ministryofjustice / operations-engineering

This repository is home to the Operations Engineering's tools and utilities for managing, monitoring, and optimising software development processes at the Ministry of Justice. This repository is defined and managed in Terraform.
https://user-guide.operations-engineering.service.justice.gov.uk/
MIT License

Investigate granular role permissions on GH #396

Closed Nimphal closed 1 year ago

Nimphal commented 2 years ago

GH recently introduced the ability to create roles on repositories and add granular permissions to them. We should investigate what that offers, maybe create some for ourselves and then communicate to the wider community if we think it's worth it and have recommendations.

NickWalt01 commented 2 years ago

GitHub organisation repo roles info: https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization and Enterprise: https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-repository-roles-for-an-organization and https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository

NickWalt01 commented 2 years ago

API to check team permissions: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository

API to update team permissions: https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions

Custom Repo roles: https://docs.github.com/en/rest/reference/orgs#list-custom-repository-roles-in-an-organization

NickWalt01 commented 2 years ago
  1. What are the custom roles that we have?
  2. Who is using them?
  3. Of the who that are using them, how many have an inherited team role that supersedes a custom role?
  4. Do we have any users with no roles? Is that even possible?

NickWalt01 commented 2 years ago

Can do an HTTP PUT to the REST GH API and set the custom role for a user: "A custom repository role, if the owning organisation has defined any."

NickWalt01 commented 2 years ago

Get the custom roles within the organisation:

```
curl \
  -H "Authorization: bearer PAT" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/organizations/2203574/custom_roles
```

response:

```
{
  "total_count": 0,
  "custom_roles": []
}
```

NickWalt01 commented 2 years ago

This returns data for each repo a team has access to:

```
curl \
  -H "Authorization: bearer PAT" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/organizations/2203574/team/4336307/repos
```

Where 2203574 is the MoJ id and 4336307 is a MoJ team.

Returns a lot of data, but this is the relevant part:

```
"permissions": {
  "admin": false,
  "maintain": false,
  "push": true,
  "triage": true,
  "pull": true
},
"role_name": "write"
```

These are the permissions a team gives its users to a repo.

NickWalt01 commented 2 years ago

The roles for an organization repository are:

- Read: Recommended for non-code contributors who want to view or discuss your project
- Triage: Recommended for contributors who need to proactively manage issues and pull requests without write access
- Write: Recommended for contributors who actively push to your project
- Maintain: Recommended for project managers who need to manage the repository without access to sensitive or destructive actions
- Admin: Recommended for people who need full access to the project, including sensitive and destructive actions like managing security or deleting a repository

NickWalt01 commented 2 years ago

This API can get a user's permissions and role per repo they are a member of:

```
curl \
  -H "Authorization: bearer PAT" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/ministryofjustice/operations-engineering/collaborators/nickwalt01/permission
```

Returns

```
{
  "permission": "admin",
  "user": {
    "login": "NickWalt01",
    ...
    "permissions": {
      "admin": true,
      "maintain": true,
      "push": true,
      "triage": true,
      "pull": true
    },
    "role_name": "admin"
  },
  "role_name": "admin"
}
```
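A small script, added here and not part of operations-engineering, that turns the "permissions" objects these API calls return into ranked roles and answers question 3 above (which direct grants a team role already equals or exceeds). The team, member and grant data are constructed samples in the shape of the responses quoted in this thread; the team-membership mapping is an assumed input.

```python
"""Rank GitHub repository roles and flag direct grants a team grant already covers.
Added example for this thread, not ministryofjustice/operations-engineering code.
The sample data is constructed in the shape of the API responses quoted above."""

# GitHub's standard repository roles, least to most privileged.
ROLE_ORDER = ["read", "triage", "write", "maintain", "admin"]
# Flags in an API "permissions" object, strongest first, and the role each implies
# (the API calls read access "pull" and write access "push").
FLAG_TO_ROLE = [("admin", "admin"), ("maintain", "maintain"), ("push", "write"),
                ("triage", "triage"), ("pull", "read")]

# Constructed sample input (assumed shape): team -> repo -> permissions object from
# the team repos call, team -> members, and (user, repo) -> direct collaborator grant.
TEAM_REPO_GRANTS = {"check-my-diary": {"operations-engineering": {
    "admin": False, "maintain": False, "push": True, "triage": True, "pull": True}}}
TEAM_MEMBERS = {"check-my-diary": ["alice", "bob"]}
DIRECT_GRANTS = {
    ("alice", "operations-engineering"): {"admin": False, "maintain": False,
                                          "push": True, "triage": True, "pull": True},
    ("bob", "operations-engineering"): {"admin": True, "maintain": True,
                                        "push": True, "triage": True, "pull": True},
}

def role_from_permissions(perms):
    """Highest standard role implied by a permissions object, or 'none'."""
    return next((role for flag, role in FLAG_TO_ROLE if perms.get(flag)), "none")

def rank(role):
    """Position in ROLE_ORDER; -1 for 'none' or a custom role name we cannot rank."""
    return ROLE_ORDER.index(role) if role in ROLE_ORDER else -1

def team_roles_for(user, repo, grants=TEAM_REPO_GRANTS, members=TEAM_MEMBERS):
    """Roles the user inherits on repo through team membership: {team: role}."""
    return {team: role_from_permissions(repos[repo]) for team, repos in grants.items()
            if user in members.get(team, []) and repo in repos}

def effective_role(user, repo, direct=DIRECT_GRANTS):
    """Strongest of the direct grant and every inherited team role."""
    roles = list(team_roles_for(user, repo).values())
    if (user, repo) in direct:
        roles.append(role_from_permissions(direct[(user, repo)]))
    return max(roles, key=rank, default="none")

def redundant_direct_grants(direct=DIRECT_GRANTS):
    """Direct grants that some team role already equals or exceeds (question 3)."""
    return [(user, repo, mine, team, inherited)
            for (user, repo), perms in direct.items()
            for mine in [role_from_permissions(perms)]
            for team, inherited in team_roles_for(user, repo).items()
            if rank(inherited) >= rank(mine) >= 0]
```

Custom role names fall outside ROLE_ORDER and rank as -1, so they are never reported as redundant and must be compared by hand against the base role they extend.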

NickWalt01 commented 2 years ago

The possible repository permissions are admin, write, read, and none.

NickWalt01 commented 2 years ago

The organisation Base permissions setting defaults to "No permission": "Members will only be able to clone and pull public and internal repositories. To give a member additional access, you'll need to add them to teams or make them collaborators on individual repositories."

NickWalt01 commented 2 years ago

Teams can then set their own permissions: https://github.com/orgs/ministryofjustice/teams/check-my-diary/repositories

NickWalt01 commented 2 years ago

Repos can manage the teams and outside collaborators permissions: https://github.com/ministryofjustice/hmpps-prisoner-communication-monitoring-api/settings/access

NickWalt01 commented 1 year ago

New option to bypass branch protection via a custom role: https://github.blog/changelog/2022-08-18-bypass-branch-protections-with-a-new-permission/

AntonyBishop commented 1 year ago

Aged-out