These days it might be better to teach new users about ‘git switch’ and ‘git restore’ (added in Git 2.23, released 2019-08-16) rather than the two overloaded meanings of the confusing ‘git checkout’ command.
My developers use CVS.
Sometimes, they are really stupid, and they will checkin passwords.
With the RCS archives, I can use vi (or nano, or any other reasonable editor), and remove this foolishness.
When I run "git cvsconvert" any foolishness is ENGRAVED IN STONE.
Removal is possible in git, but not easy.
This is my problem. THERE ARE SO MANY IDIOTS. What can I do?
EDIT: For Windows-centric users of git, you need to run this in every and all repositories RIGHT NOW.
git grep -i password $(git rev-list --all)
[actually, everybody should try it]
Stop using any passwords that get checked in. Set expiry dates for access tokens. Set up git commit hooks that scan for password or API key prefixes and block the commit. Set up appropriate .gitignore files, you can place them in subfolders to keep them simple.
If possible, switch from using passwords or tokens without expiry to using ephemeral or time-limited tokens such as machine or pod identities, JWT tokens, IAM service accounts, public/private key pairs (if you can get by with only a public key in the repo) or two-factor authentication. Consider distributing time-limited passwords with Hashicorp Vault.
Some teams might use a cloud-hosted secrets manager or password manager like 1password to distribute passwords and then have code load the password as it runs on a developer machine. GitHub has a secrets scanner, if you pay them enough money for “Advanced Security” such that secrets can never be pushed upstream if recognized as such.
Also, converting from any repo format to another repo format requires care and multiple repeated attempts. A lot can go wrong. Reposurgeon (from a sibling comment) is highly recommended but also not easy to use. It takes a lot of attention to detail to really get the details right.
Git filter-branch will erase your shame. But as others have said, those credentials are burnt and need to be treated accordingly.