
But in that case, are you saying you _wouldn't_ immediately change the credential you committed? Sure, the possibility of an adversary forking your repo after that commit but before your revision is small, but still exists.

Once a secret is exposed to the internet, it should be considered public and rotated. In this case mutability/immutability is moot, though likely there are applications for other, non-credential secrets that are not so easily rotated (like your home address or something).



Yes, a changeable credential you just change, but say the medical records of all staff in your entire company or similar.



