Skip to content

Commit

Permalink
Initial commit
Browse files Browse the repository at this point in the history
  • Loading branch information
@mitko125
mitko125 authored Oct 30, 2024
0 parents commit fec20c4
Show file tree
Hide file tree
Showing 14 changed files with 567 additions and 0 deletions.
6 changes: 6 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
1 change: 1 addition & 0 deletions .github/steps/-step.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
0
1 change: 1 addition & 0 deletions .github/steps/0-welcome.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<!-- readme -->
40 changes: 40 additions & 0 deletions .github/steps/1-removing-sensitive-data.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
<!--
<<< Author notes: Step 1 >>>
Choose 3-5 steps for your course.
The first step is always the hardest, so pick something easy!
Link to docs.github.com for further explanations.
Encourage users to open new tabs for steps!
-->

## Step 1: Removing sensitive data

_Welcome to "Change commit history"! :wave:_

We'll start by working with `.env` files. These files usually contain sensitive content. For this course, we'll work on removing that file and all traces in the Git history. The first step is to remove the file from repository. We'll alter the history later.

We'll assume you're using the command line, but you can complete the course using your preferred tooling.

**What is _sensitive content_?** Sensitive content is anything that is checked into your repository history that may put you or your organization at risk. This content usually comes in the form of credentials (i.e., passwords, access keys). The best practice for accidentally exposed sensitive content is to invalidate it (i.e., revoke a personal access token), completely remove it from all repository copies, and take measures to prevent future exposure.

See [Deleting a file on GitHub Docs](https://docs.github.com/en/repositories/working-with-files/managing-files/deleting-files-in-a-repository#deleting-a-file) if you need additional help removing a file.

### :keyboard: Activity: Remove `.env` in the project root directory

1. Open your terminal of choice, clone this repository, and switch to your repository directory.
```shell
git clone <your-repository-url>
cd <your-repository-name>
```
2. Delete `.env` from the root directory.
```shell
git rm .env
```
3. Commit the removal of `.env`.
```shell
git commit -m "remove .env file"
```
4. Push the removal to GitHub:
```shell
git push
```
5. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.
47 changes: 47 additions & 0 deletions .github/steps/2-removing-with-bfg.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
<!--
<<< Author notes: Step 2 >>>
Start this step by acknowledging the previous step.
Define terms and link to docs.github.com.
-->

## Step 2: Removing a file from Git history using BFG Repo-Cleaner

_You removed `.env` from the repository's root directory! :tada:_

Now that we've deleted the file, people that browse the repository on GitHub.com or anyone looking at just the head commit won't see the file. However, due to Git's nature, the file is still present in the history. In this step, we'll work on removing the file from the repository history.

**What is a _head commit_**? In Git, HEAD points to a branch or a commit. When we say [head commit](https://docs.github.com/en/get-started/quickstart/github-glossary#head), we usually mean the most recent commit in the repository's history.

There are multiple tools available for removing Git history, we'll use BFG Repo-Cleaner in this step. You can find additional documentation on [Using the BFG in GitHub Docs](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository#using-the-bfg).

**What is _BFG Repo-Cleaner_**? BFG Repo-Cleaner is software that can help you search through and alter repository history. Git can natively do this using [`git filter-repo`](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository#using-git-filter-repo), but it can be more complex.

### :keyboard: Activity: Use BFG Repo-Cleaner to remove the `.env` file

1. Update the local copy of your repository to ensure you have the most recent version of the course files.
```shell
git pull
```
2. Install BFG Repo-Cleaner on your machine. You can follow the [instructions on the web site](https://rtyley.github.io/bfg-repo-cleaner/) to do so or you can use a package manager for your operating system.
3. Confirm the `.env` file is removed from the root directory. The command should return empty.
```shell
find . -name ".env"
```
4. Search for .env in the repository's history. The command should return at least 2 commits: the addition of `.env` when you copied this template repository, and the removal of `.env`.
```shell
git log --stat --all -- .env
```
5. Use BFG Repo-Cleaner to delete all references to `.env` that exist in the repository.
```shell
bfg --delete-files .env
```
6. The tool will run and make some suggestions about some follow-up commands. Run those to get your local repository cleaned up.
7. Repeat the search for `.env` in the repository's history. This time, the command should return empty.
```shell
git log --stat --all -- .env
```
8. Push your changes to GitHub. Note we're using the `--force` argument in this step since we're altering Git history.
```shell
git push --force
```
9. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.
36 changes: 36 additions & 0 deletions .github/steps/3-avoiding-future-commits.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
<!--
<<< Author notes: Step 3 >>>
Start this step by acknowledging the previous step.
Define terms and link to docs.github.com.
-->

## Step 3: Avoiding future commits with `.env`

_Nice work removing the file from entire history of the repository! :sparkles:_

The steps we've taken so far ensure that any _new_ clones of the repository don't contain the sensitive data. But what about collaborators that may already have a copy of the repository? You should ask anyone with a copy of the repository to delete it and clone the repository fresh. In a real-life scenario, you'd also take [additional steps](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository#fully-removing-the-data-from-github) to ensure no sensitive data is cached on GitHub.com.

Now that we've mitigated the risk of exposing sensitive content, we'll be proactive and prevent its addition.

We'll now configure Git so it ignores a future addition of sensitive content by adding `.env` to `.gitignore`. If someone should that file to the local copy of their repository, it will remain only on the contributor's machine and won't be pushed to GitHub.

**What is `.gitignore`?** This special file allows us to tell Git naming patterns to ignore. You can read more about it in [Ignoring files on GitHub Docs](https://docs.github.com/en/get-started/getting-started-with-git/ignoring-files).

### :keyboard: Activity: Add `.env` to `.gitignore`

1. Update the local copy of your repository to ensure you have the most recent version of the course files.
```shell
git pull
```
2. Locate the file we added to the repository titled `.gitignore`.
3. Add `.env` to the file.
4. Stage, commit the file:
```shell
git add .gitignore
git commit -m "ignore .env files"
```
5. Push the file to GitHub.com
```shell
git push
```
6. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.
25 changes: 25 additions & 0 deletions .github/steps/X-finish.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
<!--
<<< Author notes: Finish >>>
Review what we learned, ask for feedback, provide next steps.
-->

## Finish

_Congratulations friend, you've completed this course!_

<img src="https://octodex.github.com/images/dinotocat.png" alt=celebrate width=300 align=right>

Here's a recap of all the tasks you've accomplished in your repository:

- Removed a file from the head commit of the repository
- Used BFG Repo-Cleaner to removed a file from all Git history in the repository
- Avoided accidental commits by telling Git to ignore a specific file name

### What's next?

- The Docs on [Removing sensitive data](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository) are comprehensive and recommended reading after this course.
- Try your hand at some of the other features listed in the [BFG Repo-Cleaner documentation](https://rtyley.github.io/bfg-repo-cleaner/).
- [We'd love to hear what you thought of this course](https://github.com/orgs/skills/discussions/categories/change-commit-history).
- [Take another GitHub Skills course](https://github.com/skills).
- [Read the GitHub Getting Started docs](https://docs.github.com/en/get-started).
- To find projects to contribute to, check out [GitHub Explore](https://github.com/explore).
72 changes: 72 additions & 0 deletions .github/workflows/0-welcome.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: Step 0, Welcome

# This step triggers after the learner creates a new repository from the template.
# This workflow updates from step 0 to step 1.

# This will run every time we create push a commit to `main`.
# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
on:
workflow_dispatch:
push:
branches:
- main

# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
permissions:
# Need `contents: read` to checkout the repository.
# Need `contents: write` to update the step metadata.
contents: write

jobs:
# Get the current step to only run the main job when the learner is on the same step.
get_current_step:
name: Check current step number
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- id: get_step
run: |
echo "current_step=$(cat ./.github/steps/-step.txt)" >> $GITHUB_OUTPUT
outputs:
current_step: ${{ steps.get_step.outputs.current_step }}

on_start:
name: On start
needs: get_current_step

# We will only run this action when:
# 1. This repository isn't the template repository.
# 2. The step is currently 0.
# Reference: https://docs.github.com/en/actions/learn-github-actions/contexts
# Reference: https://docs.github.com/en/actions/learn-github-actions/expressions
if: >-
${{ !github.event.repository.is_template
&& needs.get_current_step.outputs.current_step == 0 }}
# We'll run Ubuntu for performance instead of Mac or Windows.
runs-on: ubuntu-latest

steps:
# We'll need to check out the repository so that we can edit the README.
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # Let's get all the branches.

- name: Create a commit with a .env file
run: |
git config --global user.email "github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
echo "SOME_SECURE_TOKEN=abc123" >> .env
git add .env
git commit -m "Add .env file"
git push
# In README.md, switch step 0 for step 1.
- name: Update to step 1
uses: skills/action-update-step@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
from_step: 0
to_step: 1
74 changes: 74 additions & 0 deletions .github/workflows/1-removing-sensitive-data.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
name: Step 1, Removing sensitive data

# This workflow updates from step 1 to step 2.

# This will run every time we push a `.env` file.
# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
on:
workflow_dispatch:
# Add events that trigger this workflow.
push:
paths:
- .env

# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
permissions:
# Need `contents: read` to checkout the repository.
# Need `contents: write` to update the step metadata.
contents: write

jobs:
# Get the current step to only run the main job when the learner is on the same step.
get_current_step:
name: Check current step number
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- id: get_step
run: |
echo "current_step=$(cat ./.github/steps/-step.txt)" >> $GITHUB_OUTPUT
outputs:
current_step: ${{ steps.get_step.outputs.current_step }}

on_push-dotenv-file:
name: On push of .env file
needs: get_current_step

# We will only run this action when:
# 1. This repository isn't the template repository.
# 2. The step is currently 1.
# Reference: https://docs.github.com/en/actions/learn-github-actions/contexts
# Reference: https://docs.github.com/en/actions/learn-github-actions/expressions
if: >-
${{ !github.event.repository.is_template
&& needs.get_current_step.outputs.current_step == 1 }}
# We'll run Ubuntu for performance instead of Mac or Windows.
runs-on: ubuntu-latest

steps:
# We'll need to check out the repository so that we can edit the README.
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # Let's get all the branches.

# Logic for step 1
- name: Ensure .env is gone from the root directory
run: |
if [ -f .env ]; then
echo "The .env file still exists in the root directory, please remove it."
exit 1
else
echo "Great! The .env is no longer in the root directory."
exit 0
fi
# In README.md, switch step 1 for step 2.
- name: Update to step 2
uses: skills/action-update-step@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
from_step: 1
to_step: 2
72 changes: 72 additions & 0 deletions .github/workflows/2-removing-with-bfg.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: Step 2, Removing a file with BFG Repo-Cleaner

# This workflow updates from step 2 to step 3.

# This will run every time we push to the repository.
# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
on:
workflow_dispatch:
# Add events that trigger this workflow.
push:

# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
permissions:
# Need `contents: read` to checkout the repository.
# Need `contents: write` to update the step metadata.
contents: write

jobs:
# Get the current step to only run the main job when the learner is on the same step.
get_current_step:
name: Check current step number
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- id: get_step
run: |
echo "current_step=$(cat ./.github/steps/-step.txt)" >> $GITHUB_OUTPUT
outputs:
current_step: ${{ steps.get_step.outputs.current_step }}

on_push:
name: On push
needs: get_current_step

# We will only run this action when:
# 1. This repository isn't the template repository.
# 2. The step is currently 2.
# Reference: https://docs.github.com/en/actions/learn-github-actions/contexts
# Reference: https://docs.github.com/en/actions/learn-github-actions/expressions
if: >-
${{ !github.event.repository.is_template
&& needs.get_current_step.outputs.current_step == 2 }}
# We'll run Ubuntu for performance instead of Mac or Windows.
runs-on: ubuntu-latest

steps:
# We'll need to check out the repository so that we can edit the README.
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # Let's get all the branches.

# Logic for step 2
- name: Ensure .env is gone from history
run: |
if [ -n "$(git log --stat --all -- .env)" ]; then
echo "File .env is still in the repository's history, please remove it."
exit 1
else
echo "File .env doesn't exist in the repository's history."
exit 0
fi
# In README.md, switch step 2 for step 3.
- name: Update to step 3
uses: skills/action-update-step@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
from_step: 2
to_step: 3
Loading

0 comments on commit fec20c4

Please sign in to comment.