Private Mirrors App

2024-07-26

This is a walkthrough of GitHub’s newly introduced Private Mirrors App. The video covers the following specific topics:

  • The challenge open source program offices (OSPOs) face balancing upstream contribution benefits (staying current, developer happiness, brand reputation, code reuse) against risks (IP leakage, secrets, PII, contributor licence agreements, incompatible licences)
  • How standard forking falls short for private review workflows, since a fork of a public repository must also be public
  • Architecture of the Private Mirrors App: a web front-end and service that maintains private mirrors mapped to public forks within a GitHub organization
  • Forking an upstream project (the GitHub org-metrics dashboard) and navigating to the fork in a GitHub organization
  • Configuring a new private mirror via the Private Mirrors App, including targeting a separate Enterprise Managed Users (EMU) organization
  • Managing multiple team mirrors for the same upstream project without overlap
  • Enabling quality gates (builds, tests, policy automation) that must pass before merging into the private mirror’s main branch
  • Automatic sync from the private mirror’s main branch back to the public fork when changes are merged
  • Completing the upstream contribution process by raising a pull request from the public fork to the upstream repository

Related Content

Policy as [versioned] code - you're doing it wrong

2022-09-15

Chris Nesbitt-Smith traces how governance policies are typically born — emotionally, reactively, and as one-shot documents — then shows how applying software engineering principles transforms policy into a living, versioned artefact. The talk covers iterative policy management, Kubernetes admission control, open-source policy tooling, and the cultural shift required to make policy genuinely effective rather than just technically compliant.

Find vulns in your code before they find you

2021-08-18

Security vulnerabilities don't wait to be discovered — and developers are often unknowingly shipping them through open source dependencies. In this episode, Chris is joined by DeveloperSteve Coochin, Developer Advocate at Snyk, to explore the real-world state of vulnerabilities in modern applications. Steve shares findings from his research into the PHP ecosystem and explains how developers can shift vulnerability detection left — catching CVEs in dependencies before they reach production, by integrating tools like Snyk directly into their CI/CD pipelines and GitHub workflows.

V009 - Weekly Technology Vlog #9 (1 year of Cloud With Chris, Azure Retirements, Microsoft Ignite)

2021-03-01

Week nine of the vlog coincides with the one-year anniversary of the Cloud With Chris podcast. Chris kicks off a multi-part blog series on GPG key signing for Git commits, demonstrating how trivially easy it is to spoof a contributor's identity in Git without verification — and how GitHub's GPG validation feature closes that gap. Azure news this week is lighter than usual, covering serverless and low-code scenarios with PowerApps, the new Private Azure Marketplace, and the Azure Quota REST API, plus a significant list of retirement notices from the Azure Updates page all targeting 29 February 2024.