How to completely remove a commit from gitlab?

Question

I made a commit in my git repo and pushed it, but accidentally it contained some passwords for our production machines. So I deleted the commit:

git reset --hard HEAD~1
git push --force

That indeed removed the commit from the list of commits, but the url to the commit on gitlab still shows the source of the commit.

I'm not sure whether this is git which still saves the contents of the commit on the gitlab servers, or the gitlab databases which somehow store the contents of the commit, but I really need to completely remove that commit from the gitlab servers.

Does anybody know a way to completely remove a commit and it's contents from gitlab?

Answer 1

As you may have noticed, even if you rewrite your git history and force-push the change to the repository, the removed commits will still be present in several places in GitLab. You'll notice, for example, merge requests that reference deleted commits still show the content of references in the MR. GitLab holds onto refs and their content in several places that can't be directly pushed over (protected refs not advertised by the git server) including refs/merge-requests/*, refs/pipelines/*, refs/environments/* and refs/keep-around/*.

To remove such references, you need to follow the purge files from repository history procedure in order to completely remove the content of these references from GitLab. This process is intended for helping reduce repository size, but works for your use case as well.

As mentioned in the comments, the appropriate action to take when a secret is accidentally committed is to rotate the secret. Removing it from your history doesn't necessarily stop someone who already has the secret from using it.