Extend APIs related to GitHub Security Advisories and their Temporary Private Forks

[ScriptAutomate]

Select Topic Area

Product Feedback

Body

This feature request/discussion was created as an extension of:

• Temporary private forks, made for GitHub Security Advisories, should have their naming convention/format documented github/docs#26520

What is this related to?

• GitHub Docs: Creating a repository security advisory
• GitHub Docs: Collaborating in a temporary private fork to resolve a repository security vulnerability
• GitHub API: Get Repo
• GitHub API: List Repo Security Advisories

Extending API

The API of a repository should state whether it is a temporary fork / GHSA-related repository. Otherwise, you have to retrieve this information by querying:

• for draft security advisories
• whether a repo is a fork and private (a temp private fork currently says fork: False in API calls...)
• what the name of the parent repository is (a temp private fork doesn't actually seem to include this in API calls, since API states it is not a fork, so parent: None if the value retrieved...)
• check the repo name for a pattern that matches a security advisory

All in order to see whether it is, for certain, a GHSA-related temp fork. This means it would be valuable to have multiple aspects of the API updated when it comes to the API-retrieved data on these repository types.

Misc Feedback on GitHub Security Advisories and Temporary Private Forks

This also brings up the problem of not being able to delete a temp private fork, even if the security advisory draft is closed (not released or made public), as I am no unable to delete them after having tested this feature out:

• GitHub Discussion: Deleting a temporary private fork of a repository after addressing a security advisory

This means that dependabot alerts will continually go off until we are able to delete a private fork. Which, at the moment, these seem to be permanently stuck open until GitHub introduces the ability to delete them.

Another problem I ran into was related to GitHub Actions on these temporary forks:

• GitHub Discussion: Is there a way to run GitHub Actions against a temporary private fork created from a Security Advisory?

Many other great suggestions have come up out of another discussion, when it comes to discoverability, permissions, etc.

• GitHub Discussions: Security Advisories Feature Requests & Improvements

[ghostinhershell]

Thank you for sharing this feedback @ScriptAutomate and welcome to the Community!