A place for developers to talk about building on Farcaster.

/dev

Suppose u have accidentally pushed a `.env` file into ur repo. You immediately hit `git reset --hard HEAD^ && git push origin -f`. Now u feel safe again. WRONG! GitHub DOES NOT DELETE FORCED-PUSHED COMMITS! All dangling commits can be retrieved via GH's API endpoint `PushEvents`.

To be clear, before posting the screenshot above, I verified that none of the dangling commits pose any security risk. You can read more about it here: https://neodyme.io/en/blog/github_secrets. And the repo is here: https://github.com/neodyme-labs/github-secrets.

𝐖𝐨𝐫𝐤𝐢𝐧𝐠 𝐨𝐧 𝐰𝐡𝐚𝐭'𝐬 𝐧𝐞𝐱𝐭.

https://github.com/pcaversaccio

Furthermore, this is also the case if you change your repository setting from private to public. The events endpoint still lists all `PushEvents` even from the time it was private and the hash of any incorrect commit can still be seen there.