about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--users/wpcarro/website/blog/posts.nix7
-rw-r--r--users/wpcarro/website/blog/posts/git-filter-repo-note.md59
2 files changed, 66 insertions, 0 deletions
diff --git a/users/wpcarro/website/blog/posts.nix b/users/wpcarro/website/blog/posts.nix
index fcb2f5659e3b..ba0c6abb62f1 100644
--- a/users/wpcarro/website/blog/posts.nix
+++ b/users/wpcarro/website/blog/posts.nix
@@ -64,4 +64,11 @@
     content = ./posts/nix-shell-note.md;
     draft = false;
   }
+  {
+    key = "git-filter-repo-note";
+    title = "git-filter-repo (note to self)";
+    date = 1665163559;
+    content = ./posts/git-filter-repo-note.md;
+    draft = false;
+  }
 ]
diff --git a/users/wpcarro/website/blog/posts/git-filter-repo-note.md b/users/wpcarro/website/blog/posts/git-filter-repo-note.md
new file mode 100644
index 000000000000..ac4ac79ec517
--- /dev/null
+++ b/users/wpcarro/website/blog/posts/git-filter-repo-note.md
@@ -0,0 +1,59 @@
+## Background
+
+- I recently used `git-filter-repo` to scrub cleartext secrets from a
+  repository.
+- We pin some services' deployments to commit SHAs.
+- These commit SHAs are no longer reachable from `origin/main`.
+
+## Problem
+
+If the `git` garbage-collects any of the commits to which services are pinned,
+and that service attempts to deploy/redeploy, it will fail.
+
+`git for-each-ref --contains $SHA` will report all of the refs that can reach
+some commit, `$SHA`. This may be things like:
+- `refs/replace`: `git-filter-repo` artifacts
+- `refs/stash`
+- some local branches
+- some remote branches
+
+One solution might involve avoid garbage-collection. But if any of our pinned
+commits contained sensitive cleartext we will *want* to ensure that `git` purges
+these.
+
+Instead let's find the SHAs of the new, rewritten commits and replace the pinned
+versions with those.
+
+## Solution
+
+Essentially we want to find a commit with the same *tree* state as the currently
+pinned commit. Here are two ways to get that info...
+
+This way is indirect, but provides more context:
+
+```shell
+λ git cat-file -p $SHA
+tree d011a1dd4a3c5c4c6455ab3592fa2bf71d551d22 # <-- copy this tree info
+parent ba88bbf8de61be932184631244d2ec0ec8205cb8
+author William Carroll <wpcarro@gmail.com> 1664993052 -0700
+committer William Carroll <wpcarro@gmail.com> 1665116042 -0700
+
+feat(florp): Florp can now flarp
+
+You're welcome :)
+```
+
+This way is more direct:
+
+```shell
+λ git log -1 --format=%T $SHA
+```
+
+Now that we have the SHA of the desired *tree* state, let's query `git` for
+commits that share this state.
+
+```shell
+λ git log --format='%H %T' | grep $(git log --format=%T -1 $SHA) | awk '{ print $1 }'
+```
+
+Hopefully this helps!