
So I forked a repo from a public repo and accidentally pushed to my repo a file that contains my credentials to it. After deleting my forked repo on GitHub and the credentials from the provider as well, I forked it again and found that my pushed commit is still there on the 'tree' branch of my newly forked repo (accessible by the link attached to the provider's notice email). It also says that the original owner is a collaborator, who likely could have seen it. So for now I deleted that repo again.

Is there any way to delete that 'tree' branch which contains my API key and fork it fresh with no history? Or is it enough to just disable the API key? (But then I can't fork that repo anymore.) Thank you.

  • I think you should get help from GitHub support. Commented Mar 30, 2020 at 10:36
  • Does this answer your question? Remove sensitive files and their commits from Git history Commented Mar 30, 2020 at 11:37
  • stackoverflow.com/search?q=%5Bgithub%5D+remove+sensitive+file Commented Mar 30, 2020 at 11:37
  • Especially this answer: stackoverflow.com/a/32840254/7976758 Commented Mar 30, 2020 at 11:37
  • I just tried using filter-branch as suggested, and while on my master branch the file has gone, those credentials are still accessible by link (<repo-url/blob/hash/file>). It seems like the solution you proposed is only applicable to a self-owned repo, not one from another owner that I have forked, like in this case. Commented Mar 30, 2020 at 12:08

1 Answer


You need to assume that your credentials are public and revoke them. At this point, anyone could have found them.

The reason you're seeing this is because GitHub shares objects across repositories in a network. When you create a repository, all of the objects of the original repository and all the forks are shared in one location. Therefore, deleting your repository doesn't help, because those objects will reappear.

You can contact GitHub Support after reading the documentation on this, but as the documentation says, you have to assume your credentials are public now. If you don't care that the credentials are public because you've revoked them, then there's nothing to do and you can go on merrily about your life.


4 Comments

It is because I don't have my fork anymore; it is 404 not found when I follow the link, but not when I have the forked repo. Will it not be found if I make it private? But could the original repo owner still see it?
@itonia.x.i It doesn't matter whether anyone else can see them now. Remember that someone—anyone—could see them, if only for just one minute or so, the moment after you pushed the commit you should not have pushed. Suppose that someone, somewhere, did see the credentials and copied them and now has them available on a black-hat site. Removing the GitHub copy won't affect the black-hat site's copy.
The data is still there and still visible, even if you've deleted your fork, because GitHub does not usually garbage-collect data. You must revoke those credentials and assume they're compromised, since anyone could have seen them or still could.
Alright, just to make sure no one can use those credentials, I have revoked them. Then I can sleep well tonight and after. Thank you.
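The object-sharing point in the answer above, as an added local demonstration (not code from the question, the answer, or GitHub): a secret committed once stays readable by its object hash after the branch that carried it is deleted, and it goes away only after the reflog-expire and prune step that only the repository host can run, which a fork network does not do on your behalf. Assumes `git` is installed; the `API_KEY` value is a constructed placeholder.

```shell
#!/bin/sh
# Added illustration, not code from the original question or answer.
# A committed secret lives on as a git object addressed by hash, so deleting
# the branch (or, on GitHub, the fork) does not remove it. Assumes `git` is
# installed; the credential value is a constructed placeholder, not a real key.
set -e

# Creates a throwaway repo, commits a placeholder credential and deletes the
# only branch pointing at that commit. Prints "<repo path> <blob id>".
make_leaky_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    printf 'API_KEY=EXAMPLE_PLACEHOLDER_NOT_A_REAL_KEY\n' > "$repo/config.env"
    git -C "$repo" add config.env
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q -m "oops: committed credentials"
    first=$(git -C "$repo" symbolic-ref --short HEAD)
    blob=$(git -C "$repo" rev-parse HEAD:config.env)
    # Move to an empty orphan branch and drop the original branch entirely.
    git -C "$repo" checkout -q --orphan clean
    git -C "$repo" rm -q --cached config.env
    git -C "$repo" branch -D "$first" >/dev/null
    echo "$repo $blob"
}

# Returns 0 if the blob is still readable by hash after the branch is gone:
# the local analogue of the <repo-url>/blob/<hash>/<file> link in the question.
secret_survives_branch_delete() {
    set -- $(make_leaky_repo)
    git -C "$1" cat-file -p "$2" | grep -q 'API_KEY='
    rm -rf "$1"
}

# Returns 0 if the blob disappears only after reflogs are expired and the
# object store is pruned. Only the party that owns the object store can do
# this, which is why the fork network keeps the data and revocation is the fix.
secret_gone_only_after_prune() {
    set -- $(make_leaky_repo)
    git -C "$1" reflog expire --expire=now --all
    git -C "$1" prune --expire=now
    if git -C "$1" cat-file -e "$2" 2>/dev/null; then rm -rf "$1"; return 1; fi
    rm -rf "$1"
}
```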
