Cannot purge commit in a GitHub blob using BFG - github

I am trying to purge credentials in a file on an Enterprise GitHub repository by following the BFG instructions on a GH article.
I had first used BFG to remove the credentials using a regular (non-mirror) clone for all branches, but realized that this did not purge some historical commits.
So I first tried to purge the mirror clone's commit history as advised by the BFG's documentation. It succeeded, but I could not git push --force everything due to a remote rejected error for several Pull Requests.
Following the repo admin's advice, we deleted the PRs that were causing the error.
But now BFG fails to correct the issue locally, saying BFG aborting: No refs to update - no dirty commits found??.
Yet, when I visit a commit blob URL (i.e. <github_repo_path>/blob/<commit_id>/<filepath>) on the same repo, it still shows the problematic credentials.
So what allows this commit to be viewable online despite being undetected by BFG?
It is not a local cache issue since it is viewable in Private Mode as well. I emailed GitHub Support to ask if it is a server-side cache but have not heard back yet.
How could I target a specific commit blob? Is there any alternative solution that uses BFG?

Related

how to delete show diff on github

I recently pushed a commit to GitHub that I shouldn't have, which could have contained sensitive information. Thankfully it didn't. I immediately deleted the file in question and quickly noticed that I and anyone with access to this repo can see the contents of the uploaded file if they click on the commit history and load diff. Is there any way to delete the contents of that commit so that it no longer shows up in my repository commit history?
GitHub documents the process quite clearly.
Basic steps:
Rebase your changes and remove the offending commit from your local history.
Force push the rebased changes to GitHub.
Contact support to have the offending commit purged from pull requests, caches and issues it might be linked to.

List hidden commits still in Github but not Git (security leak)

AWS informed me of leaked account info in a Github repo. It gave me link to the corresponding commit. That commit seems to only be visible if you have the direct sha. I am trying to identify all the other commits that could also contain leaks.
AWS gave the link: https://github.com/myorg/somerepo/commit/1abcdef and that gives me a very old commit with a banner
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
If I try git show 1abcdef on that repo, it's not found. It really cannot be found in git itself. In fact, there is nothing that old.
If I access the commit through the Github API, it is there:
gh api 'repos/myorg/somerepo/commits/1abcdef'
I can see all information about it, including the date in 2017.
So I tried:
gh api 'repos/myorg/somerepo/commits?until=2017-12-31'
But that finds nothing. The Github API doesn't seem to mention anything to look at orphaned commits.
I have obviously rotated all credentials for the compromised (dev) account but how can I find other potential problematic commits? If I cannot find them, how could a hacker do it?
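Added example, not part of the original posts: a local check for the situation in this question and in the BFG question at the top of the page, where a commit is still served by SHA although no branch contains it. Run against a `git clone --mirror` copy, it reports whether a commit is absent from the clone, present but unreachable from every ref, or still reachable from some ref (pull-request refs included, if the mirror fetched them), and counts commits on any ref that add or remove a given string. The function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original posts). Function names are illustrative.

# classify_commit <repo-dir> <sha>
# Prints one of:
#   absent       the object is not in this clone's object database
#   unreachable  the object exists, but no ref under refs/ leads to it
#   reachable    at least one ref (branch, tag, refs/pull/*, ...) contains it
classify_commit() {
    repo=$1
    sha=$2
    # Does the commit object exist locally at all?
    if ! git -C "$repo" cat-file -e "${sha}^{commit}" 2>/dev/null; then
        echo "absent"
        return 0
    fi
    # List every ref whose history includes the commit. Reflogs are not
    # consulted, so a commit kept alive only by a reflog counts as unreachable.
    refs=$(git -C "$repo" for-each-ref --contains "$sha" --format='%(refname)')
    if [ -z "$refs" ]; then
        echo "unreachable"
    else
        echo "reachable"
    fi
}

# secret_hits <repo-dir> <string>
# Prints the number of commits, over all refs, whose diff adds or removes
# the string. Zero after a rewrite means no ref-reachable commit touches it.
secret_hits() {
    git -C "$1" log --all --oneline -S"$2" | wc -l | tr -d ' '
}

# Command-line use: sh check.sh <repo-dir> <sha>
if [ "$#" -eq 2 ]; then
    classify_commit "$1" "$2"
fi
```

A result of "absent" or "unreachable" for a commit the host still serves by SHA means a history rewrite has nothing left to act on locally, which matches BFG's "no dirty commits found" message.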

Git (LFS) fails because "LFS: Put" is forbidden

I want to push some changes to my own git LFS repository on GitHub, which is a fork of another project, but when I try to do that, I get an error
> git push origin develop-imb:develop-imb
LFS: Put "https://github-cloud.s3.amazonaws.com/alambic/media/somepath": Forbidden
LFS: Put "https://github-cloud.s3.amazonaws.com/alambic/media/someotherpath": Forbidden
error: failed to push some refs to 'https://github.com/nicolazilio/parkour-imb-mainz.git'
Does anybody have any clue as to what the problem is?
Even after a fork, LFS would be pushed to the original repo's assigned Content Delivery Network. You're not able to push LFS objects because there's a quota on the original public repo that would otherwise be vulnerable to abuse attacks. This is a safety measure on GitHub.com.
The only "solutions" that I could think of are rather limited:
Use git lfs untrack, and try pushing these to your own fork without LFS. Optionally, you could install lfs on the fork, re-track them before pushing, and start using your own quota. This may be desirable on hard forks (e.g. not contributing back to upstream)
Ask to have write permission on the original public repo, if that's possible.
Ask the original public repo to stop using LFS.
See What is the workflow for Git LFS with forks? for another proposed answer. Even if they're speaking of Bitbucket, the same workflow would probably apply.

Download commit messages from project in GitHub

I have a project in GitHub and during the last years I have committed several changes to the project. In each commit I was adding a small text about the commit (e.g. fix problem with function A).
Is there a way to download all the commits that I have committed so far? I don't want to download the changes of the code of each commit, just only the text that I was writing. Is this possible?
GitHub has an API for that.
https://api.github.com/repos/(username)/(repository)/commits
See REST API v3: Commits
List commits on a repository
GET /repos/:owner/:repo/commits
You can then just read all message keys in the commit objects
Edit:
If you try to do that on a private repository, you have to make an authentication first.
Basic example with curl:
curl -u username:password https://api.github.com/repos/username/repository/commits
More on that: Other Authentication Methods
Assuming you did the work from your local Git project, then GitHub does not have to be involved at all here. You can check out the branch in question, update it, and then use git log:
git checkout master # assuming contributions go to the master branch
git pull origin master
git log --author="yaylitzis" # replace 'yaylitzis' with your actual username
The pull is required because perhaps your local branch does not have all your commits for some reason.

GitHub - no changes seen after successful commit

I'm struggling with an issue connected to GitHub. I've committed some changes using GitBash console and got an info that the push was successful and there's nothing to commit. When I went into logs, there was this particular log looking like this:
The issue is that when I go back into my GitHub account, I can see just an initial commit in there, nothing more.
And the console clearly says that the commit was successful.
Please help!
Git is a distributed version control system, so you have one local copy of the repository, Github has another copy. As far as git is concerned every copy is equally important.
For your changes to exist in Github, you have to push them there, with something like:
git push origin master
Try git remote -v to get more information on your tracked repositories. Github has some great help pages on this stuff.
From what you say in your question, I think you haven't actually pulled your local repository into your GitHub account.
To do that, use git push origin master
When you use git commit your changes are saved in your local repository, not in your remote (that in this case is GitHub)
Thanks to all that helped me understand my issue. Turns out the files did not copy between folders properly and that's why there were no changes detected on git. Now everything is working.
Thanks again!