How to exploit GitHub’s Contributions Graph

Doge with Guy Fawkes Mask.

Let’s talk about the Contributions Graph on GitHub. For those of you who don’t know, the contributions graph on GitHub shows your contributions history using squares ranging from white to dark green depending upon the contributions made each day. Let’s face it, we all want it — the perfectly filled graph. It’s the weirdest flex of all. But let’s be logical, for the most of us, it’s a monumental task having to maintain the consistency week after week, day after day, for an entire year — ensuring at least one contribution every day to try and get to that milestone — only to miss out on an ill-fated day and having to start over again from Day 1.

What if I tell you, it can be done in twenty minutes. Well, twenty-ish. You cannot change your history but you can change your contributions graph.

You with 2 contributions, versus the guy with 69420 contributions who, she tells you, not to be worried about.
You with 2 contributions, versus the guy with 69420 contributions who, she tells you, not to be worried about.

It’s no secret that the Contributions Graph on GitHub is not very secure. It’s a collection of data from your contributions on GitHub, displayed in a Graph. So, basically, you can push a repository with preset commit history and gain all those commits as contributions on GitHub. And reverting it is simple as well! Just delete the repo from your account.

Alright, cool. Tell me how it works

Well, all you gotta do is,

  1. Create a new repository on GitHub.
  2. Clone that repository to your local.
  3. Add the script to generate commits and then, execute it on your repository.
  4. Push the repo to your remote, and voila! Sit back and watch the magic unfold.

Hold up! Can we go back to point 3?

The script’s pretty straightforward. All it does is — makes some change in the repository & commits those changes with a fake timestamp — over and over again, as many time as you’d like.

The timestamp can be changed by updating two environment variables that git uses to set the timestamp for the commits — GIT_COMMITER_DATE & GIT_AUTHOR_DATE — which store the timestamps in the standard ISO format. Also commit using that timestamp, just to be sure.

Now, to do it over and over, wrap it in a loop —

TLDR — Here is the script

or 4 loops. First for the year, second for the month, third for the date, and fourth, well, because sometimes, it’s just not enough. As you might have noticed, you can generate commits both — way into the past and the future. Though 1970, I suppose, is as far back as you can go.

Next, you can make the script executable and run it using the following commands from your terminal —

The Pitfalls & Curtain

All the snippets assume that the script is within the repository you created. If you don’t wanna push the script to remote, you can update the script to traverse to the directory of your choice. Now, I’m gonna refrain from insulting your intelligence by telling you how to do it, but you can use the cd command for that.

Although, I will warn you, the script can take quite a bit of time depending upon how greedy you get. After letting it run for 10 minutes, I felt — maybe it was not OK to be “that” guy — and decided to end it.

I did face multiple issues while running the script. For some reason, all the contributions, that were generated, were not being shown on the GitHub — either only the ones for the last year in the timeframe, or only for partial year.

While I couldn’t find the cause or the fix for this — after playing around a bit, it seemed that the issue occurred only when I generated and pushed over a 1000 commits together.

To get around that, you can generate and push commits year by year generating cumulatively less than a 1000 commits in each turn. If you find the cause or the fix for this, do enlighten me in the comments.

Here’s the amazing article that introduced me to this exploit. But I don’t understand why he needs to create a new directory for each commit. Anyhow, do give it a read as well, if this doesn’t satiate you.

Finally, I’d also recommend checking out Gitfiti using which you can draw some crazy pixel art on your contributions graph. Go wild.

💻 Engineer working remotely 🏔 Trying to figure out solutions no one’s thinking about 💭 because “normalcy” is too mainstream 🤷🏻‍♂️

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store