Background
- I recently used
git-filter-repo
to scrub cleartext secrets from a repository. - We pin some services' deployments to commit SHAs.
- These commit SHAs are no longer reachable from
origin/main
.
Problem
If git
garbage-collects any of the commits to which services are pinned, and
that service attempts to redeploy, the deployment will fail.
git for-each-ref --contains $SHA
will report all of the refs that can reach
some commit, $SHA
. This may report things like:
refs/replace
(i.e.git-filter-repo
artifacts)refs/stash
- some local branches
- some remote branches
One solution might involve creating references to avoid garbage-collection. But
if any of our pinned commits contains sensitive cleartext we want to ensure
that git
purges these.
Instead let's find the SHAs of the new, rewritten commits and replace the pinned versions with those.
Solution
Essentially we want to find a commit with the same tree state as the currently pinned commit. Here are two ways to get that info...
This way is indirect, but provides more context about the change:
λ git cat-file -p $SHA tree d011a1dd4a3c5c4c6455ab3592fa2bf71d551d22 # <-- copy this tree info parent ba88bbf8de61be932184631244d2ec0ec8205cb8 author William Carroll <wpcarro@gmail.com> 1664993052 -0700 committer William Carroll <wpcarro@gmail.com> 1665116042 -0700 feat(florp): Florp can now flarp You're welcome :)
This way is more direct (read: code-golf-friendly):
λ git log -1 --format=%T $SHA
Now that we have the SHA of the desired tree state, let's use it to query git
for commits with the same tree SHA.
λ git log --format='%H %T' | grep $(git log --format=%T -1 $SHA) | awk '{ print $1 }'
Hopefully this helps!