How to completely remove old commits from Gitlab?

Question

I have a repository on Gitlab with some commits on one branch as follows

A - B - C - D - HEAD

I mistakenly uploaded some secret token string on commit B, and I noticed later on, so I created a new branch from A then copied manually all files from commit D so history now looks like this

 /  - E - HEAD
A  - B  - C - D

Now what i did is to delete on Gitlab the branch BCD so those "token commits" are no longer accessible, and the history looks like

A - E - HEAD

However, I just noticed that I can still access the troublesome commits through Project -> Activity and seeing there my old pushes where the old commits are still accessible.

How can I completely delete those?

Answer 1

As you have noticed, GitLab holds onto git references in some circumstances, even if you delete those commits and force push over all your branches. Besides the activity page you mentioned, this will also include things like MR diffs, pipeline refs, and more.

This is also apparent when committing large files -- simply deleting the commits and force pushing won't reduce the project storage size!

To completely remove the contents from the GitLab project, you need to follow this guide for purging repository history. After you initiate the project cleanup by uploading the filter file, all the various commit references will be deleted and the contents are completely gone and inaccessible.

You may still see commit hashes and messages in the activity page, but the links will not show any of the contents of those commits because they have been deleted.

As noted in the docs:

This process is not suitable for removing sensitive data like password or keys from your repository. Information about commits, including file content, is cached in the database, and remain visible even after they have been removed from the repository.

So, as mentioned in this answer the first step you should take is to rotate your compromised credentials.

If it is important to you to completely remove even the commit messages and hashes in the activity page and database references, your only option would be to migrate/delete and re-create the project (after purging the git history). But this will also remove things like issues, merge requests, etc.

Answer 2

This GitLab entry seems to indicate that you can:

You can use Git to delete sensitive information from your past commits. However, history is modified in the process.

To rewrite history with certain filters, run git filter-branch.

To remove a file from the history altogether use:

git filter-branch --tree-filter 'rm filename' HEAD

The git filter-branch command might be slow on large repositories. Tools are available to execute Git commands more quickly. These tools are faster because they do not provide the same feature set as git filter-branch does, but focus on specific use cases.

For more information about purging files from the repository history and GitLab storage, see Reduce repository size.