On GitHub, when you create a pull request (PR) from a branch, you are able to view commit history even if you close the PR and delete the branch. This means that if you have sensitive data on GitHub that should not be exposed, the data will still be shown there even if you make an extra commit to remove it.

What you need is not to make additional commits, but to modify the commits you made.

Solution 1 (easy): Remove commits and close the PR

1. keep the PR open and do not delete the branch

2. create a local back up branch in case you want to cherry-pick commits later on

3. switch to the branch of the PR that has the sensitive data

4. make a commit to delete the sensitive data if you have not

Why is this required?

After force pushing your branch, GitHub shows you the difference between the last commit made to the branch before force-pushing the branch and the latest commit of the branch after force-pushing, and those two commits are accessible. This means that if the last commit made to the branch before force-pushing has sensitive data, the data will still be visible on GitHub.

Open

 

5. push the branch

6. find a previous commit of the commit that added the sensitive data and copy the commit hash

7. hard-reset

   git reset --hard <commit-hash>

8. force-push

   git push -f

Demo

Situation: We have a PR that has two commits. The first commit has sensitive data.

Open

1. make a commit to remove the sensitive data

    

2. push the branch
   
   

    

3. hard-reset to the commit before adding the sensitive data

    

4. force-push
   
   

Solution 2 (advanced): Rewrite commits and keep the PR

1. create a local back up branch in case the branch is messed up

2. switch to the branch of the PR that has the sensitive data

3. make a commit to delete the sensitive data if you have not and push the branch (this is for the sensitive data not to show on GitHub after force-pushing)

4. rewrite commit history using git rebase -i
   (Using Git rebase on the command line - GitHub Docs)

5. force-push