
How to completely remove old commits from GitLab?


I have a repository on GitLab with some commits on one branch as follows:

A - B - C - D - HEAD

I mistakenly uploaded a secret token string in commit B and noticed it later on, so I created a new branch from A and then manually copied all files from commit D, so the history now looks like this:

  / - E - HEAD
A - B - C - D

Now what I did is delete the branch BCD on GitLab so those "token commits" are no longer accessible, and the history looks like:

A - E - HEAD

However, I just noticed that I can still access the troublesome commits through Project -> Activity, where I can see my old pushes and the old commits are still accessible.

How can I completely delete those?


Solution

  • As you have noticed, GitLab holds onto git references in some circumstances, even if you delete those commits and force push over all your branches. Besides the activity page you mentioned, this will also include things like MR diffs, pipeline refs, and more.

    This is also apparent when committing large files -- simply deleting the commits and force pushing won't reduce the project storage size!

    To completely remove the contents from the GitLab project, you need to follow this guide for purging repository history. After you initiate the project cleanup by uploading the filter file, all the various commit references will be deleted and the contents are completely gone and inaccessible.

    You may still see commit hashes and messages in the activity page, but the links will not show any of the contents of those commits because they have been deleted.

    As noted in the docs:

    This process is not suitable for removing sensitive data like password or keys from your repository. Information about commits, including file content, is cached in the database, and remain visible even after they have been removed from the repository.

    So, as mentioned in this answer, the first step you should take is to rotate your compromised credentials.

    If it is important to you to completely remove even the commit messages and hashes in the activity page and database references, your only option would be to migrate/delete and re-create the project (after purging the git history). But this will also remove things like issues, merge requests, etc.
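
Why deleting the branch was not enough, shown on a throwaway local repository (an added example, not part of the original question or answer): a commit object is not removed when the branch pointing to it is deleted, and stays readable by hash until nothing references it and it is pruned. The token value, file names and branch names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. Rebuilds the question's history (A - B - C on a "leaky" branch,
# A - E on main) in a temp repo. Token value and file names are constructed.

demo_dangling_secret() {
  local repo rc
  repo=$(mktemp -d) || return 1
  (
    cd "$repo" || exit 1
    export GIT_CONFIG_NOSYSTEM=1 HOME="$repo"   # ignore the user's git config
    unset XDG_CONFIG_HOME
    git init -q .
    git symbolic-ref HEAD refs/heads/main
    git config user.name demo
    git config user.email demo@example.invalid

    echo "readme" > README
    git add README && git commit -q -m "A"

    git checkout -q -b leaky
    echo "token=CONSTRUCTED-DEMO-TOKEN" > config.txt
    git add config.txt && git commit -q -m "B: adds the token"
    leaked=$(git rev-parse HEAD)
    echo "token=" > config.txt
    git commit -q -am "C: removes the token from the tip only"

    git checkout -q main
    echo "clean copy" > app.txt
    git add app.txt && git commit -q -m "E"
    git branch -q -D leaky                      # what the asker did

    # No branch or tag reaches B any more...
    if git rev-list --all | grep -q "$leaked"; then reachable=yes; else reachable=no; fi
    # ...but the object is still in the store and readable by its hash.
    if git show "$leaked:config.txt" 2>/dev/null | grep -q CONSTRUCTED-DEMO-TOKEN
    then before=readable; else before=gone; fi

    # Local purge: drop reflog entries, then prune unreachable objects.
    git reflog expire --expire=now --all
    git gc -q --prune=now
    if git cat-file -e "$leaked^{commit}" 2>/dev/null
    then after=readable; else after=gone; fi

    echo "reachable=$reachable before_gc=$before after_gc=$after"
  )
  rc=$?
  rm -rf "$repo"
  return $rc
}

demo_dangling_secret
```

The local prune only cleans your own clone; on the server the objects are held by GitLab's own references, which is what the cleanup procedure in the answer addresses.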