GitHub Actions for GitHub Security Advisories

With GitHub Security Advisories:

You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.

https://help.github.com/en/github/managing-security-vulnerabilities/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability

This sounds really useful for working with team members on fixing security issues in open source projects. 

For normal private repos, we get 2,000 free minutes per month to use with GitHub Actions.

How does GitHub Actions work with temporary private forks for security vulnerabilities? It would be great to be able to properly test our fixes in private, without having to worry about quotas, or reducing what is tested to keep within limits.

What I’d like to avoid is publishing a security fix, and only when it’s public finding out it doesn’t fix the problem on something we normally test and would have otherwise caught before merging.

Thanks!

According to the documentation about billing for GitHub Actions, the 2000 minutes per month for free is the total minutes for all private repositories owned by a same account.

A temporary private fork is also a private repository, so it also will spend the GitHub Actions usage of the account where the fork is owned by.

Right now GitHub Actions doesn’t work seamlessly as part of the Security Advisory / Temporary Private Fork workflow.  The good news is that we are working on changing that. When we’re done, use of Actions with Temporary Private Forks will be treated as an OSS build from a billing perspective. Meaning, the build will be private, but you won’t have the 2k cap to worry about.

1 Like

Has there been any update on this?

could you point me to the docs?