Private Pull Requests to Public Repositories

Issue #11072 wontfix
Tim-Hinnerk Heuer
created an issue

At work, my team and I have identified a possible improvement to the pull request feature:

We would very much like to be able to do private pull requests, maybe optional per public repository. So, say private pull requests are allowed or enforced, then the user would be forced or optionally be able to make pull requests private, i.e. the source code is not made public until merged.

We identified this as a good requirement because we have private and public repositories at our organisation and for security might not want the data of a pull request being public, for example if a not so advanced user stores a password in a file. So, what we do now is submit no pull requests and just merge a special branch of each user that did some changes. The user then though has to ping the public project maintainer to merge in the changes. It works but it would be nice to have at least a notification in that case. However, putting it in a private pull request would make this much better.

Comments (9)

  1. Erik van Zijst staff

    i.e. the source code is not made public until merged.

    What would happen if a user then views the open pull request on the public repo? Would they get a 403, or would open pull requests be hidden from unprivileged users altogether?

    Interestingly enough, we started out with this kind of behavior, displaying a PR only when the user has read access to both parent and fork. However, this led to confusion and bugs.

    One of these tricky issues we ran into was that if we were hiding the PR from users on the parent that didn't have access to the fork, the intersection of the 2 user bases was sometimes empty, making it impossible to actually get the PR reviewed.

    When it wasn't empty, we had to filter out unprivileged users from the reviewer auto complete dialog, which would confuse the fork owner when he didn't realize what was going on.

    Ultimately this made us decide that if the owner of a private repo sends a pull request to a parent, that implies that the owner wants to open up the code in the PR to the users on the destination repo.

    If you want I could open an internal issue for this, but if I'm very honest I'm unsure if it would get much traction for all of the above reasons.

  2. Tim-Hinnerk Heuer reporter

    I would simply think the private PR should be private to the repository owner(s?) and the person submitting the PR and no one else should see it until merged. Other people just can't see it and would get a 403.

  3. Tim-Hinnerk Heuer reporter

    You could have a special group, say 'exclusive maintainers' and only if 'exclusive maintainers' have write or admin access they are the only exclusive maintainers that get private pull requests that no one else gets. I guess the cost/benefit of implementing and maintaining this feature might be quite high but we would appreciate it and it could give a bit of an edge over other git repository solutions.

  4. Erik van Zijst staff

    We've given it a bit of thought, but we're not convinced that the limited use case you are describing weighs up to the added complexity this would add to our permission system. We're also a little afraid this behavior might not be obvious to most users and so I think it's not realistic that we'd be implementing this.

  5. Dave Greco

    This is one of the major reasons we switched to using GitHub. Unfortunately, we get pulled back to Bitbucket sometimes with other clients. I can't believe you don't see the value in this.
