You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
... still working on this....
Mostly these changes replace the word "enterprise" for "organization" when talking about configuration at the enterprise level.
Copy file name to clipboardExpand all lines: tooling/github-configuration.md
+44-27Lines changed: 44 additions & 27 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,5 +1,6 @@
1
1
# GitHub InnerSource Configuration
2
2
3
+
-[Layering Source Control Management Configurations](#layering-source-control-management-configurations)
3
4
-[Enterprise Setting](#enterprise-setting)
4
5
-[Repository policies](#repository-policies)
5
6
-[Base permissions](#base-permissions)
@@ -14,47 +15,37 @@
14
15
-[GitHub Connect - Server statistics](#github-connect---server-statistics)
15
16
-[Resources](#resources)
16
17
17
-
## Enterprise Setting
18
18
19
-
####Layering Source Control Management Configurations
19
+
## Layering Source Control Management Configurations
20
20
In GitHub, configuration can be set at different levels. In general, configuration set at the enterprise level will overrule or constrain organizational configuration which will do the same for repository level configuration.
21
-
Sometimes a configuration settings disables options at lower levels. Other times a configuration setting at the enterprise or organization level only sets the default option that is prechecked. It can be changed by a user who takes an additional action at the repository level. Due the overlapping nature of the policies, it is important to pick the right layer to apply a configuration.
22
-
In general, use caution when picking configuration settings at the enterprise or organization level that restrict reasonable choies at the repository level. Nudging with defaults can be better than disabling options enterirely.
21
+
Sometimes a configuration settings disables options at lower levels. Other times a configuration setting at the enterprise or organization level only sets the default option that is prechecked. A user who takes an additional actions can pick a different configuration at the repository level if only the default option is set. Due the overlapping nature of the policies, it is important to pick the right layer to apply a configuration: enterprise, organization, or repository.
22
+
In general, use caution when picking configuration settings at the enterprise or organization level that restrict reasonable choies at the repository level. These can add friction to the developer experience and even promot shadow IT in the worse cases. Nudging with defaults can be better in some circumstances than disabling options enterirely.
23
23
If you have repositories that must be extremely tightly controlled, consider mandating that type of repository go into special organizations set up for those constraints instead of trying to apply those constrains on all enterprise code.
24
24
25
-
### Repository policies set an Organization Level
25
+
## Enterprise Setting
26
+
27
+
### Repository policies set at Enterprise Level
28
+
If your GitHub organization is part of an enterprise on GitHub, there are enterprise level configuration settings that administrators of that Enterprise can change. If you are not an enterprise admin, you will likely not even be able to see these settings.
26
29
27
30
#### Base permissions
28
31
29
-
[Base permissions](https://docs.github.com/en/organizations/managing-organization-settings/managing-base-permissions-for-projects) are permissions that are applied to all of an organization’s repositories from the organization level. They are given to all members of the organization, excluding outside collaborators. Since organization members can have permissions from multiple sources, members and collaborators who have been granted a higher level of access than the base permissions will retain their higher permission privileges. When setting up the base repository permissions to promote InnerSource within your organization on GitHub, it's important to strike a balance between transparency, collaboration, and respecting constraints and limitations. Here are some best practices for setting up repository permissions:
32
+
[Base permissions](https://docs.github.com/en/organizations/managing-organization-settings/managing-base-permissions-for-projects) are permissions that are applied to all of an organization’s repositories from the organization level. They are given to all members of the organization, excluding outside collaborators. Since enterprise members can have permissions from multiple sources, members and collaborators who have been granted a higher level of access than the base permissions will retain their higher permission privileges. For example, if someone was granted write access at the repository level, but their enteprise base permissions only give them read access, they will still return write access. When setting up the base repository permissions to promote InnerSource within your enterprise on GitHub, it's important to strike a balance between transparency, collaboration, and respecting constraints and limitations.
30
33
31
34
| Repository Permission | Description |
32
35
| --- | --- |
33
-
| No Permission | Selecting this means organization membership gives users no permissions to read, write, or admin any repositories in the organization. If not compared with other methods of extending permissions, especially read permissions, this will result in making the organization's repositories hard to discovery, find, or collaborate. |
36
+
| No Policy | Repository read, write, admin permissions are defined at organization or repository level entirely. This option provides for the most flexibility for projects with unique permission needs. |
37
+
| No Permission | Selecting this means enterprise membership gives users no built-in permissions to read, write, or admin any repositories in the organization.
34
38
| Read | All organization members can view the repository's contents, promoting transparency and allowing employees to learn from each other's work. |
35
39
| Write | All organization members will have the "Write" permission. They will able to make commit contributions to the repositories and approve pull requests. |
36
40
| Admin | All organization members will have "Admin" permissions to all repositories in the organization, including clone, pull, and add new collaborators. |
37
41
38
-
"No Permission" or "READ" are common options to choose. Selecting "Read" gives every member of the organization read permissions to EVERY repositories in the organization, even if the repositories visibility is set to private. Many times this is fine and the preferrable option.
39
-
40
-
##### Enabling wide and narrow sharing from a single organization.
41
-
If you want to enable both wide and narrow sharing within a single organization, then the base permissions setting of "No Permission" combined with two other configurations might be preferrable.
42
-
43
-
In situations where it is important to have a single organization be able to hold:
44
-
- Repositories shared to anyone in the enterprise
45
-
- Repositories shared to anyone in the organization
46
-
- Repositories shared to a more limited subset of users
47
-
48
-
... Then 3 settings should be combined:
49
-
1. "No Permissions" should be selected for the base repository permissions for an organization.
50
-
2. Ensure repositories can opt into sharing with everyone in the enterprise by giving repository owners the permission to pick "internal visibility" upon creation at a later date. This is normally available by default, but it can be disabled at the organization or enterprise level. Optionally, there is an organizational policy to set "internal visibility" as the default visibility. Default means repository owners can select to have the repository be private but internal is the pre-checked selection.
51
-
3. To ensure it is low friction for all organization members to have READ access for most repositories in the organization, set up a GitHub team that mirrors that organization's membership. Repository owners that want to share READ permissions to their repository with any member of the organization, can add that team to their repository.
42
+
*To avoid confusion, please note that "No Policy" is an option at the enterprise level, but it is not an option at the organization level.*
52
43
44
+
"No Policy" or "READ" are common choices.
45
+
Selecting "Read" gives every member of the enterprise read permissions to EVERY repository. There are circumstances where this is acceptable based on who the gets membership to the enterprise and what type of code is being stored there. In many other cases, "No Policy" is the best option as it allows for the most flexibility. In large enterprises with many organiations, different organizations will want different base repository permissions, "No Policy" enables each organization to pick their own configuration.
53
46
54
47
#### Repository creation
55
-
56
-
Allowing most users to create only Private or Internal type repositories is a measure often taken.
57
-
It's important to consider your organization's policies and the nature of the projects when deciding on repository creation settings. Striking a balance between encouraging collaboration and managing access to sensitive information is crucial in an InnerSource context. Providing options for members to create repositories, while defining guidelines and permissions, can support innovation and knowledge sharing within the organization.
48
+
Enterprise configuration on repository creation restricts who can create a new repository and with what visibility across the entire enterprise. There is also an organization-level configuration setting that controls repository creation within each organization.
@@ -65,21 +56,23 @@ It's important to consider your organization's policies and the nature of the pr
65
56
| ┣ Private | Members can create private repositories accessible only to invited collaborators. | Encourage team-specific or sensitive projects that require restricted access. |
66
57
| ┗ Internal | Members can create internal repositories visible to organization members. | Foster collaboration and knowledge sharing within the organization while keeping information proprietary. |
67
58
59
+
##### Minimizing accidental public disclosure and enabling quick InnerSource via forking
68
60
Restricting who can make a repository public or adding process around that workflow is an important control to minimize the risk of code being made public that should not be made public.
69
-
70
-
It is worth noting here that some companies may have entirely separate Github instances for different combinations of public facing code, private code collaboration with external partners, internal code collaboration across the entire company, or code collaboration within a subset of the company. In the situation where a company has one GitHub instance for internal code and one or more organizations on the public-facing github.com for open-source, they might turn off the ability to create any repositories under public visibility in the GitHub Enterprise instance specifically for internal code. This has the additional benefit of making it less risky to let repository owners change their repository visibility themselves and less risky to enable repository forking.
61
+
Allowing most users to create only Private or Internal visibility repositories is a measure sometimes taken for this reason. Sometimes creation of public facing repositories is limited to a group of admins. Other times public-facing code and internal code development is done on entirely separate GitHub Instances. In the situation where a company has one GitHub instance for internal code and one or more organizations on the public-facing github.com for open-source, they might turn off the ability to create any repositories under public visibility in the GitHub Enterprise instance specifically for internal code. This has the additional benefit of making it less risky to let repository owners change their repository visibility themselves and less risky to enable repository forking.
71
62
72
63
**Having different GitHub instances for public-facing and internal code can reduce risk of accidental disclosures.**
73
64
74
65
Some companies also have add-on systems that handle repository creation. This can be useful if an enterprise wnats to capture additional information from repository creators at time of repository creation, programmatically inject standard files or create metadata in other IT systems at the same time.
75
66
67
+
It's important to consider your organization's policies and the nature of the projects when deciding on repository creation settings. Striking a balance between encouraging collaboration and managing access to sensitive information is crucial in an InnerSource context. Providing options for members to create repositories, while defining guidelines and permissions, can support innovation and knowledge sharing within the organization.
68
+
76
69
#### Repository forking (Private / Internal)
77
70
78
71
The decision to allow or restrict repository forking depends on your organization's policies and the level of control and security required for your codebase. Enabling forking generally promotes collaboration, allows for experimentation, and encourages the InnerSource principles of sharing and contribution. However, it's important to assess the risks and consider any regulatory or compliance requirements before allowing forking in private and internal repositories.
| No Policy |Organizations choose whether to allow private and internal repositories to be forked. | Provide flexibility for forking private and internal repositories based on project needs. This allows teams to collaborate and contribute to codebases while maintaining control over access and security. |
75
+
| No Policy |If no policy set at Enteprise-level, then organizations choose whether to allow private and internal repositories to be forked. | Provide flexibility for forking private and internal repositories based on project needs. This allows teams to collaborate and contribute to codebases while maintaining control over access and security. |
83
76
| Enabled | Organizations always allow private and internal repositories to be forked. | Encourage forking of private and internal repositories to promote collaboration and foster a culture of contribution. Forking enables individuals or teams to make modifications and propose changes without directly impacting the original codebase. |
84
77
| Disabled | Organizations never allow private or internal repositories to be forked. | In an InnerSource context, it is recommended to enable forking to encourage collaboration, knowledge sharing, and innovation. Forking allows individuals or teams to experiment, improve, and contribute without directly modifying the original codebase. |
85
78
@@ -88,6 +81,14 @@ The decision to allow or restrict repository forking depends on your organizatio
88
81
### Member privileges
89
82
90
83
#### Base permissions
84
+
The difference between base permissions at organization level vs. enterprise level described above on this page is there is no longer a "No Policy" option.
85
+
86
+
| Repository Permission | Description |
87
+
| --- | --- |
88
+
| No Permission | Selecting this means organization membership gives users no permissions to read, write, or admin any repositories in the organization. If not compared with other methods of extending permissions, especially read permissions, this will result in making the organization's repositories hard to discovery, find, or collaborate. |
89
+
| Read | All organization members can view the repository's contents, promoting transparency and allowing employees to learn from each other's work. |
90
+
| Write | All organization members will have the "Write" permission. They will able to make commit contributions to the repositories and approve pull requests. |
91
+
| Admin | All organization members will have "Admin" permissions to all repositories in the organization, including clone, pull, and add new collaborators. |
91
92
92
93
At the Organization Level, you can further refine repository permissions within specific organizations. This allows you to tailor access control to each organization's unique requirements. Some recommended practices for repository permission settings at the Organization Level include:
93
94
@@ -96,6 +97,18 @@ At the Organization Level, you can further refine repository permissions within
96
97
- Granting write access to individuals or teams actively participating in InnerSource projects, who have demonstrated the necessary skills and knowledge.
97
98
- Designating a select group with admin permissions responsible for managing repositories, overseeing InnerSource initiatives, and maintaining repository settings.
98
99
100
+
##### Enabling wide and narrow sharing from a single organization using base permissions in combination with other configuration
101
+
If you want to enable both wide and narrow sharing within a single organization, then the base permissions setting of "No Permission" combined with two other configurations might be preferrable.
102
+
In situations where it is important to have a single organization be able to hold all of the following:
103
+
- Repositories shared to anyone in the enterprise
104
+
- Repositories shared to anyone in the organization but not anyone in the enterprise
105
+
- Repositories shared only to a more limited subset of users
106
+
107
+
... Then 3 settings should be combined:
108
+
1. "No Permissions" should be selected for the base repository permissions for an organization.
109
+
2. Ensure repositories can opt into sharing with everyone in the enterprise by giving repository owners the permission to pick "internal visibility" upon creation at a later date. This is normally available by default, but it can be disabled at the organization or enterprise level. Optionally, there is an organizational policy to set "internal visibility" as the default visibility. Default means repository owners can select to have the repository be private but internal is the pre-checked selection.
110
+
3. To ensure it is low friction for all organization members to have READ access for most repositories in the organization, set up a GitHub team that mirrors that organization's membership. Repository owners that want to share READ permissions to their repository with any member of the organization, can add that team to their repository.
111
+
99
112
#### Repository creation
100
113
101
114
When configuring repository creation settings at the Organization Level, it's essential to align them with your organization's goals, policies, and security requirements. Allowing members to create repositories with specific types (public, private, internal) provides flexibility and promotes InnerSource practices.
@@ -112,6 +125,10 @@ When making a decision about forking from private and internal repositories for
112
125
| Project Scope and Collaboration Scope | Determine the scope of the InnerSource project and the desired collaboration boundaries. If the project involves cross-functional teams or collaboration with external contributors, allowing forking from private and internal repositories may promote broader engagement and involvement. |
113
126
| Internal Policies and Compliance | Consider any internal policies, regulations, or compliance requirements that may impact the decision to allow forking from private and internal repositories. Ensure that the practice aligns with your organization's guidelines and legal obligations. |
0 commit comments