Make a GitHub repo private

In cases of politically sensitive changes, we want to work in private rather than public. We can do this by creating a private fork of the repo, but this can be challenging if we need to deploy before the code can be made public. Another option is to make the repo private for a short period of time while we’re working on it.

The following steps need to be completed to make a repo private. No changes should be needed for the release app or deployment process.

1. Set up authentication on Heroku apps

You will need to add the following to your app.json config within the application to require basic auth:

  "env": {
    "BASIC_AUTH_USERNAME": { "required": true },
    "BASIC_AUTH_PASSWORD": { "required": true }
  }

And add the following to application_controller.rb:

    http_basic_authenticate_with(
      name: ENV.fetch("BASIC_AUTH_USERNAME"),
      password: ENV.fetch("BASIC_AUTH_PASSWORD")
    )

To define the username and password, you will need access to the shared Heroku account.

On the Heroku dashboard, locate the relevant pipeline for your application. Add the authentication to the production deployment Heroku app by browsing to Settings -> Config Vars and adding a BASIC_AUTH_USERNAME and BASIC_AUTH_PASSWORD. This will cascade down to review apps.

2. Update the application in the developer docs

Mark the application as being in a private repo by adding private_repo: true to the relevant application within applications.yml.

3. Make sure the developer docs still work

The developer docs might pull in data directly from the repo using ExternalDoc. Make sure that any such references are removed, as the Jenkins job doesn’t have access to this repo.

4. Make the repository private

Within GitHub, navigate to Settings. The option to ‘Mark this repository private’ should appear at the bottom of the page, within the ‘Danger Zone’.
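
Steps 1 and 2 can be checked mechanically before the repository is switched over in step 4. The following is an added example, not part of the original page or of GOV.UK's own tooling: the function name `private_repo_preflight`, the assumed layout of applications.yml (a top-level list of entries keyed by `github_repo_name`) and the sample inputs are all constructed for illustration.

```ruby
require "json"
require "yaml"

BASIC_AUTH_VARS = %w[BASIC_AUTH_USERNAME BASIC_AUTH_PASSWORD].freeze

# Returns a list of problems; an empty list means steps 1 and 2 look complete.
def private_repo_preflight(app_json_text, applications_yml_text, repo_name)
  problems = []
  env = JSON.parse(app_json_text).fetch("env", {})

  BASIC_AUTH_VARS.each do |var|
    entry = env[var]
    if entry.nil?
      problems << "app.json: #{var} is not declared"
    elsif !entry.is_a?(Hash) || entry.key?("value")
      # A literal value here would commit the credential to the repo.
      problems << "app.json: #{var} has a value committed in the file"
    elsif entry["required"] != true
      problems << "app.json: #{var} does not set \"required\": true"
    end
  end

  # Assumed layout: a top-level list of entries keyed by github_repo_name.
  apps = YAML.safe_load(applications_yml_text) || []
  app = apps.find { |a| a["github_repo_name"] == repo_name }
  if app.nil?
    problems << "applications.yml: no entry for #{repo_name}"
  elsif app["private_repo"] != true
    problems << "applications.yml: #{repo_name} lacks private_repo: true"
  end

  problems
end

# Constructed sample inputs (not taken from any real repo).
SAMPLE_APP_JSON = <<~JSON
  { "env": { "BASIC_AUTH_USERNAME": { "required": true },
             "BASIC_AUTH_PASSWORD": "example-password" } }
JSON

SAMPLE_APPLICATIONS_YML = <<~YAML
  - github_repo_name: example-app
    private_repo: true
  - github_repo_name: other-app
YAML

if __FILE__ == $PROGRAM_NAME
  puts private_repo_preflight(SAMPLE_APP_JSON, SAMPLE_APPLICATIONS_YML, "other-app")
end
```

The check on a committed value matters because app.json lives in the repo: the credentials belong only in the Heroku Config Vars described in step 1.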

This page was last reviewed on 8 August 2019. It needs to be reviewed again on 8 February 2020 by the page owner #govuk-2ndline.