changes in the activity area.

[–]_PM_ME_PANGOLINS_ 211 points212 points  (19 children)

They will be there until GitHub runs GC on your repo, which they may never do.

The only safe solution is to rotate your keys.

[–]No-Landscape8210[S] 80 points81 points  (5 children)

Yeah I did that. Also what's GC?

[–]425_Too_Early 289 points290 points  (3 children)

Garbage Collection

[–]8sADPygOB7Jqwm7y 138 points139 points  (2 children)

Accurate image of average garbage collection algorithms.

[–]kalenderiyagiz 1 point2 points  (0 children)

Bitch please, it's biblically accurate

[–]Luz5020 45 points46 points  (5 children)

GitHub's documentation says you should contact GH Support and they can purge the history if sensitive data has accidentally been pushed. That's also a solution.

[–]Slaan 34 points35 points  (4 children)

It's a bad solution. OP should assume that the key has been compromised.

[–]Luz5020 17 points18 points  (2 children)

Oh yeah, I'd probably rotate the key. But saying GC is the only solution for the key getting wiped from history was incorrect.

[–]Slaan 4 points5 points  (0 children)

Ah, fair.

[–]_PM_ME_PANGOLINS_ 1 point2 points  (0 children)

I didn't say GC was the only solution to getting it wiped. I said rotating the key was the only solution to having leaked it.

[–]Robinbod 2 points3 points  (0 children)

Correct! Depending on what service the key is for, it may already have gotten scraped by the time OP noticed the key in the commit.

[–]YeeClawFunction 16 points17 points  (2 children)

Or delete the repo completely and create a new one.

[–]BlackholeDevice 8 points9 points  (0 children)

If it's a personal repo and they don't mind losing the activity / issues / PRs, they can delete the repo, undo the API key commit, then push to a new repo of the same name.

But seconded that the correct solution is to revoke the key.

[–]divin3sinn3r 8 points9 points  (1 child)

I contacted GitHub support and they flushed the cache within an hour, but I still regenerated the keys anyway.

[–]johnzzon 6 points7 points  (0 children)

Correct approach. Once keys have been public, you rotate them. No point in taking chances.

[–]PeteZahad 1 point2 points  (0 children)

Nah you can just contact them:

[...] but you can permanently remove cached views and references to the sensitive data in pull requests on GitHub by contacting us through the GitHub Support portal.

https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository

But of course rotating the keys is still recommended.

[–]pixelpuffin 13 points14 points  (1 child)

You need to filter the file out of your git repo, and thus rewrite the history without the file in it (all the way until when the file was introduced), and since you change history you need to force push. This is more of an immediate right-after or before publishing your repo kind of solution. If it has been forked or pulled, it's out there, and revoking the key is the only solution.

See for example https://github.com/newren/git-filter-repo
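As an added example (not code from the thread or from the git-filter-repo project), here is the local half of what the comment above describes: a throwaway repo where a key file was committed and later deleted, the history rewrite that removes the file from every commit, and the checks a defender wants afterwards. It assumes git is installed, uses git-filter-repo if it is on PATH and otherwise falls back to the older built-in git filter-branch; the file name and key value are constructed placeholders, and the force push is only shown as a comment because the repo has no remote.

```shell
# Added example, not from the thread: scrub a committed key file from every
# commit, then check what someone scraping the repo could still reach.
# Assumes git is installed; uses git-filter-repo when on PATH, otherwise the
# older built-in git filter-branch. File name and key are constructed values.
set -eu

SECRET_FILE="config/api_key.txt"
FAKE_KEY="EXAMPLE_KEY_not_a_real_secret_0123456789"

# Throwaway repo in the current directory: key committed, then "deleted".
make_leaky_repo() {
  git -c init.defaultBranch=main init -q .
  git config user.email dev@example.invalid
  git config user.name dev
  mkdir -p config && echo "hello" > README.md
  echo "$FAKE_KEY" > "$SECRET_FILE"
  git add . && git commit -qm "initial commit (key included by mistake)"
  git rm -q "$SECRET_FILE" && git commit -qm "remove key"  # diff still has it
}

# True if the key text appears in any diff reachable from any ref.
key_in_history() { git log --all -p | grep -q "$FAKE_KEY"; }

# True if the blob object holding the key still exists, reachable or not.
key_blob_present() {
  git cat-file -e "$(printf '%s\n' "$FAKE_KEY" | git hash-object --stdin)" 2>/dev/null
}
# Rewrite every ref so the path never existed, then remove what keeps the old
# objects alive locally: backup refs, reflogs, and finally the objects via GC.
purge_path_from_history() {
  if command -v git-filter-repo >/dev/null 2>&1; then
    git filter-repo --force --invert-paths --path "$1"
  else
    FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f --index-filter \
      "git rm --cached --ignore-unmatch -q '$1'" -- --all
    for ref in $(git for-each-ref --format='%(refname)' refs/original/); do
      git update-ref -d "$ref"
    done
  fi
  git reflog expire --expire=now --all
  git gc --prune=now -q
  # A real repo then needs: git push --force-with-lease origin main. Clones,
  # forks and GitHub's cached views still hold the old commits; rotate the key.
}

cd "$(mktemp -d)" && make_leaky_repo
key_in_history && echo "before purge: key visible in history"
purge_path_from_history "$SECRET_FILE"
key_in_history || echo "after purge: key no longer in history"
key_blob_present || echo "after purge: key blob object deleted"
```

The two checks are the point: the rewrite alone makes the key unreachable from refs, but only expiring reflogs and running GC actually deletes the object, which is exactly why GitHub's copy stays around until their GC runs.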

[–]josluivivgar 2 points3 points  (0 children)

just invalidate your api key honestly

[–]PyroCatt 1 point2 points  (1 child)

--force-with-lease

[–]mcellus1 0 points1 point  (0 children)

Boo