Collaborating in a temporary private fork to resolve a repository security vulnerability

You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your public repository.

¿Quién puede utilizar esta característica?

Propietarios de repositorios, propietarios de organizaciones, administradores de seguridad y usuarios con el rol de administrador

En este artículo

Nota:

Este artículo se aplica a la edición de avisos de nivel de repositorio como propietario de un repositorio público.

Los usuarios que no sean propietarios de repositorios pueden contribuir a los avisos de seguridad globales en GitHub Advisory Database en github.com/advisories. Las ediciones a las asesorías globales no cambiarán ni afectarán la forma en la que se muestra la asesoría en el repositorio. Para más información, consulta Editing security advisories in the GitHub Advisory Database.

Prerequisites

Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see Creating a repository security advisory.

Creating a temporary private fork

To keep information about vulnerabilities secure, integrations, including CI, cannot access temporary private forks.

  1. En GitHub, navegue hasta la página principal del repositorio.

  2. Debajo del nombre del repositorio, haz clic en Security. Si no puedes ver la pestaña "Security", selecciona el menú desplegable y, después, haz clic en Security.

    Captura de pantalla de un encabezado de repositorio en el que se muestran las pestañas. La pestaña "Seguridad" está resaltada con un contorno naranja oscuro.

  3. En la barra lateral de la izquierda, en "Reporting", haz clic en Advisories.

  4. In the "Security Advisories" list, click the name of the security advisory you'd like to create a temporary private fork in.

  5. Scroll to the bottom of the advisory form and click Start a temporary private fork.

    Screenshot of the "Collaborate on a patch in private" area of the form. The "Start a temporary private fork" button is outlined in dark orange.

    A private fork of the repository is created and shown on the advisory page.

    The naming convention for the private fork is very similar to the convention used for advisories in the GitHub Advisory Database and follows this format: repo-ghsa-xxxx-xxxx-xxxx, where:

    • repo is the name of the repository. To stay under the 100 character limit on repository names, we truncate the original repository's name to 80 characters.
    • xxxx-xxxx-xxxx is the unique identifier of the draft security advisory:
      • x is a letter or a number from the following set: 23456789cfghjmpqrvwx.
      • The numbers and letters are randomly assigned.
      • All letters and numbers are lowercase.

For example, if you create a temporary private fork in a repository called octocat-repo, and the automatically generated ID for the draft advisory is GHSA-x854-cvjg-vx26, the temporary fork will be called octocat-repo-ghsa-x854-cvjg-vx26.

You can also use the REST API to create temporary private forks. For more information, see Create a temporary private fork in the REST API documentation.

Adding collaborators to a temporary private fork

Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see Adding a collaborator to a repository security advisory.

Adding changes to a temporary private fork

Anyone with write permissions to a security advisory can collaborate on a patch by committing changes to a temporary private fork.

  1. En GitHub, navegue hasta la página principal del repositorio.

  2. Debajo del nombre del repositorio, haz clic en Security. Si no puedes ver la pestaña "Security", selecciona el menú desplegable y, después, haz clic en Security.

    Captura de pantalla de un encabezado de repositorio en el que se muestran las pestañas. La pestaña "Seguridad" está resaltada con un contorno naranja oscuro.

  3. En la barra lateral de la izquierda, en "Reporting", haz clic en Advisories.

  4. In the "Security Advisories" list, click the name of the security advisory you'd like to work on.

  5. You can make your changes on GitHub or locally:

    • To make your changes on GitHub, under "Collaborate on a patch", click the temporary private fork. Then, create a new branch and edit files. For more information, see Crear y eliminar ramas en tu repositorio and Editar archivos.
    • To add changes locally, follow the instructions under "Clone and create a new branch" and "Make your changes, then push."

    Screenshot of the "Collaborate on a patch" area of a draft security advisory. The "the temporary private fork" link is outlined in dark orange.

Creating a pull request from a temporary private fork

Anyone with write permissions to a security advisory can create a pull request from a temporary private fork.

  1. En GitHub, navegue hasta la página principal del repositorio.

  2. Debajo del nombre del repositorio, haz clic en Security. Si no puedes ver la pestaña "Security", selecciona el menú desplegable y, después, haz clic en Security.

    Captura de pantalla de un encabezado de repositorio en el que se muestran las pestañas. La pestaña "Seguridad" está resaltada con un contorno naranja oscuro.

  3. En la barra lateral de la izquierda, en "Reporting", haz clic en Advisories.

  4. In the "Security Advisories" list, click the name of the security advisory you'd like to create a pull request in.

  5. Scroll to the bottom of the advisory form. Then, under "Collaborate on a patch", click Compare & pull request to create a pull request for the associated branch.

    Screenshot of the "Collaborate on a patch" area of a draft security advisory. The "Compare & pull request" button is outlined in dark orange.
    The "Open a pull request" includes a header showing the branches that will be compared in a three-dot Git diff comparison when the pull request is created. For more information, see Acerca de comparar ramas en solicitudes de extracción.

  6. Para crear una solicitud de incorporación de cambios que esté lista para revisión, haga clic en Crear solicitud de incorporación de cambios. Para crear un borrador de una solicitud de incorporación de cambios, use el menú desplegable y seleccione Crear solicitud de incorporación de cambios de borrador, y después haga clic en Solicitud de incorporación de cambios de borrador. Si eres miembro de una organización, es posible que tengas que solicitar acceso a borradores de solicitudes de incorporación de cambios de un propietario de la organización. Consulta Acerca de las solicitudes de incorporación de cambios.

No puedes fusionar solicitudes de fusión individuales en una bifurcación privada temporal. En vez de esto, fusionas todas las solicitudes de extracción al mismo tiempo en la asesoría de seguridad correspondiente. For more information, see Merging changes in a security advisory.

Merging changes in a security advisory

Anyone with admin permissions to a security advisory can merge changes in a security advisory.

No puedes fusionar solicitudes de fusión individuales en una bifurcación privada temporal. En vez de esto, fusionas todas las solicitudes de extracción al mismo tiempo en la asesoría de seguridad correspondiente.

Before you can merge changes in a security advisory, every open pull request in the temporary private fork must be mergeable. To keep information about vulnerabilities secure, status checks do not run on pull requests in temporary private forks. For more information, see Acerca de las ramas protegidas.

Additionally, there can be no merge conflicts, and GitHub won't enforce any of the protection rules that you may have set up for the branch you're trying to merge the changes in to.

  1. En GitHub, navegue hasta la página principal del repositorio.
  2. Debajo del nombre del repositorio, haz clic en Security. Si no puedes ver la pestaña "Security", selecciona el menú desplegable y, después, haz clic en Security.
    Captura de pantalla de un encabezado de repositorio en el que se muestran las pestañas. La pestaña "Seguridad" está resaltada con un contorno naranja oscuro.
  3. En la barra lateral de la izquierda, en "Reporting", haz clic en Advisories.
  4. In the "Security Advisories" list, click the name of the security advisory with changes that you'd like to merge.
  5. Scroll to the bottom of the advisory form. Then, under "This advisory is ready to be merged", click Merge pull request(s) to merge all open pull requests in the temporary private fork.

Screenshot of the "Collaborate on a patch" area of a draft security advisory. The "Merge pull requests" button is outlined in dark orange.

Nota:

You can only merge one pull request into the main branch of a temporary private fork. If more than one pull request targets the main branch, merging is blocked.

After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see Publishing a repository security advisory.

Further reading