I would like to keep both public and private issues in my team's GitHub repo. I'd prefer that some issues are not open to anyone other than my teammates.
Is it possible to make confidential issues in a public git repository?
5.6k views. Asked by kirrikirri. There are 3 best solutions below.
The new Security Advisory feature is a neat way to discuss and fix confidential security issues. You can create a confidential Security Advisory draft (in the Security tab) to discuss the issue, and elaborate a solution within a confidential branch. You can publish the final advisory, if you want, or even assign a CVE number.
Perhaps it goes without saying, but GitHub's official recommendation/workaround suggests creating a second private repo only for private issues: https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-an-issues-only-repository
For a single repo, having a separate myrepo_private_issues repo is a little clunky, but not too bad. At scale it would be a mess. You'd probably want to collect all private issues in a single private repo.
I do think it's still preferable to the other answers though.
You cannot. GitHub (still) does not support Confidential Issues. This is a major problem for open-source projects that want to track security bugs using GitHub Issues or record bug notes that contain PII.
GitLab, however, does.
My recommendation is to create a public issue in your GitHub repo, but with an arbitrary or disguised title and description, and add tags/metadata that reference the same confidential issue in a non-public store, such as a hosted Bugzilla. You could set up two-way integration between the two too, using their webhooks and events systems.
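
For the webhook-based integration suggested in the last answer, the receiver has to authenticate each delivery before it touches the confidential tracker. The following is an added example, not code from any answer on this page: it assumes the GitHub webhook is configured with a secret (so deliveries carry the `X-Hub-Signature-256` header), and the secret, the issue-to-ticket table and the `SEC-1007` ID are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed values for the example: webhook secret and the table linking a
# public placeholder issue number to the ticket ID in the private tracker.
WEBHOOK_SECRET = b"constructed-example-secret"
PLACEHOLDER_TO_PRIVATE = {42: "SEC-1007"}


def verify_signature(secret: bytes, body: bytes, header) -> bool:
    """Validate X-Hub-Signature-256: 'sha256=' + HMAC-SHA256(secret, raw body)."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes so a non-ASCII header cannot raise.
    return hmac.compare_digest(expected.encode(), header[7:].encode())


def handle_issue_event(secret: bytes, body: bytes, header):
    """Return the update for the private tracker, or None to drop the delivery."""
    if not verify_signature(secret, body, header):
        return None  # unsigned, forged or altered delivery
    event = json.loads(body)
    issue = event.get("issue") or {}
    private_id = PLACEHOLDER_TO_PRIVATE.get(issue.get("number"))
    if private_id is None or event.get("action") not in ("closed", "reopened"):
        return None  # not a placeholder issue, or an event we do not mirror
    # Only the open/closed state crosses over; nothing is copied from the
    # private ticket back into the public payload.
    return {"private_id": private_id, "state": issue.get("state")}


def sign(secret: bytes, body: bytes) -> str:
    """Build the header value the sender would attach (used for the sample)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample delivery for placeholder issue #42 being closed.
    body = json.dumps({"action": "closed",
                       "issue": {"number": 42, "state": "closed"}}).encode()
    print(handle_issue_event(WEBHOOK_SECRET, body, sign(WEBHOOK_SECRET, body)))
    print(handle_issue_event(WEBHOOK_SECRET, body + b" ", sign(WEBHOOK_SECRET, body)))
```

The signature must be computed over the raw request bytes as received, before any JSON parsing or re-serialization, otherwise valid deliveries will fail the check.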