How to leave a message for a github.com user

Although GitHub removed the private messaging feature, there's still an alternative.

GitHub host git repositories. If the user you're willing to communicate with has ever committed some code, there are good chances you may reach your goal. Indeed, within each commit is stored some information about the author of the change or the one who accepted it.

Provided you're really dying to exchange with user user_test

• Display the public activity page of the user: https://github.com/user_test?tab=activity
• Search for an event stating "user_test pushed to [branch] at [repository]". There are usually good chances, they may have pushed one of his own commits. Ensure this is the case by clicking on the "View comparison..." link and make sure the user is listed as one of the committers.
• Clone on your local machine the repository they pushed to: git clone https://github.com/..../repository.git
• Checkout the branch they pushed to: git checkout [branch]
• Display the latest commits: git log -50

As a committer/author, an email should be displayed along with the commit data.

Note: Every warning related to unsolicited email should apply there. Do not spam.

This method was working as of Feb 2024

1. Copy and paste the next line into your browser (feel free to bookmark it): https://api.github.com/users/xxxxxxx/events/public
2. Find the GitHub username for which you want the email. Replace the xxxxxxx in the URL with the person's GitHub username. Hit Enter.
3. Press Ctrl+F and search for “email”.

As suggested by qbolec, the above steps can be done by using this snippet:

<input id=username type="text" placeholder="github username or repo link">
<button onclick="fetch(`https://api.github.com/users/${username.value.replace(/^.*com[/]([^/]*).*$/,'$1')}/events/public`).then(e=> e.json()).then(e => [...new Set([].concat.apply([],e.filter(x => x.type==='PushEvent').map(x => x.payload.commits.map(c => c.author.email)))).values()]).then(x => results.innerText = x)">GO</button>
<div id=results></div>

Source: Matthew Ferree @ Sourcecon

Simply create a dummy repo, open a new issue and use @xxxxx to notify the affected user.

If user has notification via e-mail enabled they will get an e-mail, if not they will notice on next login.

No need to search for e-mail address in commits or activity stream and privacy is respected.

For lazy people, like me, a snippet based on Nikhil's solution

<input id=username type="text" placeholder="github username or repo link">
<button onclick="fetch(`https://api.github.com/users/${username.value.replace(/^.*com[/]([^/]*).*$/,'$1')}/events/public`).then(e=> e.json()).then(e => [...new Set([].concat.apply([],e.filter(x => x.type==='PushEvent').map(x => x.payload.commits.map(c => c.author.email)))).values()]).then(x => results.innerText = x)">GO</button>
<div id=results></div>

Here is another way:

• Browse someone's commit history (Click commits which is next to branch to see the whole commit history)

• Click the commit that with the person's username because there might be so many of them

• Then you should see the web address has a hash concatenated to the URL. Add .patch to this commit URL

• You will probably see the person's email address there

Example: https://github.com/[username]/[reponame]/commit/[hash].patch

Source: Chris Herron @ Sourcecon

Github said on April 3rd 2012 :

Today we're removing two features. They've been gathering dust for a while and it's time to throw them out : Fork Queue & Private Messaging

Source

Besides the removal of the github messaging service, usage was often not necessary due to many githubbers communicating with- and advocating twitter.

The advantage is that there is:

• full transparency
• better coverage
• better search features for tweets
• better archiving, for instance by the US Library of Congress

It is probably no coincidence that stackoverflow doesn't allow private messaging either, to ensure full transparency. The entire messaging issue is thoroughly discussed on meta-stackoverflow here.

Does GitHub have this social feature?

If the commit email is kept private, GitHub now (July 2020) proposes:

Users and organizations can now add Twitter usernames to their GitHub profiles

You can now add your Twitter username to your GitHub profile directly from your profile page, via profile settings, and also the REST API.

We've also added the latest changes:

• Organization admins can now add Twitter usernames to their profile via organization profile settings and the REST API.
• All users are now able to see Twitter usernames on user and organization profiles, as well as via the REST and GraphQL APIs.
• When sponsorable maintainers and organizations add Twitter usernames to their profiles, we'll encourage new sponsors to include that Twitter username when they share their sponsorships on Twitter.

That could be a workaround to leave a message to a GitHub user.

Simplest solution that worked for me very well is just to put the username of that particular user or repository link of corresponding user!

<input id=username type="text" placeholder="Github Username or Repo link">
<button onclick="fetch(`https://api.github.com/users/${username.value.replace(/^.*com[/]([^/]*).*$/,'$1')}/events/public`).then(e=> e.json()).then(e => [...new Set([].concat.apply([],e.filter(x => x.type==='PushEvent').map(x => x.payload.commits.map(c => c.author.email)))).values()]).then(x => results.innerText = x)">GO, Get email!</button>
<div id=results></div>

Use (and abuse) Private Vulnerability Reporting (Security Advisories)

This feature was originally introduced to allow safely reporting security issues with a repository: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability

This feature requires per-repository opt-in, and will therefore not be possible for the vast majority of repositories.

However, if you wish to allow yourself to be privately contacted, a natural convention would be to enable security advisories in your own:

• "home repository" https://github.com/<username>/<username>, e.g. https://github.com/cirosantilli/cirosantilli
• github pages home repository https://github.com/<username>/<username>.github.io e.g. https://github.com/cirosantilli/cirosantilli.github.io

To enable those:

• click the security tab of the repository: https://github.com/cirosantilli/cirosantilli/security
• Enable vulnerability reporting
• Private vulnerability reporting -> Enable

Once this is enabled, when other users visit: https://github.com/cirosantilli/cirosantilli/security they will see:

• a "Report a vulnerability button".
• a list of existing vulnerabilities

It is currently very confusing that if your a logged in as the owner, you do not see this page, but you can confirm by visiting the page logged off on a private tab.

Once a vulnerability is opened, it acts basically as a private GitHub issue, where both users can comment to communicate.

The repo owner can then decide to publish the vulnerability publicly at any time, at which point it will appear on the list of vulnerabilities of the repository.

Once published, it becomes impossible to comment on the vulnerability however. But the repo owner can still edit the report title and body details.

For a casual not really a vulnerability conversation this requires:

• setting a dummy affects/fixed version. 0/1 will do just fine
• not request a CVE to not make GitHub admins mad at you, as apparently this opens a review on GitHub's side

In summary, this is too much work for the vast majority of users, and usage for private messaging will be rare. Opt-in is inevitable however for privacy control even if something more dedicated comes some day, so it will always be niche no matter what. But still, it's one way. I've enabled it on my home repos.

You can get the email address this way:

• First, find the last commit (or a commit) of the user you want to contact

• Second, run:

  curl -s 'https://api.github.com/repos/$owner/$project/commits' | jq '.[0] | .commit.author.email'
  

It will output the email address of the last commiter .

For example, you can this way extract the 15 email of the 15 last commiters of chromium project :

curl -s 'https://api.github.com/repos/chromium/chromium/commits?per_page=15' | jq '.[] | .commit.author.email'

Use the github api to fetch user details and more. Using Python:

import requests
import json

headers = {
    'Accept': 'application/vnd.github+json',
    'Authorization': 'Bearer <YOUR-TOKEN>',
    'X-GitHub-Api-Version': '2022-11-28',
}

response = requests.get('https://api.github.com/users/USERNAME', headers=headers)
print(response.text)

If it's not in the user data, use the commit api:

response = json.loads(requests.get('https://api.github.com/repos/OWNER/REPO/commits', headers=headers).content)
print(response[0]) # just get first if only one dev

To get a auth token, go to User-Settings->'Developer Settings'->'Personal Access Tokens', then create a token and insert into python script.