I would like to keep both public and private issues in my team's GitHub repo. I'd prefer that some issues are not open to anyone other than my teammates.
2 Answers
You cannot. GitHub (still) does not support Confidential Issues. This is a major problem for open-source projects that want to track security bugs using GitHub Issues or record bug notes that contain PII.
My recommendation is to create a public issue in your GitHub repo but with an arbitrary or disguised title and description, and add tags/metadata that reference the same confidential issue in a non-public store, such as a hosted Bugzilla. You could set up two-way integration between the two too, using their webhooks and events systems.

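The GitHub-to-private-tracker half of the workaround in the answer above could look like this; it is an added example, not part of the original answer. The `ref:` label prefix, the keys, the `BUG-1042` ID and the `ref_index` mapping are assumptions made for illustration, while the `X-Hub-Signature-256` header and the `issues` event fields are GitHub's own.

```python
import hashlib
import hmac
import json

REF_PREFIX = "ref:"  # assumed label prefix, not a GitHub convention


def opaque_ref(private_id: str, ref_key: bytes) -> str:
    """Label for the public placeholder: a keyed hash of the private bug ID,
    so the public repo exposes neither the ID nor the private bug count."""
    digest = hmac.new(ref_key, private_id.encode(), hashlib.sha256).hexdigest()
    return REF_PREFIX + digest[:16]


def verify_signature(body: bytes, header: str, secret: bytes) -> bool:
    """Check GitHub's X-Hub-Signature-256 header: HMAC-SHA256 of the raw body."""
    if not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), header[7:].encode())


def handle_issue_event(body: bytes, header: str, secret: bytes, ref_index: dict):
    """Return (private_id, new_state) for a verified close/reopen event, else None.
    ref_index (opaque label -> private ID) is stored only on the private side."""
    if not verify_signature(body, header, secret):
        return None
    event = json.loads(body)
    if event.get("action") not in ("closed", "reopened"):
        return None
    for label in event["issue"].get("labels", []):
        private_id = ref_index.get(label["name"])
        if private_id is not None:
            # Only the state crosses over; no confidential text is sent to GitHub.
            return private_id, event["issue"]["state"]
    return None


if __name__ == "__main__":
    # Constructed sample: keys, bug ID and payload are made up for illustration.
    ref_key, secret = b"constructed-ref-key", b"constructed-webhook-secret"
    label = opaque_ref("BUG-1042", ref_key)
    payload = {"action": "closed",
               "issue": {"number": 7, "state": "closed", "labels": [{"name": label}]}}
    body = json.dumps(payload).encode()
    sig = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    print(handle_issue_event(body, sig, secret, {label: "BUG-1042"}))
```
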
The new Security Advisory feature is a neat way to discuss and fix confidential security issues. You can create a confidential Security Advisory draft (in the Security tab) to discuss the issue, and elaborate a solution within a confidential branch. You can publish the final advisory, if you want, or even assign a CVE number.

- Noticed as of today it also shows up under issue templates if you have those enabled. – Ciro Santilli OurBigBook.com Jan 24 '23 at 09:01
- Just to add a note. These private security advisory repositories do NOT run any GH actions workflow. It's planned for Q1 2024. – s0undt3ch Jun 18 '23 at 21:37