Plans to support temporary private forks through GitHub's Security Advisories?

Hello! We’re a large open source project (silverstripe.org), we’re managing ~120 modules as individual repos as part of a “core recipe”, in addition to ~2000 modules in the community. Travis CI has been an absolute game changer for us over the last years.

Currently we’re managing security vulnerability patching through a separate organisation with private repos (github.com/silverstripe vs. github.com/silverstripe-security), and subsequently private (paid) builds on travis-ci.com.

Recently we’ve been pretty excited about Github’s security advisories feature, in particular the temporary private forks. It would allow us to keep management in a single Github organisation, for example simplifying group and member management. When creating a pull request within this special fork, I don’t see any builds being triggered, even though I have signed up the organisation to a free trial for private builds. The upstream repo builds fine, so does the private repo on the separate organisation. All three have identical .travis.yml definitions.

Is this expected behaviour? If so, are you planning to add support for temporary private forks? Will the pricing and allocation work the same way as for other private repos connected to a travis-ci.com account?

In case you can access build information, this is where I’m looking for builds to pop up: https://travis-ci.com/silverstripe/silverstripe-framework-ghsa-pfcw-wfpx-2r26/pull_requests

Thanks!
Ingo
