What does this mean from a security perspective: "Caution: This repository is private but the published site will be public."

Question

I've got a repo that will contain sensitive information, so in GitHub I made it private. After doing so, however, this message is now displayed:

Caution: This repository is private but the published site will be public.

Can someone help me to understand what this message means? Also, since I need to keep these sensitive files secure, what security considerations should be made?

Thank you in advance.

Answer 1

It means that information stored in gh-pages branch of your repository will be publicly available via GitHub pages via http://<username>.github.io/<projectname>.

gh-pages branch is special branch, which content is automatically published by mechanism called Github Pages.

Here is an example. I've created private repo private_with_pages. You can not see it because, well, it's private. Nevertheless, file index.html, stored in branch gh-pages, is publicly available.

Now in settings of the github repository I see message “Caution: This repository is private but the published site will be public.”

According to this help page the only way to disable this feature is remove gh-pages branch from github. How to remove remote branch is described here.

See related question: Private pages for a private Github repo