You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: tooling/github-configuration.md
+34-7Lines changed: 34 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -16,21 +16,40 @@
16
16
17
17
## Enterprise Setting
18
18
19
-
### Repository policies
19
+
#### Layering Source Control Management Configurations
20
+
In GitHub, configuration can be set at different levels. In general, configuration set at the enterprise level will overrule or constrain organizational configuration which will do the same for repository level configuration.
21
+
Sometimes a configuration settings disables options at lower levels. Other times a configuration setting at the enterprise or organization level only sets the default option that is prechecked. It can be changed by a user who takes an additional action at the repository level. Due the overlapping nature of the policies, it is important to pick the right layer to apply a configuration.
22
+
In general, use caution when picking configuration settings at the enterprise or organization level that restrict reasonable choies at the repository level. Nudging with defaults can be better than disabling options enterirely.
23
+
If you have repositories that must be extremely tightly controlled, consider mandating that type of repository go into special organizations set up for those constraints instead of trying to apply those constrains on all enterprise code.
24
+
25
+
### Repository policies set an Organization Level
20
26
21
27
#### Base permissions
22
28
23
-
Base permissions are permissions that are applied to an organization’s repositories give to all members, excluding outside collaborators. Since organization members can have permissions from multiple sources, members and collaborators who have been granted a higher level of access than the base permissions will retain their higher permission privileges. When setting up the base repository permissions to promote InnerSource within your organization on GitHub, it's important to strike a balance between transparency, collaboration, and respecting constraints and limitations. Here are some best practices for setting up repository permissions:
29
+
[Base permissions](https://docs.github.com/en/organizations/managing-organization-settings/managing-base-permissions-for-projects) are permissions that are applied to all of an organization’s repositories from the organization level. They are given to all members of the organization, excluding outside collaborators. Since organization members can have permissions from multiple sources, members and collaborators who have been granted a higher level of access than the base permissions will retain their higher permission privileges. When setting up the base repository permissions to promote InnerSource within your organization on GitHub, it's important to strike a balance between transparency, collaboration, and respecting constraints and limitations. Here are some best practices for setting up repository permissions:
24
30
25
31
| Repository Permission | Description |
26
32
| --- | --- |
27
-
| No Policy | Inherit permissions from the organization or parent repository. Provides flexibility for projects with unique permission needs. |
28
-
| No Permission | Not recommended if any of the repositories in that org might benefit from collaboration. Completely restricts access to the repository, hindering collaboration and knowledge sharing. Repository access requires finding and talking to org owners. The exception is if there is another GitHub team created that automatically includes all members of the organization. In that case, repository owners can optionally add that team for READ access to their repository, which enables both easy visiblity to all members of an organization to any repository that selects for that but still allows for the possibility of a repository under that organization that can only be seen by a few people. |
33
+
| No Permission | Selecting this means organization membership gives users no permissions to read, write, or admin any repositories in the organization. If not compared with other methods of extending permissions, especially read permissions, this will result in making the organization's repositories hard to discovery, find, or collaborate. |
29
34
| Read | All organization members can view the repository's contents, promoting transparency and allowing employees to learn from each other's work. |
30
-
| Write | Specific individuals or teams with the "Write" permission can make contributions to the repository. Grant to active InnerSource participants with relevant skills. |
31
-
| Admin | Limited to a select group responsible for managing the repository and overseeing InnerSource initiatives. Handles repository configuration and review processes. |
35
+
| Write | All organization members will have the "Write" permission. They will able to make commit contributions to the repositories and approve pull requests. |
36
+
| Admin | All organization members will have "Admin" permissions to all repositories in the organization, including clone, pull, and add new collaborators. |
37
+
38
+
"No Permission" or "READ" are common options to choose. Selecting "Read" gives every member of the organization read permissions to EVERY repositories in the organization, even if the repositories visibility is set to private. Many times this is fine and the preferrable option.
39
+
40
+
##### Enabling wide and narrow sharing from a single organization.
41
+
If you want to enable both wide and narrow sharing within a single organization, then the base permissions setting of "No Permission" combined with two other configurations might be preferrable.
42
+
43
+
In situations where it is important to have a single organization be able to hold:
44
+
- Repositories shared to anyone in the enterprise
45
+
- Repositories shared to anyone in the organization
46
+
- Repositories shared to a more limited subset of users
47
+
48
+
... Then 3 settings should be combined:
49
+
1. "No Permissions" should be selected for the base repository permissions for an organization.
50
+
2. Ensure repositories can opt into sharing with everyone in the enterprise by giving repository owners the permission to pick "internal visibility" upon creation at a later date. This is normally available by default, but it can be disabled at the organization or enterprise level. Optionally, there is an organizational policy to set "internal visibility" as the default visibility. Default means repository owners can select to have the repository be private but internal is the pre-checked selection.
51
+
3. To ensure it is low friction for all organization members to have READ access for most repositories in the organization, set up a GitHub team that mirrors that organization's membership. Repository owners that want to share READ permissions to their repository with any member of the organization, can add that team to their repository.
32
52
33
-
It is better to choose No Policy and let the user choose, but it can also a good idea to consciously choose Read permissions if it is easy for developers to create repositories another organization when they need more privacy.
34
53
35
54
#### Repository creation
36
55
@@ -46,6 +65,14 @@ It's important to consider your organization's policies and the nature of the pr
46
65
| ┣ Private | Members can create private repositories accessible only to invited collaborators. | Encourage team-specific or sensitive projects that require restricted access. |
47
66
| ┗ Internal | Members can create internal repositories visible to organization members. | Foster collaboration and knowledge sharing within the organization while keeping information proprietary. |
48
67
68
+
Restricting who can make a repository public or adding process around that workflow is an important control to minimize the risk of code being made public that should not be made public.
69
+
70
+
It is worth noting here that some companies may have entirely separate Github instances for different combinations of public facing code, private code collaboration with external partners, internal code collaboration across the entire company, or code collaboration within a subset of the company. In the situation where a company has one GitHub instance for internal code and one or more organizations on the public-facing github.com for open-source, they might turn off the ability to create any repositories under public visibility in the GitHub Enterprise instance specifically for internal code. This has the additional benefit of making it less risky to let repository owners change their repository visibility themselves and less risky to enable repository forking.
71
+
72
+
**Having different GitHub instances for public-facing and internal code can reduce risk of accidental disclosures.**
73
+
74
+
Some companies also have add-on systems that handle repository creation. This can be useful if an enterprise wnats to capture additional information from repository creators at time of repository creation, programmatically inject standard files or create metadata in other IT systems at the same time.
75
+
49
76
#### Repository forking (Private / Internal)
50
77
51
78
The decision to allow or restrict repository forking depends on your organization's policies and the level of control and security required for your codebase. Enabling forking generally promotes collaboration, allows for experimentation, and encourages the InnerSource principles of sharing and contribution. However, it's important to assess the risks and consider any regulatory or compliance requirements before allowing forking in private and internal repositories.
0 commit comments