En v2 Github Admin Training

GitHub Administration Workshop

Enterprise · Security · Productivity · Collaboration · AI


Objectives

Detail differences between GitHub Enterprise products

Decide which permissions should be applied

Familiarity with enterprise level policies

Explain how security access features work (SSO, SCIM, IP allow lists, etc.)

Understand authentication methods for integration points


Objectives

Understand how licensing works in GitHub Enterprise

Determine proper organization structure and settings

Manage teams and assign permissions to protected resources

Organize repositories in an organization and manage settings

Ability to audit your enterprise account

Introduction to GitHub Actions and related topics


Agenda: Part 1

GitHub Enterprise overview

Platforms

Permission flow

Enterprise administration

Settings walkthrough

GitHub organizations

Overview

Administration and policies

Settings walkthrough
Agenda: Part 2

GitHub repositories

Overview

Repository administration

Branch protection and CODEOWNERS file

Settings walkthrough

Additional topics

API overview and authentication methods

GitHub Actions

GitHub Marketplace
GitHub Enterprise
Overview
Platforms

Permissions flow

Enterprise administration
Platforms

GitHub Enterprise Cloud and GitHub Enterprise Server, linked by GitHub Connect:

                        Cloud   Server
  SaaS                    x
  Self-hosted                     x
  OSS (public repos)      x
  Private                 x       x
  Private with EMU        x
  HA capable                      x
  Data Residency *        x
GitHub Enterprise Cloud
  Software as a Service (SaaS) offering
  Security and policy features
  Fast onboarding of new collaborators
  Reduced operations overhead
  Public repositories are visible to everyone; private repositories are not
  Privacy is configured at the enterprise, organization, team or individual level

GitHub Enterprise Cloud + EMUs
  GHEC with centralized user and team management (customer IdP)
  Enterprise Managed Users (EMUs) cannot move code from a private repository
  EMU activities are recorded in the GitHub audit log

GitHub Enterprise Server
  Self-hosted on the customer's network
  Multiple hypervisor options
  Subdomain isolation to mitigate XSS attacks
  Outbound web proxy for increased security
  Isolated user accounts
  Near feature parity with GitHub Enterprise Cloud
  GitHub Connect for license sync and other features

Billing and Plans

GitHub Plans
  GitHub Free (GitHub.com)
  GitHub Teams (GitHub.com)
  GitHub Enterprise (Cloud or Server)

Enterprise Add-ons
  GitHub Advanced Security
  GitHub Copilot Business
  GitHub Copilot Enterprise

Pay per use
  GitHub Actions Cloud Runners
  GitHub Packages
  Codespaces
  Marketplace pay-per-use apps
  Git LFS
  Project sponsorship
GitHub Enterprise
Overview
Platforms

Permissions flow

Enterprise administration
Permissions Flow
Permissions Flow - multiple
orgs
Repository Visibility

Public - Anyone on the internet can access (GHEC only)

Internal - Organization members in the enterprise can access (innersource)

Private - Only accessible by users with explicit permission


Repository base permissions

The organization base permission applies to every member. Levels, from least to most access: No permission, Read, Write, Admin.
Public repositories are readable at every level, internal repositories are readable by all enterprise members, and private repositories are reachable only through the base permission or an explicit grant.


Permission roles

Permission   Description
Read         Read-only access to code and Actions. Can submit and comment on issues, pull requests and discussions.
Triage       Read permissions plus the ability to manage issues, pull requests, discussions, assignments and labels.
Write        Write access to all parts of the repository except repository settings.
Maintain     Can modify some repository settings, including topics, enabling repository features, configuring merges and GitHub Pages, and pushing to protected branches.
Admin        Full administrative access to all features, settings and configurations of the repository.
GitHub Enterprise
Overview
Platforms

Permissions flow

Enterprise administration
Enterprise Settings
Walkthrough

Share Screen
GitHub Organizations
Overview
Structure and
ownership
Administration and
settings
Everything exists within GitHub (Enterprise)
Users are individuals with their own namespace
Organizations have their own namespaces
Organizations can own repositories
Users can own repositories
Users can be members of organizations, and the org content can be protected by SSO
Teams exist within organizations to apply permissions, group repositories together and facilitate communication

Example teams: @blue/java, @blue/2FA, @purple/java, @purple/js

How can these users participate in Java discussions?
Enterprise Best Practices

Organizations
  Minimize organizations (ideally one)
  Have multiple owners
  Enable SSO and 2FA

Teams
  Focus on top-level corporate divisions
  Ask who would benefit from learning from others
GitHub Organizations
Overview
Structure and
ownership
Administration and
settings
https://github.com/alltheavo

Repositories

Packages

People
Teams

Organization
information
Reasons to use teams

Onboarding and offboarding
Collaboration
Innersource
Security
Managing Nested Teams

Parent teams can have multiple child teams

Child teams inherit parent’s permissions

Child teams receive parent’s notifications

Users in a child team belong to the parent team


(Diagram: permissions and notifications flow from the parent team down to its child teams.)
Team best practices
Configuring Teams with Team Sync

Integrate IdP to synchronize groups to GitHub teams

Manage rights and permissions in one place

Can’t connect to parent team if using nested teams


Configuring Teams with GitHub

Manage membership within GitHub

Keep teams open to reduce friction


https://github.com/alltheavo

Projects

Insights
Insights - Activity Overview

High level insights for pull requests, issues, and contributions

Understand contribution trends

Use the API and dashboards (Grafana, ELK) to visualize more metrics
https://github.com/alltheavo

Security
Organization Settings
Walkthrough

Share Screen
GitHub Repositories
Overview
Navigation

Administration
Branch protections and
CODEOWNERS
https://github.com/githubuniverseworkshops/workshop-automate-your-workflow

Repository page layout
  Nav bar
  Files
  Metadata, releases, packages, contributors
  README
  Repository settings
Repository Settings
Walkthrough

Share Screen
Additional Topics

API overview
Authentication
methods

GitHub Actions overview

GitHub Marketplace overview


Core Integration Loop

GitHub emits events through webhooks and GitHub Apps; integrations consume those events and call back into the GitHub API.

Core Loop Overview

Event sources
  Webhooks: repository, organization, enterprise
  GitHub Apps: repository, organization
  GitHub Actions workflows: .github/workflows/*.yml (repository)

Integrations (consume events, send API requests)
  Scripts: *.sh, *.js, *.rb, *.py
  GUI clients: Insomnia, Postman
  Third-party systems: Jenkins, TeamCity, JIRA
  Web servers: Node.js, Ruby, Python, Java (receive webhook events via POST /endpoint)
  Serverless functions: Azure, AWS, GCP (receive webhook events via POST /endpoint)

GitHub API
  REST API (v3): HEAD, GET, POST, PUT, DELETE /api
  GraphQL API (v4):
    POST /graphql  { "query": "query {}" }
    POST /graphql  { "query": "mutation {}" }
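The webhook side of the loop above is the point where an integration trusts input from the network, so the receiver behind POST /endpoint should verify the delivery before parsing it. The following is an added example, not material from the deck: it checks the X-Hub-Signature-256 header (HMAC-SHA256 over the raw body, prefixed "sha256=") in constant time and only then dispatches on X-GitHub-Event. The secret, payload and delivery id are constructed values for offline use.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed values for the offline demo (not real GitHub data).
WEBHOOK_SECRET = b"constructed-demo-secret"

SAMPLE_BODY = json.dumps({
    "ref": "refs/heads/main",
    "repository": {"full_name": "example-org/example-repo"},
    "pusher": {"name": "example-user"},
}).encode()


def compute_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 over the raw body bytes."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison; a missing or malformed header is rejected outright."""
    if not header_value or not header_value.isascii() or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(compute_signature(secret, body), header_value)


# Headers as the receiver would see them for the sample delivery (constructed).
SAMPLE_HEADERS = {
    "X-GitHub-Event": "push",
    "X-GitHub-Delivery": "00000000-0000-0000-0000-000000000000",
    "X-Hub-Signature-256": compute_signature(WEBHOOK_SECRET, SAMPLE_BODY),
}


def handle_webhook(headers: Dict[str, str], body: bytes, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Process one delivery the way the POST /endpoint receiver should: verify first, parse second."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        # Log the delivery id so a failed verification can be matched to GitHub's delivery log.
        return {"status": 401, "reason": "signature missing or mismatched",
                "delivery": headers.get("X-GitHub-Delivery")}
    event = headers.get("X-GitHub-Event", "")
    payload = json.loads(body)
    if event == "push":
        return {"status": 200, "event": event,
                "repo": payload["repository"]["full_name"], "ref": payload["ref"]}
    return {"status": 204, "event": event, "reason": "ignored event type"}


if __name__ == "__main__":
    print(handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace(b"main", b"release")
    print(handle_webhook(SAMPLE_HEADERS, tampered))
```

Two details matter in practice: the HMAC must be computed over the raw request bytes (re-serialising the parsed JSON changes whitespace and breaks the check), and hmac.compare_digest rather than == avoids leaking the signature through timing.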
Additional Topics

API overview
Authentication
methods

GitHub Actions overview

GitHub Marketplace overview


API Authentication

Callers: scripts (*.sh, *.js, *.rb, *.py), GUI clients (Insomnia, Postman), third-party systems (Jenkins, TeamCity, JIRA), web servers (Node.js, Ruby, Python, Java), serverless functions (Azure, AWS, GCP), workflows (.github/workflows/*.yml)

Targets: GitHub REST API (v3): HEAD, GET, POST, PUT, DELETE /api; GraphQL API (v4): POST /graphql { "query": "query {}" } / { "query": "mutation {}" }

How each caller authenticates
  Personal Access Token (PAT): Profile -> Settings -> Developer Settings -> Personal access tokens; token prefix ghp_
  OAuth App: https://github.com/login/oauth/authorize?client_id=...&scope=user%20repo_deployment; token prefix gho_
  GitHub App: GET /app/installations, then POST /app/installations/{installation_id}/access_tokens; installation token prefix ghs_, user-to-server token prefix ghu_
  Workflows: GITHUB_TOKEN; token prefix ghs_
Authentication Methods

GitHub Apps
  A user or organization can register up to 100 GitHub Apps
  GitHub Apps can take actions independent of a user
  GitHub Apps can be installed in a personal account or an organization
  Can act as an OAuth app on behalf of a user
  Up to 15k requests/hour (enterprise)
  Permission changes require approval by the organization where they are installed

OAuth Apps
  A user or organization can own up to 100 OAuth Apps
  An OAuth App acts as the authenticated user across all of GitHub
  An OAuth App can be used as an identity provider by enabling "Login with GitHub"
  OAuth Apps can act on all of the authenticated user's resources
  Up to 5k requests/hour

Personal Access Tokens
  PATs represent yourself only
  Avoid using "no expiration" when creating a PAT
  Useful for scripting or cURL requests
  Do not use with a shared script or workflow
  Up to 5k requests/hour
  Removed automatically after one year of no usage

Deploy Keys
  Anyone with access to the repository and server can deploy the project
  Users don't have to change their local SSH settings
  Deploy keys are read-only by default
  Deploy keys only grant access to a single repository
  Deploy keys are not usually protected by a passphrase

Machine Users
  Anyone with access to the repository and server can deploy the project
  No (human) users need to change their local SSH settings
  Multiple keys are not needed
  Only organizations can restrict machine users to read-only access
  Machine user keys, like deploy keys, are not usually protected with a passphrase
Which access method?

Only as me?
  Yes -> Access everything?
           No  -> GitHub App
           Yes -> Simple?
                    Yes -> Personal Access Token
                    No  -> OAuth App
  No  -> Act as the app?
           Yes -> GitHub App
           No  -> Access everything?
                    No  -> GitHub App
                    Yes -> OAuth App
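The GitHub App path from the authentication slides above (JWT as the app, then POST /app/installations/{installation_id}/access_tokens for a short-lived ghs_ token) is the one that lets an integration act independently of a user while still being scoped to least privilege. The block below is an added example, not code from the deck or from GitHub: it builds the app JWT with the claim limits GitHub enforces (iat backdated 60 s, lifetime at most 10 minutes) and describes the installation-token request narrowed to explicit permissions and repositories. The signer is injected; the stub_sign used offline is a stand-in, and real use needs an RS256 signature with the app's private key. The app id, installation id and repository name are constructed, and API_BASE assumes github.com (GitHub Enterprise Server uses https://HOSTNAME/api/v3).

```python
import base64
import hashlib
import json
import time
import urllib.request
from typing import Callable, Dict, List, Optional

# Assumption: github.com. On GitHub Enterprise Server the base is https://HOSTNAME/api/v3
API_BASE = "https://api.github.com"
MAX_JWT_LIFETIME = 600  # GitHub rejects app JWTs valid for more than 10 minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_app_jwt(app_id: str, sign: Callable[[bytes], bytes],
                  now: Optional[int] = None, lifetime: int = MAX_JWT_LIFETIME) -> str:
    """JWT the app presents as itself (Authorization: Bearer <jwt>).
    `sign` must return an RS256 signature made with the app's private key.
    iat is backdated 60 s so small clock drift does not produce a not-yet-valid token."""
    if not 0 < lifetime <= MAX_JWT_LIFETIME:
        raise ValueError("GitHub App JWT lifetime must be between 1 and 600 seconds")
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iat": now - 60, "exp": now + lifetime, "iss": app_id}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    return signing_input + "." + _b64url(sign(signing_input.encode()))


def decode_claims(jwt: str) -> dict:
    """Read back the claims segment (no signature check; for inspection only)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def installation_token_request(jwt: str, installation_id: int, permissions: Dict[str, str],
                               repositories: Optional[List[str]] = None) -> dict:
    """Describe POST /app/installations/{installation_id}/access_tokens, narrowed to the
    permissions and repositories this job needs. With an empty body GitHub would mint a token
    carrying the installation's full grant, which is rarely what a single job requires."""
    body: dict = {"permissions": permissions}
    if repositories:
        body["repositories"] = repositories
    return {
        "method": "POST",
        "url": f"{API_BASE}/app/installations/{installation_id}/access_tokens",
        "headers": {"Authorization": f"Bearer {jwt}",
                    "Accept": "application/vnd.github+json",
                    "X-GitHub-Api-Version": "2022-11-28"},
        "body": json.dumps(body),
    }


def send(req: dict) -> dict:
    """Perform the described request over the network. The response JSON carries the
    installation token under 'token' (prefix ghs_) and its 'expires_at' (about one hour)."""
    r = urllib.request.Request(req["url"], data=req["body"].encode(),
                               headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r, timeout=10) as resp:
        return json.loads(resp.read())


def stub_sign(data: bytes) -> bytes:
    """Stand-in for the offline demo only: NOT an RS256 signature, GitHub would reject it."""
    return hashlib.sha256(data).digest()


if __name__ == "__main__":
    jwt = build_app_jwt("12345", stub_sign)  # constructed app id
    req = installation_token_request(jwt, 67890, {"contents": "read", "pull_requests": "write"},
                                     ["example-repo"])  # constructed installation id and repo
    print(req["method"], req["url"])
    print(req["body"])
```

The same JWT also authenticates GET /app/installations, which is how an integration discovers the installation_id it needs before requesting a token; the resulting ghs_ token is what a script or workflow then uses in place of a personal token.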
Additional Topics

API overview
Authentication
methods

GitHub Actions overview

GitHub Marketplace overview


What is GitHub Actions?

GitHub Actions is a workflow automation tool

Workflows stored as YAML files (.yml)

Triggered by GitHub webhook events

Live logging and workflow visualization

GitHub-hosted or self-hosted runners

Built-in secret store for increased security


GitHub-hosted runners
  Ephemeral
  Metered billing (50k free minutes/month)
  Static IP support (with larger runners)
  Azure vnet injection support *

Self-hosted runners
  Ephemeral or long-running
  No per-minute charges
  Customer assumes administration responsibilities
  Useful for operating systems not supported by GitHub-hosted runners
GitHub Actions auto-scaling solutions
  Elastic Machines (assisted by Expert Services)
  Actions Runner Controller (Kubernetes based)
  Automatic scale-up/scale-down as workflow demand dictates
  Offered by GitHub as-is

GitHub Actions policies
  Configure which actions are allowed (enterprise/org/repo)
  Control repo-level runner creation
  Artifact retention period
  Default GITHUB_TOKEN permissions


Sharing workflows in an organization
  Create workflow templates in the .github repository
  Use GitHub Packages and ghcr.io to share Docker-based actions
  Fetch internally-developed actions from private repositories with an app token
  Require organization workflows with rulesets
GitHub Actions best practices
  Use GITHUB_TOKEN if possible, a GitHub App token when necessary
  Limit token permissions to least privilege
  Use trusted actions only and limit secret access; pin untrusted action versions
  Use environment secrets with different values per environment
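The sharing and best-practice points above (read-only GITHUB_TOKEN by default, a GitHub App token only for what GITHUB_TOKEN cannot reach, pinned action versions, environment-scoped secrets) come together in one workflow. The file below is an added example, not a workflow from the deck or from any GitHub project. It assumes a production environment exists with a DEPLOY_TOKEN secret, that the organization has registered a GitHub App whose id and private key are stored as the APP_ID and APP_PRIVATE_KEY secrets, that an internally-developed action lives in the constructed private repository example-org/internal-actions, and that ./scripts/test.sh and ./scripts/deploy.sh are the project's own scripts. <FULL_COMMIT_SHA> is a placeholder for the full commit SHA of the tag named in the trailing comment.

```yaml
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Workflow-wide default: a read-only GITHUB_TOKEN. Jobs raise individual scopes only where needed.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Pin actions to a full commit SHA rather than a mutable tag; the comment records the tag it maps to.
      - uses: actions/checkout@<FULL_COMMIT_SHA>  # v4
      - run: ./scripts/test.sh  # assumption: the project's own test script

  deploy:
    needs: test
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production  # environment secrets: DEPLOY_TOKEN resolves to this environment's value
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA>  # v4
      # GitHub App token only where GITHUB_TOKEN cannot reach: an internally-developed action
      # kept in a private repository of the same organization. The token is scoped to that one repo.
      - id: app-token
        uses: actions/create-github-app-token@<FULL_COMMIT_SHA>  # v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          repositories: internal-actions
      - uses: actions/checkout@<FULL_COMMIT_SHA>  # v4
        with:
          repository: example-org/internal-actions  # constructed name
          token: ${{ steps.app-token.outputs.token }}
          path: .internal-actions
      - run: ./scripts/deploy.sh  # assumption: the project's own deploy script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

The top-level permissions block is what the "Default GITHUB_TOKEN permissions" policy sets enterprise- or organization-wide; declaring it in the workflow as well keeps the job honest if that policy is ever relaxed. The app token from the app-token step expires on its own, so no long-lived PAT has to be stored for the private checkout.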
GitHub Actions best practices
  Create starter workflows for reusability
  Create meaningful README files for your custom actions
  Implement small and focused actions and make use of the Marketplace
  Use GitHub Actions for CI/CD but also for *Ops
Additional Topics

API overview
Authentication
methods

GitHub Actions overview

GitHub Marketplace overview


https://github.com/marketplace
Q&A
Thank You!
