From 53fd5ba1cd438d0f24a965e62c169e7a962b80af Mon Sep 17 00:00:00 2001 From: LouPritch <94551508+LouPritch@users.noreply.github.com> Date: Tue, 13 Dec 2022 17:11:47 +0000 Subject: [PATCH] Update security-repository.md The guidance around Teams setup is incorrect. - Child teams cannot have their visibility set to secret. - CODEOWNERS file will not work with secret teams. --- practices/security-repository.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/practices/security-repository.md b/practices/security-repository.md index 0847e735..0f2b3005 100644 --- a/practices/security-repository.md +++ b/practices/security-repository.md @@ -38,8 +38,8 @@ This guide lays out security best practice for Github repositories. This set of Because of baseline visibility configurations, you must setup Github teams in order to provide team members access to repos. The minimum recommended setup is as follows: - Create one team with the name of your programme (e.g. `Engineering Quality Framework`). Add all required members to this team. -- Create one child team within the team, for admins only (e.g. `Engineering Quality Framework Admins`). Add admins only to this team. Set the visibility of the team to `Secret`. -- Create a second child team, for code owners (e.g. `Engineering Quality Framework Code Owners`). Add relevant members to this team, and reference in the CODEOWNERS file (example [here](https://github.com/NHSDigital/software-engineering-quality-framework/blob/master/.github/CODEOWNERS)). Set the visibility of the team to `Secret`. +- Create another team, for admins only (e.g. `Engineering Quality Framework Admins`). Add admins only to this team. Set the visibility of the team to `Secret`. +- Create another team, for code owners (e.g. `Engineering Quality Framework Code Owners`). Set the parent of this team to be your programme team. Add relevant members to this team, and reference in the CODEOWNERS file (example [here](https://github.com/NHSDigital/software-engineering-quality-framework/blob/master/.github/CODEOWNERS)). - For each repo in your programme (e.g. `software-engineering-quality-framework`), under the `Manage Access` option in `Settings`, set the general team to have `Write` access and the admins team to have `Admin` access. Depending on your use case, you may want to create additional teams (e.g. a read-only access team, or different teams granting access to different projects). This is welcomed by the framework, as long as the teams provide clarity on the role they encompass, remain consistent and are applied consistently to your repos.