It is by design that anyone can access data from deleted or private repositories on GitHub.



GitHub allows anyone to access data from forks and repositories that have been deleted or set to private, and this behavior is by design rather than a bug, open source security firm Truffle Security said in a blog post.

Anyone can Access Deleted and Private Repository Data on GitHub ◆ Truffle Security Co.

https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github



Consider a typical workflow on GitHub: create a new fork, commit, delete the fork.



Even then, anyone can still view the contents of the fork that was supposed to be deleted. Truffle Security investigated the repositories of a major AI company and found 40 valid API keys in deleted forks. It appears that many companies temporarily hardcode API keys into a fork for verification purposes.



Another case to consider is when a repository you own is forked, you then make new commits to the original repository, and later delete the original repository.



At first glance, it may seem impossible to access commits made to the original after the fork was created, but they remain permanently accessible through GitHub's repository network mechanism.



Furthermore, when open sourcing a new tool, a common workflow is to create a private repository for it, create a private fork, and then make the original repository public while keeping the fork private.



Again, all commits are publicly accessible whether the fork is private or not.



To access such a 'hidden commit,' you only need the hash of the commit in question.



You can view a commit by entering its hash directly into the repository URL.
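The maintainer-side consequence of this, as an added example (not code from the article or from Truffle Security): a small Python scanner over `git log -p` output that attributes each hardcoded credential to the commit that introduced it. The sample log and the key value are constructed for this example; because a commit stays fetchable by its hash even after the fork that held it is deleted, every value the scanner reports has to be rotated, not merely removed in a later commit.

```python
import re
from dataclasses import dataclass
# Constructed `git log -p` output for a hypothetical repository: the first commit
# hardcodes a key in a fork for a quick test, the second commit removes it again.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
    quick check of the vendor API before opening a PR
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DEBUG = False
+API_KEY = "EXAMPLEKEY0123456789abcdefXYZ"
commit 2222222222222222222222222222222222222222
    remove hardcoded key
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,3 @@
 DEBUG = False
-API_KEY = "EXAMPLEKEY0123456789abcdefXYZ"
+API_KEY = os.environ["API_KEY"]
"""

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})$")
FILE_RE = re.compile(r"^\+\+\+ b/(.+)$")
# Credential-like assignment with a long literal value (generic, not vendor-specific).
SECRET_RE = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]")

@dataclass(frozen=True)
class Finding:
    commit: str  # the commit that introduced the value; it stays fetchable by hash
    path: str
    name: str
    value: str

def scan_log(log_text: str) -> list[Finding]:
    """Attribute every added credential-like line to the commit and file it came from."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if m := COMMIT_RE.match(line):
            commit, path = m.group(1), None
        elif m := FILE_RE.match(line):
            path = m.group(1)
        elif line.startswith("+") and (m := SECRET_RE.search(line[1:])):
            findings.append(Finding(commit, path, m.group(1), m.group(2)))
    return findings

def secrets_to_rotate(log_text: str) -> set[str]:
    """A value committed once is exposed for good, even if a later commit removed it."""
    return {f.value for f in scan_log(log_text)}
```

Run it against `git log -p --all` of a repository you own to get the list of values to rotate; the second commit in the sample, which deletes the key, produces no finding, which is exactly why deletion alone is not a fix.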



When Truffle Security reported this as a bug to GitHub, GitHub responded that it was “as designed.” In fact, GitHub’s documentation states that “commits to any repository in a fork network are accessible to all repositories in the fork network, including the upstream repository.”



Truffle Security summarized that 'even private repositories may have their commit contents publicly available' and that 'deleting a repository or fork does not actually delete the commit data,' and called GitHub's specification a 'design flaw.' Because many GitHub users do not understand how the repository network works, this behavior undermines security.

in Software, Web Service, Posted by log1d_ts