Today I accidentally pushed a commit containing an API key to github. It wasn’t an important API key, but could be. Reverting the commit will have no effect, as the API key is forever stored in git history. If you are willing to rewrite history there is a solution that is well documented by github.
It all boils down to this. Install BFG repo cleaner (you can use homebrew on a Mac
brew install bfg) and then add your sensitive data into a local text file:
api_key1 password1 secret_code2 etc
bfg --replace-text sensitive.txt.
After the tool is done running you will get a nice detailed output on what it found and changed and ask you to run
git reflog expire --expire=now --all && git gc --prune=now --aggressive
Finally the dangerous part of overwriting public history (if you already pushed the bad commit, otherwise you are fine).
git push -f