Is there a way to run GitHub Actions against a temporary private fork created from a Security Advisory? #35165

radnov · 2022-10-05T06:45:45Z

radnov
Oct 5, 2022

Is there a way to run GitHub Actions against a temporary private fork created from a Security Advisory?

As far as I can see, there's no Actions tab on the private fork and I couldn't find anything relevant by googling around (maybe my searches were bad 🤷).

The only recent information I could find is on this blog post:

Unfortunately with this specialization comes a major issue: GitHub Actions will not run for any PRs within the specialized repository.

They suggest using nektos/act for running the GitHub Actions locally, but this doesn't fit our use case.

Would it be possible to run GHA with Self-hosted runners maybe?

SecKatie · 2022-11-18T17:33:07Z

SecKatie
Nov 18, 2022

This is a significant pain point for Keycloak and limits the usefulness of the GitHub Security Advisory product overall.

1 reply

abstractj Nov 18, 2022

I would argue that's not only for Keycloak, considering that several open-source projects are also impacted by the lack of a reliable way to execute the pipelines.

ScriptAutomate · 2023-07-13T18:37:42Z

ScriptAutomate
Jul 13, 2023

This same problem came up for me in a separate, partially-related discussion:

GitHub Discussion: Extend APIs related to GitHub Security Advisories and their Temporary Private Forks

0 replies

gsmet · 2023-09-12T12:17:38Z

gsmet
Sep 12, 2023

This limitation is also very problematic for the Quarkus project. It makes this feature close to unusable as we really need to make sure the tests are passing before merging and running them locally is not really an option.

0 replies

di · 2024-02-13T17:08:41Z

di
Feb 13, 2024

Here's this feature request on the GitHub product roadmap: github/roadmap#627

0 replies

gtjoseph · 2024-02-13T20:09:16Z

gtjoseph
Feb 13, 2024

Here's what I just posted in the Security Advisories Feature Requests & Improvements thread.

https://github.com/orgs/community/discussions/12226#discussioncomment-8458224

0 replies

glye · 2024-03-01T08:59:21Z

glye
Mar 1, 2024

Adding my voice, we have been frustrated by this lack for a long time. We need CI in temporary private repositories. There are security concerns when adding it, but the current situation is also a security problem: The release process constantly risks being disrupted by problems CI would have discovered. So we risk security fixes being made public quite some time before the fix is actually usable, granting more time for bad actors to exploit before fixes are installed.

0 replies

aelnosu · 2024-08-01T02:02:05Z

aelnosu
Aug 1, 2024

This comment is here so I will get notification about this thread.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Is there a way to run GitHub Actions against a temporary private fork created from a Security Advisory? #35165

{{title}}

Replies: 7 comments 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Is there a way to run GitHub Actions against a temporary private fork created from a Security Advisory? #35165

Replies: 7 comments · 1 reply

Replies: 7 comments 1 reply