OBLAIDISH NEWS

Exposed a .env secret on GitHub

Exposing secrets in a public GitHub repository requires immediate action, including rotating credentials and cleaning repository history [devto].

Sources: [devto]

Exposing secrets in a public GitHub repository is a production emergency [devto]. Automated bots scan public repositories, and leaked credentials can be discovered within minutes. Identify exactly what was exposed, including API keys, database credentials, and cloud credentials [devto]. Rotate exposed credentials immediately, generating new ones for API keys, database passwords, and access tokens. Update all environments and redeploy applications to stop using old credentials.

Use tools like git filter-repo or BFG Repo Cleaner to clean repository history, then force-push the updated history and ask collaborators to re-clone or reset local repositories if necessary [devto]. Review logs to determine whether exposed credentials were abused, including cloud audit logs and database access history [devto]. Document the incident, including what happened, what was exposed, actions taken, and current status.

To prevent similar incidents, enable GitHub Secret Scanning, add .env files to .gitignore, and use pre-commit secret detection [devto].
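As an added example (not code from the article or its dev.to source), here is a POSIX shell pre-commit check for the last step: it refuses staged .env files and lines that look like credential assignments, printing only line numbers so the secret itself never lands in terminal scrollback or CI logs. The keyword patterns, the `.env.example` exemption and the `--staged` entry point are this example's own choices.

```shell
#!/bin/sh
# Added example: pre-commit secret check. Copy to .git/hooks/pre-commit,
# make it executable, and invoke it with --staged from the hook.
# Patterns are illustrative; tune them for your stack.

SECRET_ASSIGN='(SECRET|PASSWORD|PASSWD|API_KEY|TOKEN|PRIVATE_KEY)[A-Za-z0-9_]*[[:space:]]*=[[:space:]]*[^[:space:]]{8,}'
AWS_KEY_ID='AKIA[0-9A-Z]{16}'   # well-known public format of AWS access key IDs
PEM_HEADER='-----BEGIN [A-Z ]*PRIVATE KEY-----'

# scan_for_secrets FILE -> 0 if the file is clean, 1 if it must not be committed.
scan_for_secrets() {
  file="$1"
  case "$(basename "$file")" in
    .env.example|.env.sample) ;;   # templates without real values are allowed
    .env|.env.*)
      echo "blocked: $file is an environment file; add it to .gitignore"
      return 1 ;;
  esac
  [ -f "$file" ] || return 0
  # Report line numbers only, never the matched values.
  hits=$(grep -nE "$SECRET_ASSIGN|$AWS_KEY_ID|$PEM_HEADER" "$file" | cut -d: -f1 | tr '\n' ' ')
  if [ -n "$hits" ]; then
    echo "blocked: $file has credential-like content on line(s): $hits"
    return 1
  fi
  return 0
}

# check_staged -> scans every added/copied/modified file in the git index.
# (Simple word splitting: paths containing spaces are not handled here.)
check_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    scan_for_secrets "$f" || status=1
  done
  return $status
}

# Act as a hook only when invoked with --staged, so the functions can be
# sourced and reused elsewhere.
if [ "${1:-}" = "--staged" ]; then
  check_staged || { echo "commit rejected: remove the secret and retry"; exit 1; }
fi
```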
