GitHub Organization Manager
The GitHub Organization Manager makes it easy to enforce standards across your organization.
GitHub itself has a lot of great tools - Branch Protection, Dependency Vulnerability Scanning, Projects and Labels, Issue Tracking, and so much more. The problem is that it's a serious pain for organizations that have a lot of repositories to make sure that all of their repos are being managed in the same way. Something as simple as ensuring all Pull Requests get reviewed before merging has to be managed on a project by project basis. This can be particularly painful for organizations that have compliance requirements.
The GitHub Organization Manager gets around that by letting you define your standards in one place and enforce them throughout your organization. It allows you to define a default standard that will apply to every repository, or a variety of standards that you can apply to different repositories based on their needs. When a new repository is created these standards will automatically apply, saving admins from dealing with manual setup each time.
Installing
This app can be installed directly on Github. Since this is an open source project self hosting is also an option, although it's a bit trickier.
Once installed you'll need to create a file named organizer.yaml
in the .github
repository in your organization. This file will contain all of the settings you want to have applied to your organization.
Repository Settings
Organizing Repository Settings
The simplest way to get started is to set default rules for all repositories.
repositories:
default:
features:
has_issues: true
has_wiki: false
has_projects: true
has_downloads: true
You can also set repository specific rules. Here we disable the wiki in all repositories except for example_repo
.
repositories:
default:
features:
has_issues: true
has_wiki: false
has_projects: false
has_downloads: false
example_repo:
features:
has_issues: true
has_wiki: true
has_projects: false
has_downloads: false
Of course, putting individual rules for every repository can be rather burdensome. Another option is to define option groups - you can even extend existing option groups (like default
) and make only the changes you need.
In this example we keep the default repository settings but add a new set, production
, which requires code reviews before pull requests get merged into the main branch.
repositories:
default:
features:
has_issues: true
has_wiki: false
has_projects: false
has_downloads: false
production:
extends: default
branches:
main:
enforce_admins: true
required_status_checks:
require_review: true
Assigning Repositories to Settings Groups
This project offers two ways to assign repositories to the non-default group, Repository Topics and Inline Definitions.
Repository Topics let the admins of the repository assign a topic to that repo and pick up the settings based off of that. This means no changes are required to the organization's settings file. The prefix gho-
is added to the topic (turning the production
category into the topic gho-production
) to tell the GitHub Organization Manager which settings to apply to the repository.
Another option is to define the options in the configuration file itself. The benefit of this is that settings are applied via Pull Request, which allows another level of enforcement and auditing. In this example we add ExampleWebsite
and .github
to the production
category. To force people to use the config file it is also possible to disable topic assignment with the top level topics_for_assignment
option (which is enabled by default).
# Optional- topic assignment and inline assignment can work together.
topics_for_assignment: false
repositories:
default:
features:
has_issues: true
has_wiki: false
has_projects: false
has_downloads: false
production:
extends: default
branches:
main:
enforce_admins: true
required_status_checks:
require_review: true
ExampleWebsite: production
.github: production
Configuring Repository Features
Each repository has a variety of GitHub features, such as projects and wikis, that this project can ensure are enabled or disabled.
repositories:
default:
features:
has_issues: true
has_wiki: false
has_projects: true
has_downloads: true
Set Allowed Merge Types
Organizations can enforce specific merge types, preventing people from using the wrong type accidentally.
repositories:
default:
merges:
allow_squash_merge: true
allow_merge_commit: true
allow_rebase_merge: true
Automatically Label Issues
Issues can have labels applied automatically based on their repository. In this case every repository will automatically get labeled as dev
, with two additional repositories (example_repo
and another_repo
) get tagged with dev
and production
, as they inherit the production rules.
repositories:
default:
issues:
auto_label:
- dev
production:
issues:
auto_label:
- dev
- production
example_repo: production
another_repo: production
It's also possible to set this using repository settings.
Assign Issues to Projects
Issues can get assigned to projects automatically, prevent issues from getting lost in the shuffle if someone forgets to assign one on creation. These projects can be either local repository projects or organization level projects.
repositories:
default:
issues:
project_autoassign:
organization: true
name: TestProject
column: To do
Assign Teams and Permissions
Another important use case is adding teams to repositories. This makes it easy to add default teams to all repositories as well as special teams to specific repositories or repository groups.
repositories:
default:
teams:
devs: Push # Pull, Push, Admin
admins: Admin # Pull, Push, Admin
support: Pull # Pull, Push, Admin
production:
teams:
devs: Pull
infra: Push
Set Branch Protection
Branch protection is an important piece of quality control, and can even be part of an organization's compliance program. Branch protection can be set globally, with additional requirements:
repositories:
default:
branches:
main:
enforce_admins: false
required_status_checks:
require_review: true
production:
branches:
main:
enforce_admins: true
required_status_checks:
require_review: true
prod:
enforce_admins: true
required_status_checks:
require_review: true
strict: true
Branch protection has a lot of potential configuration options, including:
- dismiss_stale_reviews: will dismiss reviews if they become stale (such as having a new commits).
- require_code_owner_reviews: will require the code owner (if one is set) to perform a review.
- enforce_admins: will remove the ability for admins to override the protections to force a merge.
- required_approving_review_count: sets a specific number of people required to approve reviews.
In addition the required_status_checks
has a few options of its own -
- strict: requires a pull request to be up to date with the branch before it can be merged.
- context: when empty all tests must pass, otherwise it takes an array individual tests (such
ci/circleci
orcoverage/coveralls
) which must pass. - require_review: when set to true at least one review must occur before a pull request can be merged into the branch.
repositories:
default:
branches:
main:
dismiss_stale_reviews: false
require_code_owner_reviews: false
enforce_admins: false
required_approving_review_count: 5
required_status_checks:
strict: false
Enforce Dependency Security
A fantastic new feature of GitHub is that it can scan your repositories for upstream vulnerabilities, and even make pull requests to resolve them. This feature is opt in, making it easy to forget. This project allows you to set it on the organization level, so you never have to worry about accidentally leaving a repository vulnerable.
repositories:
default:
dependency_security:
alerts: true
automatic_fixes: true
Teams
This function will create teams and keep their members up to date with the list in the configuration file, adding and removing members as needed.
teams:
admins:
members:
- tedivm
devs:
members:
- tedivm
- AliLynne
Labels
Manage Organization Labels
Keeping labels in sync can be a huge chore when an organization has a large number of repositories. This project keeps labels in sync, optionally cleaning up labels which aren't in the organization file.
labels_clean: true
labels:
# Built in labels.
- name: bug
description: "Something isn't working"
color: d73a4a
- name: documentation
description: "Improvements or additions to documentation"
color: 0075ca
- name: duplicate
description: "This issue or pull request already exists"
color: cfd3d7
- name: good first issue
description: "Good for newcomers"
color: 7057ff
- name: enhancement
description: "New feature or request"
color: a2eeef
- name: help wanted
description: "Extra attention is needed"
color: 008672
- name: invalid
description: "This doesn't seem right"
color: e4e669
- name: question
description: "Further information is requested"
color: d876e3
- name: wontfix
description: "This will not be worked on"
color: ffffff
# Teams/Groups
- name: infra
color: db5cb3
- name: dev
color: aaffe0
Automatically Label Repository Issues
A common request is to give all issues in a specific repository labels, without having to define a per-repository set of configurations. This can be done with the repos
setting for the label.
labels:
- name: infra
description: "Infrastructure Team"
color: d73a4a
repos:
- infra-terraform
- infra-puppet
It is also possible to set this using repository settings. Both of these settings will work together.
Enforce and Migrate Default Branches
With the GitHub Organization Manager it is possible to enforce default branches across an organization. It is important to note that this is one of the most intrusive features of this project and should be used with care, as the project will actually branch the existing default branch to create the new one if needed (it will not delete the old branch). This can cause a serious disruption for developers if they are not told about this in advance. However, for organizations that are making a conscious effort to change their default branch names, this can remove a lot of manual work.
In this example we set the default branch to main
repositories:
# All Repositories not assigned to other groups.
default:
issues:
auto_label:
- dev
dependency_security:
alerts: true
automatic_fixes: true
branches:
main:
default: true
enforce_admins: true
required_status_checks:
strict: true
require_review: true
Examples
Simple Example
This example applies the same rules to every repository.
repositories:
# All Repositories not assigned to other groups.
default:
issues:
auto_label:
- dev
dependency_security:
alerts: true
automatic_fixes: true
merges:
allow_squash_merge: false
allow_merge_commit: false
allow_rebase_merge: true
features:
has_issues: true
has_wiki: false
has_projects: false
has_downloads: false
branches:
main:
enforce_admins: true
required_status_checks:
strict: true
require_review: true
labels_clean: true
labels:
# Built in labels.
- name: bug
description: "Something isn't working"
color: d73a4a
- name: documentation
description: "Improvements or additions to documentation"
color: 0075ca
- name: duplicate
description: "This issue or pull request already exists"
color: cfd3d7
- name: good first issue
description: "Good for newcomers"
color: 7057ff
- name: enhancement
description: "New feature or request"
color: a2eeef
- name: help wanted
description: "Extra attention is needed"
color: 008672
- name: invalid
description: "This doesn't seem right"
color: e4e669
- name: question
description: "Further information is requested"
color: d876e3
- name: wontfix
description: "This will not be worked on"
color: ffffff
Full Example
This example has one set of default repository rules, as well as special rules for production repositories and some another rule for websites. The production rules are based off of the default rules, and then the website rules extend those.
teams:
Admins:
members:
- tedivm
Developers:
members:
- tedivm
- AliLynne
Website:
members:
- tedivm
- AliLynne
repositories:
# All Repositories not assigned to other groups.
default:
teams_clean: true
teams:
Admins: admin
Developers: push
issues:
auto_label:
- dev
project_autoassign:
organization: true
name: Primary Planning
column: New Issues and Tasks
dependency_security:
alerts: true
automatic_fixes: true
merges:
allow_squash_merge: false
allow_merge_commit: false
allow_rebase_merge: true
features:
has_issues: true
has_wiki: false
has_projects: false
has_downloads: false
# Any repository specifically assigned to "production".
production:
extends: default
teams_clean: true
teams:
Admins: admin
Developers: pull
issues:
auto_label:
- dev
- prod
project_autoassign:
organization: true
name: Primary Planning
column: New Issues and Tasks
branches:
main:
enforce_admins: true
required_status_checks:
strict: true
require_review: true
# Give the website team access to these repos.
website:
extends: default
teams:
Admins: admin
Website: pull
# Individual repository assignments-
# this can be used instead of using Repository Topics.
.github: production
GithubOrganizer: production
GitConsensusService: production
GitConsensusCLI: production
organizer.gitconsensus.com: website
www.gitconsensus.com: website
labels_clean: true
labels:
# Built in labels.
- name: bug
description: "Something isn't working"
color: d73a4a
- name: documentation
description: "Improvements or additions to documentation"
color: 0075ca
repos:
- organizer.gitconsensus.com
- www.gitconsensus.com
- name: duplicate
description: "This issue or pull request already exists"
color: cfd3d7
- name: good first issue
description: "Good for newcomers"
color: 7057ff
- name: enhancement
description: "New feature or request"
color: a2eeef
- name: help wanted
description: "Extra attention is needed"
color: 008672
- name: invalid
description: "This doesn't seem right"
color: e4e669
- name: question
description: "Further information is requested"
color: d876e3
- name: wontfix
description: "This will not be worked on"
color: ffffff
# Useful labels
- name: security
color: db5cb3
- name: refactor
color: db5cb3
repos:
- test_rep
- name: stability
color: db5cb3
- name: needs discussion
color: "e08155"