Oops… I just accidentally pushed a git commit containing a secret in plain text to a remote repo! Though it’s a private repository, I want to clean this mess up as a matter of security best practice. So, let’s fix it!

Here are the last two commits. The secret resides in one of the files from the “add argocd infra to git” commit.

$ git log -2
commit fe7b0510edc4fb160a16421352ba598e3f62703e (HEAD -> main, origin/main, origin/HEAD)
Author: kenno <kenno@example.com>
Date:   Sat Dec 20 00:59:36 2025 +1100

    add argocd infra to git
    
commit c5a75ae14cf3528db1fea7677e2bdb54167037cd
Author: kenno <kenno@example.com>
Date:   Thu Dec 18 14:38:17 2025 +1100

    add basic auth middleware to longhorn httproute

Since the commit had already been pushed to a remote repository, simply “undoing” the commit locally is not enough; the remote history has to be overwritten as well.

  1. Perform a local reset:

$ git reset --soft HEAD~1

  2. Fix the file: Remove the secret from the file and save it.

  3. Commit the fix:

$ git add .
$ git commit -m "Remove accidental secret"

  4. Force push to the remote:

$ git push origin main --force

Verify:

$ git log -2
commit 5a64962f64df3546ad160395c248eb826ca13573 (HEAD -> main, origin/main, origin/HEAD)
Author: kenno <kenno@example.com>
Date:   Sat Dec 20 01:17:08 2025 +1100

    Remove accidental secret

commit c5a75ae14cf3528db1fea7677e2bdb54167037cd
Author: kenno <kenno@example.com>
Date:   Thu Dec 18 14:38:17 2025 +1100

    add basic auth middleware to longhorn httproute

Well, that did the trick. As mentioned earlier, since the commit was pushed to a private remote repo, I don’t feel the secret needs to be rotated in this case. However, if you do accidentally push a commit to a public repo, just assume that the secret has been seen, and you must rotate that secret straight away!
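The `git log -2` check above only shows commit messages, so here is an added example (not part of the original post) that goes one step further: it replays steps 1 to 3 in a throwaway repository, searches the file contents of every commit reachable from a ref for the secret, and then checks whether the pre-rewrite commit object is still stored locally. The file names, the secret value and the helper function names are all constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: none of these file names or values come from the post.
SECRET='demo-token-CONSTRUCTED-12345'

# Run git inside the demo repo with a throwaway identity.
g() { git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Exit 0 if $1 occurs in the tree of any commit reachable from any ref.
secret_reachable() {
    for rev in $(g rev-list --all); do
        g grep -q -F -e "$1" "$rev" -- && return 0
    done
    return 1
}

# Exit 0 if commit $1 still exists in the local object database.
commit_still_stored() { g cat-file -e "$1^{commit}" 2>/dev/null; }

# Build a throwaway repo, leak the secret, then apply the post's steps 1-3.
build_demo_repo() {
    REPO=$(mktemp -d) || return 1
    g init -q
    echo 'kind: HTTPRoute' > "$REPO/route.yaml"
    g add . && g commit -q -m 'clean commit'
    echo "password: $SECRET" > "$REPO/values.yaml"
    g add . && g commit -q -m 'commit with secret'
    LEAKED=$(g rev-parse HEAD)                  # hash of the leaking commit
    secret_reachable "$SECRET" && BEFORE=yes || BEFORE=no
    g reset -q --soft HEAD~1                    # step 1: local reset
    echo 'password: ""' > "$REPO/values.yaml"   # step 2: remove the secret
    g add . && g commit -q -m 'Remove accidental secret'   # step 3
    secret_reachable "$SECRET" && AFTER=yes || AFTER=no
    # The old commit is no longer reachable from a branch, but the object
    # itself stays on disk until its reflog entry expires and gc prunes it.
    commit_still_stored "$LEAKED" && STORED=yes || STORED=no
}

build_demo_repo
echo "reachable before: $BEFORE, after: $AFTER, old commit still stored: $STORED"
rm -rf "$REPO"
```

The same leftover applies to any other clone that fetched the commit before the force push.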