Temporary private forks, made for GitHub Security Advisories, should have their naming convention/format documented #26520
Description
Code of Conduct
- I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
- Published page: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
- Source: https://github.com/github/docs/blob/main/content/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.md
What part(s) of the article would you like to see updated?
Section needing update:
The last part of the section:

> A private fork of the repository is created and shown on the advisory page.
What isn't stated here is the naming convention of the temporary, private repositories that get created. The screenshots that follow do show the naming format, as examples, but the convention itself should be included somewhere in the documentation itself.
The standard naming convention is done as so, from what I can tell, whenever you click the Start a temporary private fork button:
`<repo>-<ghsa-draft-security-advisory-id>`
- Example:
  - GitHub Security Advisory (GHSA) draft: `GHSA-1a2b-cd23-efgh`
  - Draft advisory for the following repo: `my-repo`
  - Temp, private repo name: `my-repo-ghsa-1a2b-cd23-efgh`
Additional information
Other than docs, I think a feature request should be opened for the API of a repository to state whether it is a temporary fork / GHSA-related repository. Otherwise, you have to retrieve this information by querying:
- for draft security advisories
- whether a repo is a fork and private
- what the name of the parent repository is
- check the repo name for a pattern that matches a security advisory
All in order to see whether it is, for certain, a GHSA-related temp fork.
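One way to encode the four checks listed in the post, as an added Python example that is not GitHub's code or the docs project's: it assumes the `<repo>-<ghsa-id>` naming pattern and the `ghsa-xxxx-xxxx-xxxx` ID shape described above, and uses constructed repository records in place of live API responses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed convention from the issue: "<parent-repo-name>-<ghsa-id>", lowercased.
# The four-group GHSA ID shape is an assumption made for this example.
TEMP_FORK_RE = re.compile(
    r"^(?P<parent>.+)-(?P<ghsa>ghsa-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})$"
)


@dataclass
class Repo:
    """Constructed stand-in for the repository fields the post says you must query."""
    name: str
    private: bool
    fork: bool
    parent_full_name: Optional[str] = None  # e.g. "octo-org/my-repo" when fork is True


def classify_temp_fork(repo: Repo, draft_advisories: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Return (is_ghsa_temp_fork, reason) by combining all four checks from the post.

    draft_advisories maps a parent repo's full name to its draft GHSA IDs.
    """
    # Check 1: a temporary advisory fork is both private and a fork.
    if not (repo.private and repo.fork):
        return False, "not a private fork"
    # Check 2: we need the parent repository to compare the name prefix against.
    if not repo.parent_full_name:
        return False, "parent repository unknown"
    # Check 3: the repo name must match <repo>-<ghsa-id>.
    m = TEMP_FORK_RE.match(repo.name)
    if not m:
        return False, "name does not match <repo>-<ghsa-id>"
    parent_name = repo.parent_full_name.split("/")[-1]
    if m.group("parent") != parent_name:
        return False, f"name prefix {m.group('parent')!r} != parent {parent_name!r}"
    # Check 4: the GHSA ID in the name must be a draft advisory of the parent.
    ghsa = m.group("ghsa").upper()
    drafts = {d.upper() for d in draft_advisories.get(repo.parent_full_name, [])}
    if ghsa not in drafts:
        return False, f"{ghsa} is not a draft advisory of {repo.parent_full_name}"
    return True, f"temporary private fork for {ghsa}"


if __name__ == "__main__":
    # Constructed sample data mirroring the example in the post.
    drafts = {"octo-org/my-repo": ["GHSA-1a2b-cd23-efgh"]}
    fork = Repo("my-repo-ghsa-1a2b-cd23-efgh", private=True, fork=True, parent_full_name="octo-org/my-repo")
    print(classify_temp_fork(fork, drafts))
```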