We have quite a few repositories in our organization, and we are constantly adding more. We also have a few different teams - Superusers, Developers, Contractors, etc. I want every newly created repository to automatically assume default permissions, like Superusers get automatic admin access to the repo, Contractors group gets just read access, etc. Is it possible to set that up? Is there a setting somewhere that I missed? And if there's not a way to do that, is there a way to batch apply a permission for one group to all repos within an account?
Update June 2017: with nested teams, you now can associate permissions to sub-teams, which could help group of users to have the correct right regarding a repo part of the organization.
Original answer (Apr. 2016)
Is it possible to set that up?
I did not see a way through the native GitHub web GUI administration pages.
And "permission" is deprecated when creating a team.
What you could consider though is a webhook listening for a an event, like a repository event.
That script listening to the event could then use the Team API to update the permission of the teams (according to their names) for the newly created repo.
Related
I am using Github Enterprise and would like to give other teams access to my repository.
However I don't want those teams to see the repository content, I want them to be able to see ONLY a specific file or a subdirectory (and its content).
Is that possible ?
You'll find documentation on access permissions here. The access permission model is different for repositories owned by user accounts versus those owned by organization accounts. However, in neither of those models is there a provision for providing read access to only a part of a repository. Read permission grants read access to the entire repository.
There are probably a number of creative ways to achieve the effect you're after. One would be to set up an automated process that clones your first repository, copies the files or subdirectory of interest to a second local repository, and then pushes any changes in that second repository back to GitHub Enterprise. You'd provide your other teams read access to that second repository, but not the first.
In GitHub or GitLab, to invite a collaborator, the administrator usually asks the collaborator's email.
Instead, how can the administrator allow anyone to request access through clicking a button on the GitHub / GitLab website?
I remember this was possible on at least one of these websites.
In GitLab, you can click on request access:
An email is sent to the most recently active project maintainers. Up to ten project maintainers are notified. Any project maintainer can approve or decline the request.
If a project does not have any maintainers, the notification is sent to the most recently active owners of the project’s group.
If you change your mind before your request is approved, select Withdraw Access Request
The OP Dean adds in the comments:
The maintainer can enable this by making the repo public but with visibility restricted to only project members.
With GitLab 15.8 (January 2023), that will trigger:
Create To-Dos for group owners on access request
Previously, access requests to a group appeared only in the Access requests tab in the Group members section.
Now, access requests also appear in the group owner’s To-Do List.
As a group owner, having access requests added directly to your To-Do List can help you manage your tasks more efficiently and add members quicker.
See Documentation and Issue.
And, still with See GitLab 15.8 (January 2023):
Create To-Dos for project owners on access requests
Previously, access requests to a project appeared only in the Access requests tab in the Project members section.
Now, access requests also appear in the project owner’s To-Do List.
As a project owner, having access requests added directly to your To-Do List can help you manage your tasks more efficiently and add members quicker.
See Documentation and Issue.
is there a way to limit new repositories creation for all users except for admins in an organization?
I found this article on Github, but this restricts the repository type. I am looking for a way to prevent users to create any new repository, unless an admin in the same organization approved.
Is it even possible with Github?
You were close to the solution. There is actually a link to another section in the documentation you shared named Enforcing repository management policies in your enterprise account with a specific section Enforcing a policy on creating repositories.
There, you'll see that you can choose whether members can create repositories in your organization.
Here is the step related to it:
Is it possible to limit who can create repositories in a Github organization. From this article: https://help.github.com/en/enterprise/2.14/user/articles/restricting-repository-creation-in-your-organization it seems like the options are basically owners or everyone. Is there a middle ground?
Making someone a Github owner is a serious permission so we really don't want to give that out just so that someone can make a repo. On the other hand allowing everyone in the organization the ability (contractors, non-technical, read-only roles) the permission to make repos seems too broad.
Has anyone come up with a better solution for this?
One workaround would be to setup a webhook.
That means having a listener for a repository event, which does include the owner: If said owner is not part of an admin list, the listener could:
send back an email to the owner of the newly created repostory, explaining that creation has been denied
delete the repository (through the GitHub API)
Is there a way to know which people have merge privileges on a public GitHub repository. If the owner is a user and not an organization, then at least I know one maintainer, but it's possible that there are other users with merge rights. Also, if the owner is an organization it is possible, that not all members of the organization have merge rights. So is there a way to find the exact maintainers?
Team privileges are not public in general. Even an organization-membership is not public since the publicity must be chosen by the given member, as the Documentation states:
,,By default, your organization membership visibility is set to private. You can choose to publicize individual organization memberships on your profile."
This partly applies for their implementation of CODEOWNERS, too. If it is up to date the given source file is annotated with a link to its responsible GitHub user.
However there's normally no need to know the individual maintainers of a repository (since every interaction with repos you're able to access is covered by the GitHub UI, which also assures that somebody takes care about your request). If your attention is about a public repository you might search the commits for accepted pull-request. But in that case you would preferably fork the repo and just generate pull-requests on your own.
You are even not able to contact an organization via GitHub - try to find their official website, contact them and ask for their maintainers if you need that information.
GitHub (since July 2017) now officially supports "code owners" for projects. Code owners are individuals or teams that are responsible for code in a repository.
Project maintainers can add a CODEOWNERS file to their repository to make it easier for others to identify code owners and have code owners be notified to review Issues and Pull Requests.
See the announcement post and help article for more info.
Just go to the team members tab within your repo, on the right it will describe what type of member they are. Ex: member or owner.