2

I am using bfg-cleaner to delete some files containing sensitive information from GitHub. It works fine except for pull requests. The sensitive data still exists in pull requests. How can I get rid of this?

user2636464
  • Did you manage to make it work? – VonC Sep 29 '20 at 08:02
  • As discussed with you, I have requested deletion of the pull requests. However, it's not clear what happens in the case of an on-premise GitHub environment; we use GitHub Enterprise. – user2636464 Sep 30 '20 at 09:08

1 Answer

2

First, you can consider the new git filter-repo, which will replace the old git filter-branch or BFG.

It has many usage examples, including path-based filtering:

To keep all files except these paths, just add --invert-paths:

```
git filter-repo --path aFileToRemove --invert-paths
```

Second, regarding pull requests, you would need to fetch them first:

```ini
[remote "origin"]
    fetch = +refs/heads/*:refs/remotes/origin/*
    url = git@github.com:joyent/node.git
    fetch = +refs/pull/*/head:refs/remotes/origin/pr/*  # <====
```

```console
# Now fetch all the pull requests:

$ git fetch origin
From github.com:joyent/node
 * [new ref]         refs/pull/1000/head -> origin/pr/1000
 * [new ref]         refs/pull/1002/head -> origin/pr/1002
```

Then, after filtering, you will need to force push everything back.

As torek notes in the comments:

In this case, if someone is rewriting a repository to delete sensitive data, and someone else has made a PR, the sensitive data might be in the someone-else's repository.

So purging PR branches might not be enough anyway. Any fork (from which a PR was made) would still have the sensitive data anyway.

If there are no forks and the PRs are done using local branches (to the repository), then you don't need to fetch any refs/pull.
Modifying the source branch of a PR and force pushing it should be enough to change the Pull Request (although its page might still reference the previous commits, which are now obsolete).

VonC
  • I don't think you can push to a GitHub `refs/pull/` ref. (I think I tried it a while back and they said no, regardless of who "owned" it.) – torek Sep 25 '20 at 07:03
  • @torek Doesn't the documentation show that you can push a local branch back (from a fetch `pull/ID/head:BRANCHNAME`) to a remote PR branch? (https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/checking-out-pull-requests-locally) – VonC Sep 25 '20 at 07:08
  • You can `git push` to `refs/heads/xxx` and if `refs/heads/xxx` in the push-target repository is the source of `refs/pull/n/head` in the PR-repository, `refs/pull/n/head` will be updated in the PR-repository. But you can't push to `refs/pull/n/head` at all. In this case, if someone is rewriting a repository to delete sensitive data, and someone *else* has made a PR, the sensitive data might be in the someone-else's repository... – torek Sep 25 '20 at 07:12
  • @torek I agree and have included your comment about sensitive data in the answer for more visibility. – VonC Sep 25 '20 at 07:15
  • Do you mean bfg is not a good idea? Also, I see it has already pushed, except for the pull requests. So, what can I do to push the pull requests now? – user2636464 Sep 25 '20 at 07:33
  • @user2636464 No, bfg is not a good idea, for reasons highlighted in https://github.com/newren/git-filter-repo#bfg-repo-cleaner – VonC Sep 25 '20 at 07:35
  • @user2636464 You need to fetch the PR branches, reapply your filter, and push them back. – VonC Sep 25 '20 at 07:36
  • So, I fetched the PR branches, ran the bfg clean command again, and pushed. It's the same error: `! [remote rejected] refs/pull/1/head -> refs/pull/1/head (deny updating a hidden ref)` – user2636464 Sep 25 '20 at 07:40
  • @user2636464 Yes, that is what torek alluded to above. You cannot modify a PR branch (which comes possibly from another repo). – VonC Sep 25 '20 at 07:42
  • It's the same repo. There are no forks here. – user2636464 Sep 25 '20 at 07:43
  • Then you need to modify the branch which is the source of the PR, so no need to fetch `refs/pull`: simply modifying the source branch and force pushing it should be enough to modify the PR. – VonC Sep 25 '20 at 07:44
  • What do you mean by modifying the source branch? I cannot find this file in the source branch. But I can see the changes made to the deleted file via pull requests in GitHub. – user2636464 Sep 25 '20 at 07:48
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/222058/discussion-between-vonc-and-user2636464). – VonC Sep 25 '20 at 07:55
  • If I read this and the chat correctly, preserving PRs only works for PRs from local branches, and there is no mechanism to preserve PR history from forks? – Bruce Edge Aug 04 '22 at 15:36
  • @BruceEdge Indeed. Fork PR branches would need to be fetched first and imported as local branches if their history needs to be preserved. – VonC Aug 04 '22 at 15:45
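
Added example (not part of the original answer or comments): a check to run in the clone after the rewrite and after fetching `refs/pull/*/head` as shown in the answer, listing every ref that can still reach a commit touching the removed path. `refs_with_path` and `make_demo_repo` are hypothetical helper names; the demo repository and `secrets.env` are constructed, with `refs/remotes/origin/pr/1` standing in for a fetched pull request head.

```shell
#!/bin/sh
# refs_with_path PATH
# Print every ref (branches, tags, remote-tracking refs, fetched PR heads)
# whose history still contains a commit that touched PATH.
refs_with_path() {
    path=$1
    git for-each-ref --format='%(refname)' |
    while read -r ref; do
        # rev-list prints a commit id only if a commit reachable from the ref touched PATH
        if [ -n "$(git rev-list -n 1 "$ref" -- "$path" 2>/dev/null)" ]; then
            echo "$ref"
        fi
    done
}

# Constructed demo repository (assumption, for illustration only):
# "main" ends up clean, while refs/remotes/origin/pr/1 plays the role of a
# fetched pull request head that still carries the file.
make_demo_repo() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    git init -q .
    git symbolic-ref HEAD refs/heads/main
    git config user.name demo
    git config user.email demo@example.invalid
    git config commit.gpgsign false
    echo readme > README
    git add README && git commit -q -m "clean history"
    echo "constructed-secret" > secrets.env
    git add secrets.env && git commit -q -m "PR commit containing the file"
    git update-ref refs/remotes/origin/pr/1 HEAD
    git reset -q --hard HEAD~1    # main no longer reaches the file
}

# Usage inside a real clone: sh this-script.sh path/to/removed/file
if [ "$#" -gt 0 ]; then
    refs_with_path "$1"
fi
```

An empty result means no ref in the local clone reaches the file any more; any `refs/remotes/origin/pr/*` line in the output identifies a pull request whose head still carries it.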