Context
The daily security scanner flagged personal PII (university alumni email) in git commit metadata across public repos. This session scrubbed the email from commit history using git filter-repo.
What Was Done
- Identified 14 repos with personal email in commit history; 3 are public (agentGuidance, autonomousDev, claude-token-tracker)
- Used git filter-repo --mailmap to rewrite author/committer email to the GitHub noreply address; 30 commits rewritten across the 3 repos (21 + 8 + 1)
- Force-pushed all branches and tags to GitHub
- Synced local working copies
- Verified 0 commits with personal email remaining
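The rewrite-and-verify procedure above as a POSIX shell script. This is an added example, not the session's own script: both addresses are placeholders, the repo URL is supplied by the caller, and it assumes git and git-filter-repo are installed on PATH.

```shell
#!/bin/sh
# Added example, not the session's own script. Both addresses are placeholders;
# assumes git and git-filter-repo are installed on PATH.
OLD_EMAIL="alumni@example.edu"                       # placeholder personal address
NEW_EMAIL="12345678+user@users.noreply.github.com"   # placeholder noreply address

# Write the mailmap git filter-repo consumes. The "<new> <old>" form rewrites
# the email only, for both author and committer, and leaves names untouched.
write_mailmap() {
    printf '<%s> <%s>\n' "$NEW_EMAIL" "$OLD_EMAIL" > "$1"
}

# Verification: read "%ae %ce" lines (author email, committer email) from stdin
# and print how many commits still carry OLD_EMAIL in either field.
count_leaks() {
    awk -v old="$OLD_EMAIL" '$1 == old || $2 == old { n++ } END { print n + 0 }'
}

# Rewrite one repo from a fresh clone under /tmp, force-push every branch and
# tag, and print the remaining-leak count (expected: 0).
scrub_repo() {
    repo_url="$1"
    work="/tmp/scrub-$(basename "$repo_url" .git)"
    rm -rf "$work"
    git clone "$repo_url" "$work"
    write_mailmap "$work.mailmap"
    (
        cd "$work" || exit 1
        # filter-repo moves origin/* to local branches and deletes the origin
        # remote so a stale clone cannot be pushed by accident; re-add it.
        git filter-repo --mailmap "$work.mailmap"
        git remote add origin "$repo_url"
        git push --force --all origin
        git push --force --tags origin
        git log --all --format='%ae %ce' | count_leaks
    )
}

# Stand-alone demonstration over constructed log lines (no repo or network):
# the second and third lines still leak, so this prints 2.
printf '%s\n' \
    "$NEW_EMAIL $NEW_EMAIL" \
    "$OLD_EMAIL $NEW_EMAIL" \
    "$NEW_EMAIL $OLD_EMAIL" | count_leaks
```

Run scrub_repo once per public repo URL; a non-zero count after the push means some ref still carries the old address and the repo needs another pass.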
Key Decisions
- Public repos only: Private repos have zero PII exposure risk, so only 3 public repos were rewritten
- Fresh clone approach: Cloned to /tmp to avoid issues with dirty working trees and stashes
- Global git config already clean: Was already set to noreply address, so no config change needed going forward
Follow-ups
- Add alumni email to GitHub email privacy block list (defense in depth)
- Sync any other clones (VM, MacBook, PC2) with the rewritten history
- GitHub cache may show old email temporarily in contributor graphs