Removing Secret Key from Heroku Git Repo

Question

I have taken a project live with the help of Heroku. I set secret keys properly, using environment variables etc, not committing local settings containing any secret keys etc.

Then, reviewing which actual files had been pushed to the git repo within Heroku, I found an 'old_settings'-file which in a pure oversight had been missed. That file contained the secret-key.

I cleaned out the file and pushed the changes to the repo (git push heroku master). Then I deleted all past commits following the last answer:

removing commit history in git

Should this be fine? Reading Mipadis answer so it seems:

Pushing secret keys to heroku, safe?

Should this be a problem, or would this be considered problem solved?

Appreciate any feedback, and should my English be confusing at all I'd be happy to clarify.

Edit

Generated a new secret-key the same way Django does it, and updated the Heroku environment-variable

heroku config:set secret_key=NEWKEY .

Question remains: would this be sufficient?

Answer 1

GitHub states:

Warning : Once you have pushed a commit to GitHub, you should consider any data it contains to be compromised. If you committed a password, change it! If you committed a key, generate a new one.

This article tells you how to make commits with sensitive data unreachable from any branches or tags in your GitHub repository. However, it's important to note that those commits may still be accessible in any clones or forks of your repository, directly via their SHA-1 hashes in cached views on GitHub, and through any pull requests that reference them . You can't do anything about existing clones or forks of your repository, but you can permanently remove cached views and references to the sensitive data in pull requests on GitHub by contacting GitHub Support or GitHub Premium Support.

It would be best to generate a new secret-key just to be sure.