I’m Luigi Teschio, a developer living in Naples. I work at Automattic, where I contribute to open source projects and the web ecosystem. I’m passionate about creativity, technology, and productivity, and I write about these topics on my personal website.

GitHub Repository Activity View shows removed commits

While working on the omnivore-newsletter project, when my project was still private, I pushed my Omnivore API key. Before making the project public, I rewrote the commit history to delete the key: as expected, /commits/main no longer showed the commit. After a few hours, I was digging into some stats about my new project, and I landed on the activity page (/{repo}/activity): to my surprise (and a little nervousness), I found ALL the commits available (even the ones that I had removed with the force-push). This meant that my private key was public and available to anyone 😱.

After changing the key, I searched, and it seems that it is a common issue:

Luckily, I contacted customer support, and they fixed the problem quickly.

I was a lucky man, but I would prefer more transparency about this feature and maybe the possibility of disabling it: how many GitHub users know about this feature and this issue? Pay attention and ensure that your repo activity pages are clean!
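One way to run that check on your own repository, as an added example that is not code from the original post: it takes activity entries and the set of commits still reachable from a ref, and reports the old heads that a force-push or branch deletion left off every branch. It assumes the entries use the field names of GitHub's REST "List repository activities" response (`activity_type`, `before`, `after`, `ref`, `timestamp`, `actor`); the function name and all sample data are constructed.

```python
# Constructed sample shaped like items returned by GitHub's REST endpoint
# GET /repos/{owner}/{repo}/activity; every SHA and login here is made up.
SAMPLE_ACTIVITY = [
    {"activity_type": "push", "ref": "refs/heads/main", "before": "1" * 40,
     "after": "2" * 40, "timestamp": "2024-01-10T09:00:00Z",
     "actor": {"login": "example-user"}},
    # History rewrite: the old head (2...) is dropped from main.
    {"activity_type": "force_push", "ref": "refs/heads/main", "before": "2" * 40,
     "after": "3" * 40, "timestamp": "2024-01-10T09:30:00Z",
     "actor": {"login": "example-user"}},
    # Force-push on dev whose old head is still contained in another branch.
    {"activity_type": "force_push", "ref": "refs/heads/dev", "before": "1" * 40,
     "after": "4" * 40, "timestamp": "2024-01-11T12:00:00Z",
     "actor": {"login": "example-user"}},
]

# Constructed sample: commits still reachable from a ref in a fresh clone,
# i.e. what `git rev-list --all` would print.
SAMPLE_REACHABLE = {"1" * 40, "3" * 40, "4" * 40}

# Activity types that can leave a commit off every branch.
REWRITE_TYPES = {"force_push", "branch_deletion"}


def overwritten_heads(activity, reachable):
    """Return activity entries whose old head is no longer on any ref.

    These are the commits a history rewrite was meant to remove but that the
    activity view can still link to; secrets in them need rotating.
    """
    findings = []
    for event in activity:
        if event.get("activity_type") not in REWRITE_TYPES:
            continue
        old_head = event.get("before") or ""
        # An all-zero SHA means "no previous commit"; nothing to report.
        if not old_head.strip("0") or old_head in reachable:
            continue
        findings.append({"ref": event.get("ref"), "sha": old_head,
                         "when": event.get("timestamp"),
                         "actor": (event.get("actor") or {}).get("login")})
    return findings


if __name__ == "__main__":
    for f in overwritten_heads(SAMPLE_ACTIVITY, SAMPLE_REACHABLE):
        print(f"{f['when']} {f['ref']}: old head {f['sha']} by {f['actor']}")
```

Each reported SHA is only the tip of the discarded history: treat every commit that was unique to it as exposed as well.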
