• Blog
  • Research
  • Un-committing a Password in GitHub

    19 October, 2018 | General Hackery

    Yep, I did it. I foolishly committed a password into a git repository and pushed it to Github.

    Thankfully it was an app-specific password that could be easily changed without messing anything up (good advice: use app-specific passwords where you can!) but I still didn't want the commit in Github. Again, thankfully, I hadn't made any other changes before I realised what I'd done, as there is a simple way to delete the last commit from a Git repo, and push it to Github.

    git rebase -i HEAD~2

    When the editor pops up, delete the second line. This indicates we want to keep the previous version. Save, then exit. This will sort out your local repo. But the password is still on Github and you won't be able to push because your local copy of the repo is now behind the remote. So do this:

    git push origin +master

    This is what usually happens when you just type git push, but the + symbol is a 'force' indicator. It will force the remote repo to accept your changes and ignore its own history. You won't get any conflict errors.

    Word of warning: this is a really bad thing to do if the repo is collaborative, as someone may have pulled before you can do this. However, if someone else has pulled before you can remove the committed password, you've probably got bigger problems!