[oefrha]

1. Not all secrets can be rotated. E.g. I can't just "rotate" my home address, which I prefer to be private.

2. Even for rotatable secrets, "I don't think there is any potential further damage" rests on the assumption that the secret is 100% invalidated everywhere. What if there are obscure and/or neglected systems, possibly outside of your control, that still accept that secret? No system is bug-free. If I can take steps to minimize access to an invalidated secret, I will.

[jofzar]

> 1. Not all secrets can be rotated. E.g. I can't just "rotate" my home address, which I prefer to be private.

Reporter can sell their current house and move to another home as a workaround

Closing ticket as workaround provided.

[AppleBananaPie]

Here's your promotion!

Thanks for being a great team player!

[matsemann]

Also avoids false positives in the future from automated scanners, bounty hunters etc. if you clean up now.

[whyever]

Ok, so how would such a secret end up in a commit? E.g., I don't see why I would have my home address anywhere close to a code repository. Maybe if I used the wrong "secret" email address when authoring the commit?

If it's not possible to invalidate your compromised software secrets, I would argue that you have bigger and more urgent problems to fix. But fair enough: Deleting them from GitHub might reduce the impact in such cases.

[oefrha]

That's just an example... To give a more real example, I have accidentally committed and pushed my own private data (e.g. from my private social feed) used in testing. That could include my address too, so the example was quite possible to begin with.