GitHub's help pages say you can use bfg to remove sensitive data from a repository: https://help.github.com/en/github/authenticating-to-github/removing-sensitive-data-from-a-repository

Here are my learnings

bfg has to be run from the root of the git repository

i.e. you can’t cd into the directory with the sensitive file and then run the following to specify the exact file to delete

bfg --delete-files ./YOUR-FILE-WITH-SENSITIVE-DATA

So you need to get a list of the files to delete first, and then pass the filenames to bfg at the top level of the repo, without any path information

Watch out for duplicate filenames!

Because of the above, if the filename exists elsewhere in the repository, bfg will remove all files with that name from history.

bfg --delete-files addMeetingMockStore.js
bfg --delete-files asyncActionsMockStore.js
bfg --delete-files loadMeetingPartsToCake.js
bfg --delete-files meetingPartsById.js
bfg --delete-files stateWithMeetingNotes.js

The above will scan the repo for any files with the above names and remove the history of them all as if they never existed… except:

bfg will not remove the files from the current commit

You will get a notification that a file name is in a protected commit. So you need to do a git rm filename and manually commit the file deletion, because bfg will not remove a file from the current HEAD

Once you have run bfg and followed its recommendation to run git reflog…

BFG run is complete! When ready, run: git reflog expire --expire=now --all && git gc --prune=now --aggressive

When you go to push the results back to GitHub, the push will be rejected because the histories no longer have a common base (an entire file or files have been removed from the repo), so you need to force it

git push -f origin master
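
To guard against the duplicate-filename problem described above, the following added example (not part of the original post and not bfg's own code) lists every path in history that shares a filename before you hand that name to bfg --delete-files. The function names and the sample paths are assumptions made up for this illustration, and it matches exact filenames only.

```shell
#!/bin/sh
# Added example: preview which history paths `bfg --delete-files NAME` will hit.
# bfg is given a bare filename, so the same name in another directory goes too.

# Every path that ever existed on any ref, one per line (needs a git work tree).
history_paths() {
    git -c core.quotePath=false log --all --pretty=format: --name-only |
        sed '/^$/d' | sort -u
}

# Filter stdin (one path per line) down to paths whose final component is $1.
paths_with_basename() {
    BFG_NAME="$1" awk '{
        n = split($0, part, "/")
        if (part[n] == ENVIRON["BFG_NAME"]) print
    }'
}

# Print the matches for $1 from stdin; return 1 when more than one path matches.
preview_delete() {
    matches=$(paths_with_basename "$1")
    count=$(printf '%s\n' "$matches" | sed '/^$/d' | wc -l | tr -d ' ')
    printf '%s: %s path(s) in history\n' "$1" "$count"
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches" | sed 's/^/  /'
    fi
    [ "$count" -le 1 ]
}

# Constructed sample paths for trying the filter without a repository
# (hypothetical layout, not the original post's repo).
SAMPLE_PATHS='src/mocks/meetingPartsById.js
src/reducers/meetingPartsById.js
test/fixtures/addMeetingMockStore.js
src/notmeetingPartsById.js'

# Usage: sh preview.sh NAME...   (run at the repository root, before bfg)
for name in "$@"; do
    history_paths | preview_delete "$name" ||
        echo "  WARNING: more than one path shares this filename"
done
```

Any name that reports more than one path needs a decision before running bfg, since all of the listed paths will be removed from history.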