This highlights why it's so important that any secret that gets committed <i>must</i> be rotated. Simply removing it from the git history isn't enough, because it can still linger, it's just harder to find.
You don’t even need the pushes API to see commits that were force pushed away. You can get the head of any branch at a given time using `gitrevisions` [1] syntax any place that you would normally put a branch or commit.<p>e.g to see the state of the cpython main branch on January 1 we can ask for `main@{2024-01-01}`:<p><a href="https://github.com/python/cpython/tree/main@{2024-01-01}">https://github.com/python/cpython/tree/main@{2024-01-01}</a><p>This does not walk the commit history, but instead the server-side reflog, so it’s immune to force pushing and can only be avoided by GC of the reflog or repo. Definitely contact GH support if you pushed something you shouldn’t have.<p>[1] <a href="https://git-scm.com/docs/gitrevisions" rel="nofollow">https://git-scm.com/docs/gitrevisions</a>
If you've inadvertently committed, say, copyrighted material to GitHub, and want to fully erase it, is there a way? Other than contacting GitHub as this article mentions.<p>Even if you contact them, GitHub says[1] that they will not remove "non-sensitive data", but makes no reference to copyrighted material.<p>[1] <a href="https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository#fully-removing-the-data-from-github" rel="nofollow">https://docs.github.com/en/authentication/keeping-your-accou...</a>