技術筆記-當你不小心把「秘密」發佈到 git，要如何「清乾淨」？

更新於 2024/12/10發佈於 2024/12/10閱讀時間約 8 分鐘

如題，這應該是很容易犯的錯誤，據說 git 能使時光倒流！它就是這麼厲害，所以光是刪除檔案重新 commit 是沒用的，必須執行以下步驟：

(都是 chatGPT 教的，所以本文無創新價值，單純筆記增加熟練度)

# 1. 將檔案移出納管範圍，但注意加 --cached 就不會實體刪除檔案
git rm --cached gui/MySecretFile.pfx
------------------------------------
[main 3612398] remove cert file
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 gui/MySecretFile.pfx
------------------------------------

# 2. commit 到 local repository
git commit -m "remove cert file"
------------------------------------
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 287 bytes | 287.00 KiB/s, done.
Total 3 (delta 2), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (2/2), completed with 2 local objects.
To https://github.com/newmanchurch/newman-console.git
   2a9e44c..3612398  main -> main
---------------------------------
   
# 3. 同步到雲端   
git push origin --force
-----------------------
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 287 bytes | 287.00 KiB/s, done.
Total 3 (delta 2), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (2/2), completed with 2 local objects.
To https://github.com/newmanchurch/newman-console.git
   2a9e44c..3612398  main -> main
---------------------------------


# 4. 「清洗」所有歷史紀錄，指令長到爆炸
git filter-branch --force --index-filter \
"git rm --cached --ignore-unmatch gui/MySecretFile.pfx" \
--prune-empty --tag-name-filter cat -- --all
--------------------------------------------
Proceeding with filter-branch...

Rewrite 807cc8429eb6b68cf0aa63724080c4d362d4a170 (1/34) (0 seconds passed, remaining 0 predicted)    rm 'gui/MySecretFile.pfx'
Rewrite bc433e86e272578c895c226c9d0e87a7a6b26a28 (2/34) (0 seconds passed, remaining 0 predicted)    rm 'gui/MySecretFile.pfx'
Rewrite 6e1b5c278e171ecd87bf746da7bac9cb42102406 (3/34) (0 seconds passed, remaining 0 predicted)    rm 'gui/MySecretFile.pfx'
Rewrite bcb38916c62bbc9a6d9f50870bc0c00dc8485d6d (4/34) (0 seconds passed, remaining 0 predicted)    rm 'gui/MySecretFile.pfx'
...
Ref 'refs/heads/main' was rewritten
Ref 'refs/remotes/origin/main' was rewritten
--------------------------------------------

# 4.1 據說安裝一個 python 套件後，可以讓指令大幅精簡，但我沒試過：
pip install git-filter-repo
git filter-repo --path gui/MySecretFile.pfx --invert-paths


# 5. 同步到雲端
git push origin --force
-----------------------
Enumerating objects: 219, done.
Counting objects: 100% (219/219), done.
Delta compression using up to 8 threads
Compressing objects: 100% (213/213), done.
Writing objects: 100% (219/219), 54.02 KiB | 4.50 MiB/s, done.
Total 219 (delta 151), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (151/151), done.
To https://github.com/newmanchurch/newman-console.git
 + f921b1b...07c383c main -> main (forced update)
-------------------------------------------------

到雲端網站檢查，成功清的乾乾淨淨，收工。

Newman 2024/12/10

導覽頁：紐曼的技術筆記-索引

後記：

順便筆記一些常用指令：

# 當本地端檔案改到亂掉了，就整個放棄修改，恢復到上一的 commit
git restore --source=HEAD --staged --worktree .

# 徹底放棄本地端的 repository，完全用雲端的版本來取代
# 使用時機就如本文狀況，遠端的所有歷史版本都經過清洗了，client 就不用一一清洗，直接取代
git fetch --all
git reset --hard origin/main
git pull