Resolving GitHub Push Protection Error

Published: Friday, September 19, 2025

TL;DR: The Commands

  1. git checkout JIRA-1234-feat-receive-amex
  2. git rebase -i 123458821aeda4c^
  3. In the editor, change pick to edit for the commit 1234588
  4. Save and close the editor
  5. Remove the secret string from the specified file
  6. git add -p <filepath>
  7. git commit --amend
  8. git rebase --continue

The Problem: Push Rejected

You were working on a feature in a branch. After making a series of commits, you tried to push your branch to the organization’s remote repository, but GitHub refused the push due to its Push Protection feature.

Push protection is a secret scanning feature that proactively scans your code for secrets during the push process and blocks the push if any are detected.

The error message looked something like this:

$ git push --set-upstream origin JIRA-1234-feat-receive-amex

remote: error: GH013: Repository rule violations found for refs/heads/JIRA-1234-feat-receive-amex
...
remote: ===== GITHUB PUSH PROTECTION =====
...
remote: - Push cannot contain secrets
...
remote:   locations:
remote:     - commit: 123458821aeda4cb54e3d4595136c54eba8af701
remote:       path: src/config/.sample_env
remote:
...

To resolve this, we need to edit that specific commit to remove the secret.

Understanding the Branch State

Let's assume the state of your branch is as follows. The offending commit is E (1234588).

A — B — C         <- main
      |
      D — E — F — G   <- JIRA-1234-feat-receive-amex (HEAD)

Our goal is to modify commit E without affecting the other commits (D, F, G).

The Solution: Interactive Rebase

The most effective tool for this job is git rebase -i (interactive rebase).

Step 1: Start the Interactive Rebase

First, ensure you are on the correct branch.

$ git checkout JIRA-1234-feat-receive-amex

Next, we will start an interactive rebase. We need to tell Git which commits to "replay." We want to edit commit E, so we need to rebase from its parent, which is D. The parent of a commit can be referenced with the ^ symbol (e.g., E^).

Run the rebase command using the full hash of the problematic commit, followed by ^.

$ git rebase -i 123458821aeda4cb54e3d4595136c54eba8af701^

Step 2: Mark the Commit for Editing

Your default text editor will open with a list of commits that are part of the rebase (E, F, and G). By default, they are all marked with pick.

pick 1234588 An offending commit with a secret
pick 6b84a3e A subsequent feature commit
pick 2c7a5f9 Another feature commit

# Rebase 2d3f1a9..2c7a5f9 onto 2d3f1a9 (3 commands)
# ...

Change the word pick to edit (or just e) next to the commit you need to fix (1234588). Then, save and close the editor.

edit 1234588 An offending commit with a secret
pick 6b84a3e A subsequent feature commit
pick 2c7a5f9 Another feature commit

Git will now pause the rebase at this specific commit, allowing you to make changes.

Step 3: Remove the Secret

The rebase is now paused. You can open the file src/config/.sample_env and remove the secret string. Once you've removed it, you need to stage the change.

Using git add -p is a good practice to review your changes before staging them.

$ git add -p src/config/.sample_env

Step 4: Amend the Commit

After staging the removal of the secret, you need to amend the current commit. This command updates the last commit with your newly staged changes.

$ git commit --amend

Your editor will open again with the original commit message. You can leave it as is, or modify it if needed. Save and close the editor. You can confirm that your working directory is clean with git status.

Step 5: Continue the Rebase

Now that you've fixed the commit, tell Git to continue replaying the rest of the commits (F and G).

$ git rebase --continue

If there are no conflicts, you will see a success message:

Successfully rebased and updated refs/heads/JIRA-1234-feat-receive-amex.

Step 6: Push Your Changes

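Your branch history has been rewritten, and the secret is gone. You can now push your branch. Because the first push was rejected, the branch has no upstream yet, so push with --set-upstream as before. If an earlier version of the branch already exists on the remote, the rewritten history means you will need to force-push instead.

$ git push --set-upstream origin JIRA-1234-feat-receive-amex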