Remove a collaborator from a GitHub repository by going to Settings, clicking Collaborators, finding the person, and clicking the Remove button next to their name. Their access is revoked immediately but all their previous commits remain in the repository. If they had access to secrets or API keys, rotate those credentials after removal.
When and Why to Remove Repository Access
There are several situations where you need to remove someone's access to a GitHub repository: a freelancer finishes their contract, a team member leaves the project, someone was added by mistake, or you are tightening security for a production launch.
Removing a collaborator is instant — the moment you click Remove, they lose the ability to view (for private repos), push code, create branches, or manage issues. However, there are important things that do NOT happen automatically:
1. Previous commits stay. Every commit the person made remains in the repository history. GitHub tracks code changes permanently. You cannot remove their commits without rewriting history (which is complex and rarely necessary).
2. Forks remain. If the person forked your repository before being removed, they still have that fork. Forks are independent copies they own.
3. Secrets are not rotated. If the removed person had access to environment variables, API keys, or database credentials (through the code or deployment tools), they may still know those values. You should rotate all sensitive credentials after removing someone.
If your repository is connected to Lovable, V0, or another AI tool, removing a GitHub collaborator does not affect the AI tool connection — that is tied to the repository owner's account.
Prerequisites
- Admin access to the GitHub repository
- Knowledge of which collaborator to remove
Step-by-step guide
Open repository settings
Navigate to your repository on github.com. Click the Settings tab in the top navigation bar (the gear icon on the far right). You need Admin access to see this tab — if it is not visible, ask the repository owner to remove the collaborator or grant you Admin access first.
Expected result: The repository Settings page opens.
Go to Collaborators
In the left sidebar of the Settings page, click Collaborators (or 'Collaborators and teams' if you are using a GitHub organization). GitHub may ask you to re-enter your password for security. The page shows a list of all current collaborators with their permission levels, plus any pending invitations.
Expected result: You see a list of all collaborators with their usernames, avatars, and permission levels.
Remove the collaborator
Find the person you want to remove in the list. Next to their name and permission level, click the Remove button (it may appear as a red 'Remove' link or an 'X' icon depending on your view). GitHub will ask you to confirm the removal. Click Remove to confirm. The person is immediately removed from the collaborator list and loses access to the repository.
Expected result: The person disappears from the collaborator list and no longer has access to the repository.
Rotate secrets and API keys
After removing a collaborator, assume they had access to any sensitive information in the repository. Go to your deployment platform (Vercel, Netlify) and regenerate environment variables. If your project uses Supabase, rotate the anon key and service role key in the Supabase dashboard under Settings, then API. Update the new keys in your deployment platform. If you use Stripe, rotate API keys in the Stripe dashboard under Developers, then API keys. Update your Lovable project's secrets in the Cloud tab if applicable.
Expected result: All sensitive API keys and environment variables are regenerated and updated in your deployment tools.
Complete working example
```markdown
# Security Checklist: After Removing a Collaborator

Use this checklist every time you remove someone from the repo.

## Immediate Actions
- [ ] Collaborator removed from GitHub Settings → Collaborators
- [ ] Confirm they no longer appear in the collaborator list
- [ ] Check for any open PRs or branches they created

## Credential Rotation
- [ ] Supabase: Rotate anon key and service role key
- [ ] Stripe: Regenerate API keys (test and live)
- [ ] Vercel: Update environment variables with new keys
- [ ] Lovable Cloud tab: Update secrets with new keys
- [ ] Any other API keys the project uses

## Review
- [ ] Check recent commits by the removed person
- [ ] Close any open Issues assigned to them
- [ ] Reassign any open PRs they authored
- [ ] Update CODEOWNERS file if they were listed
```

Common mistakes when removing a Collaborator from a GitHub Repository
Why it's a problem: Assuming their commits are deleted when you remove them
How to avoid: Commits are permanent in Git history. Removing a collaborator only revokes future access. Their past contributions remain in the commit log.
Why it's a problem: Forgetting to rotate API keys and secrets after removal
How to avoid: Always rotate Supabase keys, Stripe keys, and any other credentials the removed person could have seen. Update the new values in Vercel and Lovable.
Why it's a problem: Not checking for forks the person may have created
How to avoid: If the person forked the repo before removal, they still have a copy. You cannot delete their fork. If the repo contains sensitive code, consider this when deciding what to put in the repository.
Why it's a problem: Removing someone from GitHub but forgetting to remove them from the AI tool
How to avoid: If the person also had access to your Lovable, V0, or Replit account, remove them from those platforms separately. GitHub access and AI tool access are independent.
Best practices
- Always rotate API keys and secrets after removing a collaborator, especially for production projects.
- Keep a security checklist (like the one above) and follow it every time you remove someone.
- Review the removed person's recent commits and open PRs before removing them.
- Close or reassign any Issues or PRs that were assigned to the removed person.
- Use the minimum necessary permission level when adding collaborators to reduce risk when removing them later.
- Audit your collaborator list quarterly and remove inactive members proactively.
- Document the removal in your project management tool so the team knows access has changed.
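An added example, not part of the original guide: the Immediate Actions and Review items of the checklist, plus the least-privilege audit from the best practices, run as a script over decoded GitHub REST API responses. The logins and sample responses are constructed, and fetching the JSON with an authenticated client is left out so the block runs offline.

```python
import re

def audit_removed_user(login, collaborators, invitations, pulls, issues, codeowners):
    """Follow-up findings for a removed collaborator.
    Arguments are decoded JSON bodies from the GitHub REST API:
      GET /repos/{owner}/{repo}/collaborators
      GET /repos/{owner}/{repo}/invitations
      GET /repos/{owner}/{repo}/pulls?state=open
      GET /repos/{owner}/{repo}/issues?state=open
    plus the text of the CODEOWNERS file.
    """
    want = login.lower()  # GitHub logins are case-insensitive
    def same(user):
        return bool(user) and user.get("login", "").lower() == want
    # Match "@login" exactly: not "@login-suffix", not an e-mail, not "@org/team".
    handle = re.compile(r"(?<![\w-])@" + re.escape(login) + r"(?![\w/-])", re.I)
    return {
        "still_collaborator": any(same(c) for c in collaborators),
        "pending_invite": any(same(i.get("invitee")) for i in invitations),
        "open_prs": [(p["number"], p["head"]["ref"]) for p in pulls if same(p.get("user"))],
        # The issues endpoint also returns PRs; those carry a "pull_request" key.
        "assigned_issues": [i["number"] for i in issues if "pull_request" not in i
                            and any(same(a) for a in i.get("assignees", []))],
        "codeowners_lines": [n for n, line in enumerate(codeowners.splitlines(), 1)
                             if not line.lstrip().startswith("#") and handle.search(line)],
    }

def elevated_collaborators(collaborators):
    """Logins with push or admin rights: the list to review for least privilege."""
    return sorted(c["login"] for c in collaborators
                  if c.get("permissions", {}).get("admin") or c.get("permissions", {}).get("push"))

# Constructed sample data (hypothetical logins), shaped like the API responses.
COLLABORATORS = [
    {"login": "owner-acct", "permissions": {"admin": True, "push": True, "pull": True}},
    {"login": "teammate", "permissions": {"admin": False, "push": True, "pull": True}},
    {"login": "reviewer", "permissions": {"admin": False, "push": False, "pull": True}},
]
INVITATIONS = [{"invitee": {"login": "Contractor-Dev"}}]  # stale re-invite still pending
PULLS = [{"number": 41, "user": {"login": "contractor-dev"}, "head": {"ref": "feature/payments"}},
         {"number": 42, "user": {"login": "teammate"}, "head": {"ref": "fix/typo"}}]
ISSUES = [{"number": 17, "assignees": [{"login": "contractor-dev"}]},
          {"number": 41, "assignees": [{"login": "contractor-dev"}], "pull_request": {}},
          {"number": 19, "assignees": []}]
CODEOWNERS = "# owners\n* @owner-acct\n/api/ @contractor-dev @teammate\n/web/ @contractor-developer\n"

if __name__ == "__main__":
    print(audit_removed_user("contractor-dev", COLLABORATORS, INVITATIONS, PULLS, ISSUES, CODEOWNERS))
    print(elevated_collaborators(COLLABORATORS))
```

A pending invitation matters as much as a listed collaborator: if the removed person accepts it, their access comes back, so cancel it on the Collaborators page.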
Frequently asked questions
Are the removed person's commits deleted?
No. All commits made by the removed person remain permanently in the repository history. Git is designed to preserve complete history. You would need to rewrite Git history to remove commits, which is complex and not recommended.
Can a removed collaborator still see my private repository?
No. Once removed, they cannot view, clone, or access the private repository in any way. If the repository is public, anyone can still see it regardless of collaborator status.
What if I accidentally remove the wrong person?
Simply re-invite them. Go to Settings, then Collaborators, click Add people, and search for their username. Send a new invitation — they will need to accept it again.
Does removing a collaborator affect Lovable's sync?
No. The Lovable-GitHub sync is tied to the repository owner's account, not collaborators. Removing a collaborator does not interrupt Lovable's auto-sync or V0's PR workflow.
Should I remove a collaborator or just downgrade their permissions?
If they still need some access, downgrade to Read instead of removing. If they no longer need any access, remove them entirely. For contractors finishing a project, full removal is the safest choice.
Can RapidDev help with a security audit after removing a collaborator?
Yes. RapidDev's engineering team can perform a security review of your repository, rotate all credentials across your connected services, and verify that no sensitive data was exposed.