
Background

In recent years, GitHub created a new “visibility” level for repositories in an organization: internal [1]. This is in addition to private and public. However, internal visibility applies to everyone in the enterprise (the level above an organization), not just to organization members.

This means that any full member of the Tufts University enterprise (staff, students, faculty, etc.) has read access to any repository set to internal, even if they are not a member of the organization where the repository is located.

Please see the sections below for more details on how and when this applies, to whom, and what the alternatives are.

More Details

The GitHub documentation [2] points out this distinction for internal:

Enterprise members:
* Can access all repositories with "internal" visibility across any organization in the enterprise.

In addition, whenever a repository is created, the prompt for selecting the visibility level of the new repository includes a description that mentions this detail.

Does This Apply to “outside collaborators” As Well?

As far as we can tell, the answer is “no”: outside collaborators should not be able to access any internal repositories by default, because they do not get permissions to the organization itself, only to individual repositories. The GitHub documentation for collaborators [3] gives a few reasons for this, such as:

Outside collaborators cannot be added to a team, team membership is restricted to members of the organization.

and they must be added to each individual repository in order to have permissions there:

You can give outside collaborators access to a repository in your repository settings

This is further reinforced in the documentation regarding internal repositories [4]:

All enterprise members have read permissions to the internal repository, but internal repositories are not visible to people outside of the enterprise, including outside collaborators on organization repositories.
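The default read rules described in the sections above can be checked against an organization's repository list. The following is an added example, not code from the original page or from GitHub; the organization name, logins and the `grants` field are constructed for illustration, and `fetch_org_repos` assumes the GitHub REST endpoint `GET /orgs/{org}/repos`, whose items carry a `visibility` field.

```python
import json
import urllib.request

# Constructed sample, shaped like items from GET /orgs/{org}/repos.
SAMPLE_REPOS = [
    {"full_name": "example-org/course-site", "visibility": "public"},
    {"full_name": "example-org/grading-scripts", "visibility": "internal"},
    {"full_name": "example-org/lab-data", "visibility": "private"},
]
# Constructed accounts; "grants" (hypothetical field) lists repositories the
# account was added to directly. Neither account is a member of example-org.
SAMPLE_PEOPLE = [
    {"login": "student-a", "enterprise_member": True, "grants": []},
    {"login": "partner-b", "enterprise_member": False, "grants": ["example-org/lab-data"]},
]


def fetch_org_repos(org, token):
    """Page through an organization's repositories via the GitHub REST API."""
    repos, page = [], 1
    while True:
        url = f"https://api.github.com/orgs/{org}/repos?type=all&per_page=100&page={page}"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return repos
        repos.extend(batch)
        page += 1


def can_read(person, repo):
    """Default read access under the visibility rules described above."""
    if repo["visibility"] == "public":
        return True
    if repo["full_name"] in person["grants"]:
        return True  # added to this repository directly
    # Internal: every enterprise member, whether or not they belong to the
    # organization; outside collaborators (not enterprise members) are excluded.
    return repo["visibility"] == "internal" and person["enterprise_member"]


def exposure_report(repos, people):
    """Map each internal repository to accounts that can read it without a grant."""
    return {
        r["full_name"]: sorted(p["login"] for p in people
                               if can_read(p, r) and r["full_name"] not in p["grants"])
        for r in repos if r["visibility"] == "internal"
    }


if __name__ == "__main__":
    for name, readers in exposure_report(SAMPLE_REPOS, SAMPLE_PEOPLE).items():
        print(f"{name}: readable without a grant by {', '.join(readers) or 'nobody'}")
```

To audit a real organization, pass the result of `fetch_org_repos` (called with a token that can list the organization's repositories) to `exposure_report` in place of `SAMPLE_REPOS`.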

Alternatives

Repository visibility:

  • public: no issue here because anyone and everyone will have access anyway

  • private: only the repository admins and enterprise admins will have access to the repository (see additional note about using GitHub teams for permissions)

Outside Collaborator:

  • If someone is not a member of the Tufts Enterprise (such as an external research collaborator), you can add them as an outside collaborator to the specific repositories they need to access

Using GitHub Teams To Provide Additional Access:

Use an Organization Outside of the Enterprise

  • While this is technically possible, there are serious downsides, such as:

    • Losing access to all billing and other benefits of being part of the enterprise

    • The drawbacks of a separate organization as outlined in: Notes On Github Organizations

References

1: https://github.blog/news-insights/product-news/internal-repositories-are-now-generally-available-for-github-enterprise/

2: https://docs.github.com/en/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/roles-in-an-enterprise#enterprise-members

3: https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-outside-collaborators/adding-outside-collaborators-to-repositories-in-your-organization

4: https://docs.github.com/en/enterprise-cloud@latest/repositories/creating-and-managing-repositories/about-repositories#about-internal-repositories
