GitHub/GHE Project: Difference between revisions
Cknowles-moz (talk | contribs) (Change the direct mailto to a text mail address, because spammers are terrible.)
Cknowles-moz (talk | contribs) (More typo corrections)
Revision as of 18:11, 24 March 2022
IT GitHub Project Overview
Purpose
IT will be managing and supporting GitHub (GH) Organizations (Orgs) in order to provide more consistent support and security posture, and to grow capabilities (e.g. SAML).
This is primarily accomplished via an IT team (ghe-admins@mozilla.com) having ownership rights in the org.
IT Involvement in KTLO (Keeping The Lights On)
IT admins will be involved in the following, plus other things, as needed:
- Membership maintenance (on-boarding and off-boarding)
- Private repository creation/recording
  - Private repositories are a cost concern and a privacy/security concern, and because they are hidden they often go orphaned, so we record them so SOMEONE knows about them.
- Interfacing with GitHub support if needed
- Working with Incident Response and CPG around issues that concern them
Managing Org Ownership permissions
One of the known security changes we're working to implement is to limit the number of people with org owner permissions wherever possible. As part of induction, we'll be reaching out to the people with owner permissions and asking if they need this (at all, and in light of the duties that IT is now taking on).
- There are Auth0, Duo, and GHE costs related to keeping them, plus various bits of upkeep, so we would like to remove them where feasible.
- Any remaining org owners will be required to have a "root" account, separate from their "daily driver" or "mortal" account.
Ways to Reach IT
- Bugzilla - Please don't mark it as fully confidential without cc'ing in someone from the ghe-admins@ group. https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=Github%3A+Administration
- Matrix - https://matrix.to/#/#github-admin:mozilla.org
- Email - mail to github-admins @ mozilla.com
Unifying Secops Posture
Secops has been involved in the day-to-day maintenance in several orgs, but with IT admins taking that over, they are able to focus on policy and procedure, and on making sure that, while there may be several policies to follow, they're standardized (or as similar as is reasonable) and documented in some form.
GHE/SAML
One of the goals of this is to make on-boarding/off-boarding more consistent. In that vein, we're migrating organizations to GitHub Enterprise (GHE) and working to enable SAML linkages to help us identify and communicate with them.
More information on the specific GHE/SAML process, and answers to questions around it, can be found here.