Forced commits to repositories

[FaisalAshraf44]

Select Topic Area

Question

Body

I noticed some unexpected activity on my GitHub repositories and wanted to clarify the situation.

A past client recently contacted me saying that commits were made to their repository using my GitHub account, even though I did not make those commits.

• When I checked my GitHub repositories, I noticed the following:
• All of my repositories showed “Updated yesterday” (I have attached a screenshot of a few of them).
• Initially, I was able to find the same commit that the client shared with me in one of my other repositories as well.
• After this, I asked the client to remove me from their organization/repository access.
• Later, the same commit disappeared from my repositories, so I asked the client to share screenshots of the commit they saw in their repository. They were able to capture it because I had already been removed from the organization before the commits started disappearing.
• At the moment, all my repositories still show “Updated yesterday”, but when I check inside each repository there are no commits from yesterday.

I am trying to understand how this activity happened since I did not push these commits myself.

[shivrajcodez]

This situation can happen for a few different reasons, and it doesn’t always mean someone directly logged into your GitHub account.

A few things worth checking:

1. Author email vs actual account
   Git commits contain an author email, not strict authentication. If someone configured Git with the same email as your GitHub account, the commit may appear attributed to you even though it wasn’t pushed by your account.

You can verify this by opening the commit and checking:

Author

Committer

Verified / Signed status

Sometimes the committer will be different from the author.

2. Automation or CI workflows
   If the repository had GitHub Actions, bots, or CI pipelines, they might have pushed commits automatically using a token that was associated with your account or email.

3. Personal access tokens
   If you previously created PAT tokens and shared them with scripts, CI systems, or clients, those tokens may still have permission to push.

It’s a good idea to:

Revoke old tokens

Review authorized OAuth apps

Check deploy keys on repositories

4. Cached or rebased commits
   If the client rewrote history (force push, rebase, branch deletion), commits can temporarily appear and later disappear from your visible history.

This can explain why you saw them initially and then they vanished.

5. Organization permissions
   If you were an org member previously, workflows running in that org could have been configured to commit with your identity.

Recommended immediate steps:

Change your GitHub password

Enable 2FA if not already enabled

Revoke unused personal access tokens

Review authorized OAuth apps

Check GitHub security log in your account settings

If the commit still exists in the client’s repository, inspecting the commit metadata (author, committer, and signature) should reveal how it was created.