I’m Luigi Teschio, a developer living in Naples. I work at Automattic, where I contribute to open source projects and the web ecosystem. I’m passionate about creativity, technology, and productivity, and I write about these topics on my personal website.

GitHub Repository Activity View shows removed commits

While working on the omnivore-newsletter project, when my project was still private, I pushed my Omnivore API key. Before making the project public, I rewrote the commit history to delete the key: as expected, /commits/main no longer showed the commit. After a few hours, I was digging into some stats about my new project, and I landed on the activities page (/{repo}/activity): to my surprise (and a little nervousness), I found ALL the commits available (even the ones that I had removed with the force-push). This meant that my private key was public and available to anyone 😱.

After changing the key, I searched, and it seems that it is a common issue:

Luckily, I contacted customer support, and they fixed the problem quickly.

I was a lucky man, but I would prefer more transparency about this feature and maybe the possibility of disabling it: how many GitHub users know about this feature and this issue? Pay attention and ensure that your repo activities pages are clean!
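One way to check your own repository for this, as an added example that is not part of the original post: the script below scans activity records and reports every force-push along with the commit that was the branch tip before it. It assumes records shaped like the response of GitHub's REST endpoint `GET /repos/{owner}/{repo}/activity` (fields `activity_type`, `ref`, `before`, `after`, `timestamp`, `actor`); the sample data, SHAs and login are constructed.

```python
ZERO_SHA = "0" * 40  # placeholder git uses when a ref has no previous/next commit

# Constructed sample, newest first, mimicking the activity endpoint's JSON.
SAMPLE_ACTIVITY = [
    {"id": 4, "ref": "refs/heads/main", "activity_type": "push",
     "before": "c" * 40, "after": "d" * 40,
     "timestamp": "2024-01-02T10:00:00Z", "actor": {"login": "example-user"}},
    {"id": 3, "ref": "refs/heads/main", "activity_type": "force_push",
     "before": "b" * 40, "after": "c" * 40,
     "timestamp": "2024-01-01T18:30:00Z", "actor": {"login": "example-user"}},
    {"id": 2, "ref": "refs/heads/main", "activity_type": "push",
     "before": "a" * 40, "after": "b" * 40,
     "timestamp": "2024-01-01T12:00:00Z", "actor": {"login": "example-user"}},
    {"id": 1, "ref": "refs/heads/main", "activity_type": "branch_creation",
     "before": ZERO_SHA, "after": "a" * 40,
     "timestamp": "2024-01-01T09:00:00Z", "actor": {"login": "example-user"}},
]


def overwritten_tips(events, ref=None):
    """Return one finding per force-push: the commit that was the branch tip
    before the rewrite and is therefore no longer listed under /commits."""
    findings = []
    for ev in events:
        if ev.get("activity_type") != "force_push":
            continue
        if ref is not None and ev.get("ref") != ref:
            continue
        old_tip = ev.get("before") or ""
        if len(old_tip) != 40 or old_tip == ZERO_SHA:
            continue  # malformed record or no previous commit to report
        findings.append({
            "ref": ev.get("ref"),
            "old_tip": old_tip,
            "new_tip": ev.get("after"),
            "when": ev.get("timestamp"),
            "actor": (ev.get("actor") or {}).get("login"),
        })
    return findings


def report(events, ref=None):
    """Format findings as lines suitable for a pre-publication checklist."""
    return [f"{f['when']} {f['ref']}: {f['old_tip'][:12]} replaced by "
            f"{f['new_tip'][:12]} (by {f['actor']})"
            for f in overwritten_tips(events, ref)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ACTIVITY)) or "no force-pushes recorded")
```

Any reported old tip, and the ancestors that only it referenced, should be treated as still exposed, so a secret in those commits needs rotating regardless of the rewrite.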