@DavidCain
Created April 6, 2018 00:50
Publish a private repository, with a sensitive file removed
# Publish a private repository to a publicly viewable repo, with one private file totally purged
#
# Takes extreme precaution to purge all objects & references with sensitive data
export REPO_PATH='/tmp/staging-repository' # Where our temporary repo lives
export PRIVATE_REPO='git@github.com:mitoc/mitoc-ansible.git' # Private repo with sensitive data
export PUBLIC_REPO='git@github.com:DavidCain/mitoc-ansible.git' # Repo viewable to the world
export SENSITIVE_FILE='env_vars/production.yml' # File to be omitted from history
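# Abort on the first failed command, so that a failed clone or pushd can never
# cause the history rewrite below to run in some other repository
set -e
# Start by cloning the private repository with sensitive data
git clone "$PRIVATE_REPO" "$REPO_PATH"
# Move into our Git repository
pushd "$REPO_PATH"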
# Remove the reference to the original repo (we won't be using it again)
git remote rm origin
# Rewrite every commit on every branch and tag, dropping the sensitive file from each one
git filter-branch --force --index-filter "git rm --cached --ignore-unmatch $SENSITIVE_FILE" --tag-name-filter cat -- --all
# Prune references to be _very_ sure the repo is safe
# (https://help.github.com/articles/removing-sensitive-data-from-a-repository/)
git for-each-ref --format='delete %(refname)' refs/original | git update-ref --stdin
git reflog expire --expire=now --all
git gc --prune=now
# Register the public repository as the only remote
git remote add public "$PUBLIC_REPO"
# Push only with lease (to be sure we're not overwriting)
git push --force-with-lease public master
echo "Pushed contents of $PRIVATE_REPO to $PUBLIC_REPO, omitting $SENSITIVE_FILE"
# Cleanup: Optionally remove the temporary dir, return to starting dir
while true; do
    read -r -p "Prune staging directory? ($REPO_PATH) [y/n] " yn
    case $yn in
        [Yy]* ) rm -rf "$REPO_PATH"; break;;
        [Nn]* ) break;;
    esac
done
popd
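
The script above pushes as soon as `git gc` returns, without confirming that the purge worked. The following is an added example, not part of the gist: two Bash functions that check both reachable history and the object store before the push, plus a constructed throwaway repository to try them on. All function names and the sample repository are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist; all function names are hypothetical.

# Print the ID of every blob stored at path $2 in any commit reachable from a
# ref (refs/original included) or a reflog entry of the repository at $1.
blobs_for_path() {
    git -C "$1" rev-list --all --reflog | while read -r commit; do
        git -C "$1" rev-parse --quiet --verify "$commit:$2" || true
    done | sort -u
}

# Reads blob IDs (saved before the rewrite) on stdin. Succeeds only if path $2
# is absent from all reachable history of $1 AND none of those blobs survives
# in the object store. The ( ) body keeps the variables local to the function.
verify_purged() (
    repo=$1 file=$2 status=0
    if [ -n "$(blobs_for_path "$repo" "$file" </dev/null)" ]; then
        echo "FAIL: $file is still reachable from a ref or reflog" >&2
        status=1
    fi
    while read -r blob; do
        [ -n "$blob" ] || continue
        if git -C "$repo" cat-file -e "$blob" 2>/dev/null; then
            echo "FAIL: blob $blob is still in the object store" >&2
            status=1
        fi
    done
    exit "$status"
)

# Constructed sample input: a throwaway repository in which a secret file is
# committed, changed, and then deleted from the tip only. Prints the repo path.
make_sample_repo() (
    repo=$(mktemp -d) && cd "$repo" || exit 1
    {
        git init --quiet
        git config user.email sample@example.invalid
        git config user.name "Sample Author"
        mkdir env_vars
        for value in first second; do
            echo "password: $value" > env_vars/production.yml
            git add -A && git commit --quiet -m "Set secret ($value)"
        done
        git rm --quiet env_vars/production.yml
        echo "docs" > README && git add -A
        git commit --quiet -m "Delete secret from the tip only"
    } >/dev/null
    echo "$repo"
)
```

To use it with the script, save the output of `blobs_for_path "$REPO_PATH" "$SENSITIVE_FILE"` before `git filter-branch` runs, then pipe that list into `verify_purged "$REPO_PATH" "$SENSITIVE_FILE"` after `git gc` and push only if it succeeds. The check covers one path, so the same secret committed under a different file name with different contents is not detected.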