Closed Nimphal closed 1 year ago
GitHub organisation repo roles info: https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization and Enterprise: https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-repository-roles-for-an-organization and https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository
API to check team permissions: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository
API to update team permissions: https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions
Custom Repo roles: https://docs.github.com/en/rest/reference/orgs#list-custom-repository-roles-in-an-organization
Can do an HTTP PUT to the GitHub REST API and set the custom role for a user: "A custom repository role, if the owning organisation has defined any."
Get the custom roles within the organisation:

```shell
curl \
  -H "Authorization: bearer PAT" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/organizations/2203574/custom_roles
```

Response:

```json
{
  "total_count": 0,
  "custom_roles": []
}
```
This returns data for each repo a team has access to:

```shell
curl \
  -H "Authorization: bearer PAT" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/organizations/2203574/team/4336307/repos
```

Where 2203574 is the MoJ organisation id and 4336307 is a MoJ team id.

Returns a lot of data, but this is the relevant part:

```json
"permissions": {
  "admin": false,
  "maintain": false,
  "push": true,
  "triage": true,
  "pull": true
},
"role_name": "write"
```
These are the permissions a team gives its users to a repo.

The roles for an organization repository are:

- Read: Recommended for non-code contributors who want to view or discuss your project
- Triage: Recommended for contributors who need to proactively manage issues and pull requests without write access
- Write: Recommended for contributors who actively push to your project
- Maintain: Recommended for project managers who need to manage the repository without access to sensitive or destructive actions
- Admin: Recommended for people who need full access to the project, including sensitive and destructive actions like managing security or deleting a repository
This API can get a user's permissions and role per repo they are a member of:

```shell
curl \
  -H "Authorization: bearer PAT" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/ministryofjustice/operations-engineering/collaborators/nickwalt01/permission
```

Returns:

```json
{
  "permission": "admin",
  "user": {
    "login": "NickWalt01",
    ...
    "permissions": {
      "admin": true,
      "maintain": true,
      "push": true,
      "triage": true,
      "pull": true
    },
    "role_name": "admin"
  },
  "role_name": "admin"
}
```
The possible repository permissions are admin, write, read, and none.
The organisation Base permissions setting defaults to "No permission": "Members will only be able to clone and pull public and internal repositories. To give a member additional access, you'll need to add them to teams or make them collaborators on individual repositories."
Teams can then set their own permissions: https://github.com/orgs/ministryofjustice/teams/check-my-diary/repositories
Repos can manage the teams and outside collaborators permissions: https://github.com/ministryofjustice/hmpps-prisoner-communication-monitoring-api/settings/access
New option to bypass branch protection via a custom role: https://github.blog/changelog/2022-08-18-bypass-branch-protections-with-a-new-permission/
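A worked audit over the API payload shapes quoted in the notes above, as an added example that is not part of the original issue or of the MoJ operations-engineering tooling. It derives the effective role from the boolean `permissions` object (rather than trusting `role_name`, which becomes a custom role's name when one is assigned), rejects malformed payloads where the flags are not monotonic, and lists the repos where a team holds a role at or above a chosen threshold. The sample payloads, the `example-org` repo names and `example-user` are constructed placeholders; `fetch_json` reproduces the headers from the curl commands but is not called, so the example runs offline.

```python
"""Audit GitHub repository access from the REST API payloads shown in the notes.

Added example, not code from the original issue or from the
operations-engineering repo. It works on the JSON shapes returned by
GET /organizations/{org_id}/team/{team_id}/repos and
GET /repos/{owner}/{repo}/collaborators/{username}/permission. The sample
payloads below are constructed; the org, repo and user names are placeholders.
"""
import json
import urllib.request

# GitHub repository roles, lowest to highest. The permissions object uses
# "pull" for read and "push" for write; role_name uses "read" and "write".
ROLE_RANK = {"none": 0, "read": 1, "triage": 2, "write": 3, "maintain": 4, "admin": 5}
# Permission flag -> base role it corresponds to, highest first.
FLAG_TO_ROLE = [("admin", "admin"), ("maintain", "maintain"),
                ("push", "write"), ("triage", "triage"), ("pull", "read")]


def effective_role(permissions):
    """Derive the effective base role from the boolean permissions object.

    Every base role includes the permissions of the roles below it, so the
    flags must be monotonic (admin implies maintain implies push ...). A gap
    such as push=True with triage=False is a malformed payload and is rejected
    rather than silently mapped to a role.
    """
    flags = [bool(permissions.get(flag, False)) for flag, _ in FLAG_TO_ROLE]
    seen_true = False
    for flag in flags:
        if seen_true and not flag:
            raise ValueError(f"non-monotonic permissions object: {permissions}")
        seen_true = seen_true or flag
    for (_, role), flag in zip(FLAG_TO_ROLE, flags):
        if flag:
            return role
    return "none"


def repos_at_or_above(team_repos, threshold):
    """Return (full_name, effective_role, reported_role_name) for every repo in a
    team's repo listing whose access is at or above `threshold`.

    The decision uses the permissions booleans, not role_name: role_name is a
    custom role's name when one is assigned, so it cannot be compared against
    the base-role ladder directly. It is returned alongside for the report.
    """
    min_rank = ROLE_RANK[threshold]
    findings = []
    for repo in team_repos:
        role = effective_role(repo.get("permissions", {}))
        if ROLE_RANK[role] >= min_rank:
            findings.append((repo["full_name"], role, repo.get("role_name", role)))
    return findings


def collaborator_role(payload):
    """Effective role of one collaborator from the /permission endpoint,
    cross-checked against the top-level role_name the API reports."""
    role = effective_role(payload["user"]["permissions"])
    reported = payload.get("role_name")
    if reported in ROLE_RANK and reported != role:
        raise ValueError(f"role_name {reported!r} disagrees with permissions ({role})")
    return role


def fetch_json(url, token):
    """GET a GitHub REST endpoint with the headers used in the curl commands above.

    Not called in this example (it runs offline). List endpoints are paginated:
    add ?per_page=100 and follow the Link header when auditing a real team.
    """
    req = urllib.request.Request(url, headers={
        "Authorization": f"bearer {token}",
        "Accept": "application/vnd.github.v3+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample payloads mirroring the shapes quoted in the notes.
SAMPLE_TEAM_REPOS = [
    {"full_name": "example-org/service-api", "role_name": "write",
     "permissions": {"admin": False, "maintain": False, "push": True, "triage": True, "pull": True}},
    {"full_name": "example-org/infra", "role_name": "admin",
     "permissions": {"admin": True, "maintain": True, "push": True, "triage": True, "pull": True}},
    {"full_name": "example-org/docs", "role_name": "read",
     "permissions": {"admin": False, "maintain": False, "push": False, "triage": False, "pull": True}},
]
SAMPLE_COLLABORATOR = {
    "permission": "admin", "role_name": "admin",
    "user": {"login": "example-user", "role_name": "admin",
             "permissions": {"admin": True, "maintain": True, "push": True, "triage": True, "pull": True}},
}

if __name__ == "__main__":
    for name, role, reported in repos_at_or_above(SAMPLE_TEAM_REPOS, "write"):
        print(f"{name}: {role} (role_name={reported})")
    print("collaborator:", collaborator_role(SAMPLE_COLLABORATOR))
```

Run against a real team by passing the output of `fetch_json(".../organizations/ORG_ID/team/TEAM_ID/repos?per_page=100", token)` to `repos_at_or_above`; a threshold of `"maintain"` or `"admin"` gives the shortlist worth reviewing first.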
Aged-out
GH recently introduced the ability to create roles on repositories and add granular permissions to them. We should investigate what that offers, maybe create some for ourselves and then communicate to the wider community if we think it's worth it and have recommendations.