Tags: git, git-commit, git-cherry-pick, git-history, git-history-rewrite

How to delete a commit with a password from BitBucket git repository history?


I have accidentally committed a password to a BitBucket git repository some time ago, several commits behind the current master. While I removed the password later by committing without it, it still exists in several past commits.

I don't mind losing the history of changes during those commits. I'm also not worried about somebody having seen the password during the time it was committed, but I want to delete this history to avoid problems in the future.

What steps to take to ensure that, after those steps, nobody who gets access to this BitBucket repository in the future can find this password?

Let's say I have the commits (from oldest to newest) with the (fake) SHA1s: c001 c002 c003 c004

c002 and c003 are hashes of "bad" commits that I want to delete entirely. I want master to stay on c004, but for c002 and c003 to no longer be accessible for anybody if I give them access to this repo. I tried following the instructions of similar questions on SO that offer to reset or rebase, but could not get them to work; I either manage to delete the commits on my machine but then cannot push back to BitBucket, or fail to delete on my machine altogether after messing something up.

Can somebody please explain the steps needed to:
1. eliminate c002 and c003 from the repository's history
2. make sure it's saved on BitBucket, and that people cannot view those commits either in BitBucket's GUI or by cloning the repo to their machine

I would appreciate an answer that explains what the commands do, and not just some magic git commands that either work or don't work for me. Also, this question is specifically about BitBucket in case some things might be specific to it... I had trouble with "Updates were rejected because the tip of your current branch is behind" when trying to push changes back to BitBucket after making local repo changes with reset --hard. After several failed attempts and frustration with git's docs I decided to ask SO.



Solution

  • What I would do is:

    git checkout revision-where-the-file-was-added   # detach HEAD at the offending commit
    git rm the-file-with-the-password                # take the file out of the index and working tree
    git commit --amend --no-edit                     # fix the revision: rewrite it with the same message, minus the file
    git cherry-pick revision-where-the-file-was-added..the-branch   # replay all later revisions on top of the fixed one
    # if you like the result
    git branch -f the-branch                         # point the branch at the rewritten history
    git push -f origin the-branch                    # force-push, since the new history does not descend from the old tip
    git checkout the-branch
    

    This assumes there's a single line of revisions after the file was added. If there are merges involved in later history, you might have to play with options in cherry-pick.
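The sequence above, run end to end as an added example that is not part of the original answer: it builds a throwaway repository with the question's c001..c004 shape (password enters at c002, is still in the tree at c003, is removed again by c004), rewrites the history with checkout / amend / cherry-pick / branch -f / push -f against a local bare repository standing in for BitBucket, then checks that no reachable commit and no surviving object still holds the secret. The file name `config.env`, the value `DB_PASSWORD=hunter2`, the commit messages and the `run_demo`/`secret_hits`/`scrub_history` helper names are all constructed for this demo. The one deliberate deviation from the answer: the amend rewrites the file to its clean final content instead of `git rm`-ing it, so that c004's own edit to the same file replays without a modify/delete conflict.

```shell
#!/bin/sh
# Added example (not from the original answer): scrub a committed password with
# the checkout / amend / cherry-pick recipe, then verify what is actually gone.
# Everything happens in a temp directory; a local bare repo stands in for
# BitBucket. File name, secret value and commit messages are constructed.
set -eu

SECRET='DB_PASSWORD=hunter2'          # constructed leaked value
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
REPO="$WORK/repo"
ORIGIN="$WORK/origin.git"

# c001..c004 as in the question: the password enters in c002, is still in the
# tree at c003 (that commit does not touch the file), and c004 removes it.
make_history() {
    git init -q "$REPO"
    git -C "$REPO" symbolic-ref HEAD refs/heads/master
    git -C "$REPO" config user.email demo@example.com
    git -C "$REPO" config user.name demo
    git -C "$REPO" config commit.gpgsign false
    printf 'line one\n' > "$REPO/app.txt"
    git -C "$REPO" add -A && git -C "$REPO" commit -qm 'c001: initial import'
    printf 'DB_HOST=db.internal\n%s\n' "$SECRET" > "$REPO/config.env"
    git -C "$REPO" add -A && git -C "$REPO" commit -qm 'c002: add config (leaks password)'
    printf 'line two\n' >> "$REPO/app.txt"
    git -C "$REPO" add -A && git -C "$REPO" commit -qm 'c003: unrelated change'
    printf 'DB_HOST=db.internal\n' > "$REPO/config.env"
    printf 'line three\n' >> "$REPO/app.txt"
    git -C "$REPO" add -A && git -C "$REPO" commit -qm 'c004: drop password from config'
    git init -q --bare "$ORIGIN"
    git -C "$REPO" remote add origin "$ORIGIN"
    git -C "$REPO" push -q origin master
}

# Number of commits reachable from any ref whose tree still contains SECRET.
secret_hits() {
    n=0
    for rev in $(git -C "$REPO" rev-list --all); do
        if git -C "$REPO" grep -q -F "$SECRET" "$rev"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# The answer's recipe. The fix rewrites config.env to its clean final content
# rather than deleting it, so c004's edit of the same file replays cleanly
# (ours and theirs are identical, which git resolves without a conflict).
scrub_history() {
    bad=$(git -C "$REPO" rev-parse master~2)                 # c002
    git -C "$REPO" checkout -q "$bad"
    printf 'DB_HOST=db.internal\n' > "$REPO/config.env"
    git -C "$REPO" add -A && git -C "$REPO" commit -q --amend --no-edit
    git -C "$REPO" cherry-pick "$bad"..master > /dev/null    # replay c003, c004
    git -C "$REPO" branch -f master
    git -C "$REPO" checkout -q master
    git -C "$REPO" push -q -f origin master
    # The old commits are now only held by reflogs; expire them and prune, or
    # the password is still on disk in .git/objects.
    git -C "$REPO" reflog expire --expire=now --all
    git -C "$REPO" gc -q --prune=now
}

run_demo() {
    make_history
    old_blob=$(git -C "$REPO" rev-parse master~2:config.env)  # blob holding the password
    HITS_BEFORE=$(secret_hits)
    scrub_history
    HITS_AFTER=$(secret_hits)
    LOCAL_BLOB_GONE=no
    git -C "$REPO" cat-file -e "$old_blob" 2> /dev/null || LOCAL_BLOB_GONE=yes
    # A force-push only moves the ref: the remote keeps the old objects until
    # it garbage-collects, which on a hosted service is not under your control.
    REMOTE_BLOB_GONE=no
    git -C "$ORIGIN" cat-file -e "$old_blob" 2> /dev/null || REMOTE_BLOB_GONE=yes
    git -C "$ORIGIN" gc -q --prune=now
    REMOTE_BLOB_GONE_AFTER_GC=no
    git -C "$ORIGIN" cat-file -e "$old_blob" 2> /dev/null || REMOTE_BLOB_GONE_AFTER_GC=yes
    printf 'commits containing the secret, before/after rewrite: %s/%s\n' "$HITS_BEFORE" "$HITS_AFTER"
    printf 'old blob gone locally: %s; on remote before gc: %s; after gc: %s\n' \
        "$LOCAL_BLOB_GONE" "$REMOTE_BLOB_GONE" "$REMOTE_BLOB_GONE_AFTER_GC"
}

run_demo
```

The last two lines of output are the practical point of the exercise: after the force-push the local clone is clean only once reflogs are expired and `gc --prune=now` has run, and the remote still answers `cat-file -e` for the old blob until it garbage-collects on its own schedule. Anyone who cloned or fetched in between has the old objects too, and an open pull request that references c002 or c003 keeps them reachable on the server. The rewrite therefore limits future exposure; it does not undo past exposure, so the credential itself still has to be rotated.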