Description
Summary
Developers who use temporary private forks to privately fix the issues in their draft security advisories cannot currently take advantage of their test automation in GitHub Actions. We will add support for GitHub Actions in temporary private forks for draft security advisories so that developers can run test automation.
Intended Outcome
Private forks are currently used to fix security issues behind closed doors.
However, if you can't test your code before merging the fix, you could be introducing new bugs as an accidental byproduct. This leads to project maintainers releasing a fix, realizing it has bugs, and then releasing a fix for the fix.
Allowing GitHub Actions to run on private forks will help developers resolve security vulnerabilities faster and more safely.
How will it work?
Developers who open a temporary private fork to fix a security issue will be able to use most GitHub Actions workflows in that private fork as normal. However, because these repositories often have untrusted external collaborators, workflows will be unable to use organization secrets.
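As an added example (not GitHub's code and not part of this roadmap item), the Python sketch below lists the stored secrets each workflow references, to help find test workflows that depend on secrets before relying on them in a temporary private fork. A secret's name does not show whether it is defined at organization or repository level, so every reference other than GITHUB_TOKEN is reported. The function names and the sample workflow fragments are constructed for illustration, and workflows are assumed to live in .github/workflows.

```python
import re
from pathlib import Path

# Matches secrets.NAME and secrets['NAME'] (secret names are not case-sensitive).
SECRET_REF = re.compile(r"\bsecrets\s*(?:\.\s*(\w+)|\[\s*['\"]([^'\"]+)['\"]\s*\])")
INHERIT = re.compile(r"^\s*secrets\s*:\s*inherit\s*(#.*)?$")
BUILTIN = {"GITHUB_TOKEN"}  # created automatically per run, not a stored secret

def secret_refs(text):
    """Return sorted (line_no, name) pairs for stored secrets a workflow uses."""
    found = set()
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip YAML comment lines
        if INHERIT.match(line):
            found.add((no, "*inherit*"))  # reusable workflow receives every secret
        for m in SECRET_REF.finditer(line):
            name = (m.group(1) or m.group(2)).upper()
            if name not in BUILTIN:
                found.add((no, name))
    return sorted(found)

def audit(workflows):
    """Map file name -> secret references, for files that have any."""
    return {f: refs for f, t in workflows.items() if (refs := secret_refs(t))}

def audit_repo(root="."):
    files = sorted(Path(root, ".github", "workflows").glob("*.y*ml"))
    return audit({p.name: p.read_text(encoding="utf-8") for p in files})

# Constructed, trimmed workflow fragments (not from any real repository).
SAMPLE = {
    "test.yml": """\
jobs:
  unit:
    steps:
      - run: make test
        env: {GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"}
""",
    "integration.yml": """\
jobs:
  e2e:
    steps:
      - run: ./run-e2e.sh
        env: {STAGING_API_KEY: "${{ secrets.staging_api_key }}"}
  deploy:
    uses: ./.github/workflows/deploy.yml
    secrets: inherit
""",
}
```

Calling audit_repo() from a repository checkout returns the same mapping for its real workflow files; workflows that do not appear in the result reference no stored secrets.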
Status
Future