Easily nuke secrets from your Git history
I came across an excellent article from Don Goodman-Wilson on GitGuardian, "Rewriting your git history, removing files permanently – cheatsheet & guide". I had a scenario where I wanted to remove a secret deep in my history. In his article, he talks about the git extension tool git-filter-repo. Eager as I am, I was like, yes, let's use it! However, I realized that, for starters, the install steps on a Windows machine may not be as straightforward as download/install.
For the ones like me that want a quick cheatsheet on how to make it work on Windows, here’s a quick summary. Thanks to the GitHub issues in the repo that helped me put this together.
Setup
- Install Python3
- Download the git-filter-repo extension.
- Edit the file you just downloaded and change the first line from #!/usr/bin/env python3 to #!/usr/bin/env C:\Users\<user>\AppData\Local\Programs\Python\<pythonVersion>\python
  Replace <user> and <pythonVersion> with the proper values. This is the path to python.exe.
  In my case it was C:\Users\dominique\AppData\Local\Programs\Python\Python39\python
- Move the file into your git exec-path. This path can be found by running git --exec-path in a command line.
- Clone a fresh repo of your code.
- Create a file that will be used to do replacements, somewhere outside your repo path, e.g. C:\path\to\replacements.txt
- In the replacements.txt file, add the replacements you want, e.g. 123abc==>ENV['AUTH_TOKEN']. If you don't specify a replacement, i.e. you only put 123abc, it will replace every 123abc with **REDACTED**
- Run the command git filter-repo --replace-text C:\path\to\replacements.txt --force in your freshly cloned repo
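Once the rewrite has run, it is worth confirming that none of the listed secrets is still reachable from any ref. The script below is an added example, not part of the original post or of git-filter-repo; the function names are hypothetical, and it assumes git is on your PATH and that the replacements file contains literal entries (regex: and glob: lines are skipped).

```python
import subprocess
import sys

def literal_secrets(replacements_text):
    """Return the literal strings listed in a --replace-text file."""
    secrets = []
    for line in replacements_text.splitlines():
        if not line or line.startswith(("regex:", "glob:")):
            continue  # patterns cannot be searched as fixed strings here
        if line.startswith("literal:"):
            line = line[len("literal:"):]
        # Assumption: the last "==>" on a line separates secret from replacement.
        literal = line.rsplit("==>", 1)[0]
        if literal:
            secrets.append(literal)
    return secrets

def commits_containing(secret, repo="."):
    """Commits on any ref whose diff adds or removes `secret` (git pickaxe)."""
    result = subprocess.run(
        ["git", "-C", repo, "log", "--all", "--format=%H", "-S" + secret],
        capture_output=True, text=True, check=True)
    return result.stdout.split()

def audit(replacements_path, repo="."):
    """Map each secret that is still present to the commits that touch it."""
    with open(replacements_path, encoding="utf-8") as fh:
        secrets = literal_secrets(fh.read())
    leftovers = {}
    for secret in secrets:
        hits = commits_containing(secret, repo)
        if hits:
            leftovers[secret] = hits
    return leftovers

if __name__ == "__main__":
    # usage: python audit_secrets.py C:\path\to\replacements.txt [repo]
    found = audit(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else ".")
    for secret, commits in found.items():
        # Show only a short prefix so the secret is not echoed into logs.
        print(f"{secret[:4]}... still in {len(commits)} commit(s), "
              f"first hit {commits[0]}")
    sys.exit(1 if found else 0)
```

An exit code of 0 means no listed secret was found in the history reachable from the repository's refs. Commit messages are not covered by --replace-text, so check those separately.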
Notes
Be aware that this rewrites your history, so you will need to coordinate with everyone using your repository so that they can synchronize with you. Otherwise, you may come across other unexpected problems.