Can't remove ghost branch github/BLOB

Question

My email provider identified an exposed API key and created a branch from my github repo:

I removed my config.js file from my repo and from what github says I only have one branch.

The file still exists because they sent me a link to that specific file and that's where that branch with that file show.

I've tried switching branches, creating a new branch named just like it but nothing. How can I remove that file or the entire branch?

Answer 1

The link your provider sent you is probably to a specific commit. Even if that commit has been rebased out of your history and you've force-pushed, GitHub doesn't normally prune old commits, so they'll still be accessible.

You must assume that any secrets you've pushed to a public repo are compromised. You should revoke that API key and generate a new one, in which case whether GitHub persists the commit doesn't matter. This is the standard security best practice for this case.

If you really need it removed from the history, GitHub has a document that describes the procedure for doing that.