Which sequence best describes the lifecycle of a security advisory in GHAS?


Multiple Choice

Explanation:

Advisories in GHAS are meant to be handled with a private, coordinated workflow before going public. The best sequence starts with drafting the advisory, then privately discussing its potential impact and scope with the team and, if needed, affected parties. After that, a fix is developed and kept in a private fork or branch so the patch can be verified in isolation. Only once the remedy is ready and the details are accurate should the advisory be published to alert the community, share remediation steps, and coordinate disclosure. This order protects users from active exploitation while ensuring the public has clear, actionable guidance.

Publishing immediately without a vetted fix can expose users to risk, which is why this isn’t the right approach. Leaving the advisory as a draft forever prevents the community from learning about and mitigating the issue, and discussing privately with no publication fails to provide the necessary transparency and remediation coordination.
