It is apparently well known that GitHub treats a fork network as a kind of super-repository (one shared object store for the original repo and all of its forks), letting you see all the commits in the fork network from any member of it. This is true even for private repos.
For example, if you (Bob) fork repo P from Alice, and Alice makes a commit with hash X into her repo after you forked, you can access it via your fork by its hash.
Even after your fork is deleted, the commits remain accessible through any of the other forks, seemingly forever.
I have found the following related issues and contacted GitHub about them. They said the issues were already known and that it is fine to make them public.
Issue 1: Maintaining access to repos after they kick you out.
It is possible for a user to keep viewing new commits in a repo they no longer have access to. The idea is to make a fork of the private repo before your access is removed; the fork then lets you keep reaching new commits by their hash.
According to the GitHub Docs, if you remove someone's access to your private repo, GitHub deletes all of their forks. This holds for forks made into the user's own account, but not for forks made into an organization.
- Alice has private repo P.
- Alice grants Bob access to P.
- Bob creates an organization called B-org.
- Bob forks P into B-org.
- Alice removes access to P from user Bob.
- Alice makes a commit into P.
- Bob can see the new commit by its hash.
Bob can access the commits in P by their hash. Once you reach one commit, you also have access to all of its ancestors (its parents, their parents, and so on), but not to its descendants.
There are several ways to find commits in the repo:
- If the repo owner has a Pro account, the hashes of all of their branches show up in Insights -> Network.
- GitHub lets you reference commits by a prefix of their hash in URLs, so you can brute-force the 16^4 (~65k) four-hex-character prefix space by iterating from github.com/B-org/P/tree/0000 to github.com/B-org/P/tree/ffff (you can also skip the prefixes of commits you already know). A hit only tells you that some commit in the fork network starts with that prefix; opening the page gives you the full hash. This can also be done via the GitHub API, but there is a quota limit.
- GitHub auto-links commits if you put a 6-character prefix of their hash in a GitHub comment. I could not find a size restriction; it looks like you can pack more than a couple of thousand hashes into one comment. Note that GitHub mentions an anti-abuse quota.
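The prefix brute-force described above, as an added example that is not part of the original write-up: it walks the 16^4 four-character prefix space, requests github.com/&lt;owner&gt;/&lt;repo&gt;/tree/&lt;prefix&gt; for each, and records the prefixes that resolve. Which fetcher is used is pluggable, so the offline run below uses a constructed stand-in with made-up hashes; the real fetcher, the `GITHUB_TOKEN` environment variable it reads, and the owner/repo names `B-org`/`P` are assumptions for illustration, not something the post specifies.

```python
"""Enumerate commits reachable from a fork by short-SHA prefix (added example)."""
import itertools
import os
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Sequence

HEX = "0123456789abcdef"


def prefix_space(length: int = 4) -> Iterable[str]:
    """Yield every lowercase hex prefix of the given length (16**4 = 65536 for length 4)."""
    for digits in itertools.product(HEX, repeat=length):
        yield "".join(digits)


def tree_url(owner: str, repo: str, prefix: str) -> str:
    """The URL form the post uses, e.g. https://github.com/B-org/P/tree/ffff."""
    return f"https://github.com/{owner}/{repo}/tree/{prefix}"


def http_status(url: str, timeout: float = 10.0) -> int:
    """Real fetcher (network): HTTP status of a GET; HTTP errors map to their code.

    Assumption: GITHUB_TOKEN holds a token of the fork owner so private
    forks resolve. Unresolvable prefixes come back as 404.
    """
    req = urllib.request.Request(url, method="GET")
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        req.add_header("Authorization", f"token {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def fake_status_for(shas: Sequence[str]) -> Callable[[str], int]:
    """Constructed offline stand-in for http_status: 200 iff the URL's prefix
    matches one of the given (made-up) commit hashes, else 404."""
    def status(url: str) -> int:
        prefix = url.rsplit("/", 1)[1]
        return 200 if any(s.startswith(prefix) for s in shas) else 404
    return status


def enumerate_prefixes(owner: str, repo: str, status_of: Callable[[str], int],
                       length: int = 4, known_shas: Sequence[str] = ()) -> List[str]:
    """Return every prefix that GitHub resolves to a commit in the fork network.

    Prefixes of already-known commits are skipped, as the post suggests. A hit
    is only a prefix: it may be shared by several commits, and the page it
    resolves to is what reveals the full hash.
    """
    seen = {sha[:length] for sha in known_shas}
    hits: List[str] = []
    for prefix in prefix_space(length):
        if prefix in seen:
            continue
        if status_of(tree_url(owner, repo, prefix)) == 200:
            hits.append(prefix)
    return hits


# Constructed sample: three imaginary commit hashes, two sharing the prefix 3f2a.
SAMPLE_SHAS = [
    "3f2a9c1b7e4d0a6f5b8c2d1e9a0b3c4d5e6f7081",
    "d41d8cd98f00b204e9800998ecf8427e1a2b3c4d",
    "3f2a0000aaaabbbbccccddddeeeeffff00001111",
]

if __name__ == "__main__":
    # Offline run against the stand-in; swap fake_status_for(...) for http_status
    # (and a real owner/repo) to probe a live fork network.
    for hit in enumerate_prefixes("B-org", "P", fake_status_for(SAMPLE_SHAS)):
        print(tree_url("B-org", "P", hit))
```

Against a live repo, keep the rate in mind: 65k unauthenticated web requests trips GitHub's anti-abuse limits quickly, which is also why the post notes the API quota.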
Note that this also applies to private repos in organizations and teams, with the caveat that an organization must explicitly allow its private repos to be forked.
How to check if someone has access to my repos
You can always see the number of forks your repo has, and if you have a GitHub Pro account you can see the fork owners' usernames in the Insights -> Network tab.
Issue 2: Repo Owner has permanent access to private forks.
If you fork a private repo and remove the original owner's access to your fork, you would expect the owner to no longer see your commits. However, they can still reach your commits by finding the commit hash and creating a link to it in their own repo (as above).
Issue 3: Unlimited Private Repos for Organizations, and unlimited collaborators for users.
Free organizations have a limit on the number of private repos, and free users have a limit on the number of collaborators they can have in private repos. However, if a free user forks a private repo into an organization, that org gains a new private repo, and the org can add as many collaborators to it as it wants.