Did you know that anyone can see the email addresses used to make commits to GitHub public repos?
In this tutorial, I’ll show you how you can confirm this and protect your privacy by updating email settings and your local Git configuration.
Github stores the history of commits and events for public repos, which anyone can view.
Git uses your email address to associate your name to any commits you author. Once you push your commits to a public repository on GitHub, the authorship metadata is published as well. - The GitHub Blog
This means that your personal email addresses may be publicly available. I’ll show you how to check this by viewing the .patch file of a commit in a browser and through making Github API calls.
Here is how to find out the email address associated with a commit on GitHub via your browser.
Go to a public GitHub repo in your browser
Click on a specific commit
.patchto the end of the commit URL
You will then see the details of the commit, including the user and email address.
Did you know? You can also add
.diff to the end of a commit URL to also view the Git diff.
The GitHub API for users’ public events is another way you can view personal information associated with GitHub data.
Entering this URL within your browser or calling this URL with a GitHub username returns a JSON object that includes email addresses associated with the user and commits.
You may not be aware who can see your private info online. Art by Banksy. Image source: www.japantimes.co.jp
Fortunately, GitHub has recommendations for setting up privacy to hide personal email addresses.
Go to GitHub → Sign in → Personal Settings → Emails
Tick / enable the following settings:
Keep my email address private
Block command line pushes that expose my email
By doing this, it will configure a GitHub private email for web based operations. This email will be made up of:
<a generated number>+<your username>@users.noreply.github.com
To use this GitHub private email for your GitHub related activities operated from your command line on your computer, you need to set this up in your local Git configuration.
To set the user email for every repo on your computer, run the following command, replacing the example email with your GitHub private email.
git config --global user.email "*email@example.com*"
To check that it has been set, run the following command:
git config --global user.email => firstname.lastname@example.org
To set it for just one repo, run the command without the
--global flag within the chosen project directory.
If you want to look at the file where your Git configuration is stored, you need to open up your
.gitconfig file, which on a Mac is usually stored in your user home directory, eg
~/.gitconfig. The section with your GitHub username and email will appear under
[user]. In your own config, there should be your username and private email address there in the following format:
[user] name = <your Github username> email = <number>+<username>@users.noreply.github.com
Cover up. London graffiti by Banksy and Robbo. Image source: www.widewalls.ch/murals/banksy-robbo/
DANGER ZONE - changing Git history can make irreversible changes, so it is recommended that you backup your work and communicate with others who use the same repo (if there are any) before taking any action.
You have several options:
To rewrite your commit history with your private user details
To discard your commit history for a fresh start from one new commit.
The Github page on Changing author info covers the steps to achieve this. It gives instructions on how to clone a temporary bare copy of your repo, rewrite the author details, then force push it back to the original repo location, and then delete the temporary repo copy.
This is more destructive, but if you don’t care about the commit history and are happy with a fresh start, then it works well. Here is the script to remove your commit history and set the new user details for a new commit for your current work.
git checkout --orphan new-master git add . git commit -m "Clean commits" git branch -m master old-master git branch -m new-master master git push --force --set-upstream origin master git branch -D old-master git push
The orphan branch has no parent commits and is the root of a new branch and commit history. It then pushes everything locally onto that branch using your current gitconfig user details, checks out the master branch and force pushes to overwrite it, then deletes the branch with the original git history.
Use GitHub with privacy enabled. Art by Banksy in Bristol. Image source: visitbristol.co.uk
Managing your privacy online is a sensitive issue. But it can give you more confidence while working online to learn more about how to manage your Git configuration with GitHub.
Here are a few of GitHub’s webpages to learn more about this area.
Originally published at medium.freecodecamp.org