Deleting the commit history using git-filter-repo still shows the commit in closed PRs history

Question

A checked-in secret was removed using git-filter-repo using the documentation here (https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository). Although the commit no longer shows up, neither in the master nor in the feature branch, it still shows up in the closed PR's history.

Is there any way to remove it from there as well?

Answer 1

As far as I know, GitHub, like other Git hosts, doesn't garbage collect any orphaned commits, so if you know the full SHA of old commits you can still find them. The details of your question are actually covered by the Warning in the article you linked to:

Warning: This article tells you how to make commits with sensitive data unreachable from any branches or tags in your repository on GitHub.com. However, those commits may still be accessible in any clones or forks of your repository, directly via their SHA-1 hashes in cached views on GitHub, and through any pull requests that reference them.

Further it explains what you can possibly do about it:

You cannot remove sensitive data from other users' clones of your repository, but you can permanently remove cached views and references to the sensitive data in pull requests on GitHub by contacting us through the GitHub Support portal. GitHub Support only assists in the removal of sensitive data in cases where we determine that the risk can't be mitigated by rotating affected credentials.

My interpretation of that last sentence is GitHub's default is to decline the request, unless you can make a good case for why it's needed.