What Can an Attacker Do with credentials.json
A few months ago I was experimenting with a project which needed to read a Google Sheets page. It didn’t end up going anywhere, but today I accidentally checked the project, including credentials.json, into my version control. A bit of poking around on Google doesn’t reveal anything obvious as far as a control for this credential.
The JSON you have is the authentication credential that you create when you set up the OAuth consent page for your project. Your application will use this to identify itself to Google and then your users will authorise that your application can access their data. Theoretically, if your application has been given access by a user then anyone with that JSON can impersonate your application (as the reference says), but when you set up the Client ID you also set up the redirect URL, so that should prevent someone actually completing the OAuth using your credentials.
You should, if you have not done so already, go into your project and then in the project / credentials page you will see a list of all the OAuth 2.0 client IDs and you will be able to delete your ID. See doc
To delete a client ID, go to the Credentials page, check the box next
to the ID, and then click Delete.
Aside: Posting secrets into GitHub and then removing them from history is tricky and yes, the Google OAuth documentation isn’t the easiest beast to follow.
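Before deleting anything, it helps to confirm which kind of file was committed. The following is an added example, not part of the original answer or of Google's tooling: it classifies a credentials.json by its top-level keys (an OAuth client file wraps its fields in "web" or "installed"; a service account key carries "type": "service_account") and reports the identifier to revoke without printing the secret. It goes slightly beyond the answer by also recognising service account keys; the sample files and the `triage` function name are constructed for illustration.

```python
import json

# Constructed sample files: every value is a placeholder, not a real credential.
SAMPLE_OAUTH_CLIENT = json.dumps({"web": {
    "client_id": "000000000000-example.apps.googleusercontent.com",
    "project_id": "example-project",
    "token_uri": "https://oauth2.googleapis.com/token",
    "client_secret": "PLACEHOLDER-SECRET",
    "redirect_uris": ["https://app.example.com/oauth2callback"],
}})
SAMPLE_SERVICE_ACCOUNT = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000placeholder",
    "private_key": "PLACEHOLDER-PRIVATE-KEY",
    "client_email": "reader@example-project.iam.gserviceaccount.com",
})


def triage(text):
    """Classify a committed Google credentials file; never echo the secret."""
    data = json.loads(text)
    if not isinstance(data, dict):
        data = {}
    if data.get("type") == "service_account":
        return {
            "kind": "service_account_key",
            "project": data.get("project_id"),
            "revoke_id": data.get("private_key_id"),
            "secret_present": bool(data.get("private_key")),
            "redirect_uris": [],  # no redirect check applies to this key type
            "action": "delete this key on the service account",
        }
    for wrapper in ("web", "installed"):
        client = data.get(wrapper)
        if isinstance(client, dict) and client.get("client_id"):
            return {
                "kind": "oauth_client:" + wrapper,
                "project": client.get("project_id"),
                "revoke_id": client["client_id"],
                "secret_present": bool(client.get("client_secret")),
                "redirect_uris": list(client.get("redirect_uris", [])),
                "action": "delete this OAuth 2.0 client ID on the Credentials page",
            }
    return {"kind": "unknown", "action": "inspect manually"}


if __name__ == "__main__":
    for sample in (SAMPLE_OAUTH_CLIENT, SAMPLE_SERVICE_ACCOUNT):
        print(triage(sample))
```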