GitHub accounts are stongly tied to individual emails.

The use of shared/administrative accounts in actively discouraged by GitHub through multi-factor authentication policies.

GitHub organization policies should be created with an assumption that multiple individual users will adminster policies. These users should be removed from the GitHub organization when the users separate from CDL.

• Re-use a pre-existing GitHub account
  • Many CDL developers have chosen this option in order to showcase a portfolio of work before and after joining CDL.
• Create a new GitHub account dedicated for my work at CDL
  • Many CDL staff have chosen this option as well.
• Create a separate GitHub account in order to administer a GitHub organization
  • Our CDL Systems Adminstrators have chosen this option for administering GitHub.
  • This requires the use of a secondary email or an email alias.

• Create a machine user

A GitHub account can be configured with multiple email addresses.

We recommend that you associate your UCOP email address with the GitHub account that you use for your work at CDL.

All CDL Github users are required to enable MFA. These can be configured in your account security settings.
It is recommended to enable (2) two-factor methods. Selecting 2 methods provides a backup method if one method is unavailable. It is not recommended to use SMS as this is an insecure method.

Many Git/GitHub operations can be performed within the GitHub web interface.

• Create issues
• Comment on issues
• Create pull requests
• Merge pull requests
• View Code
• Edit Code - this option is ok for simple edits to a single file

For work that you perform on your desktop or on a CDL server, you will likely need to authorize a git client to use your GitHub credentials.

• pull code from a public repo - no authorization is needed
• pull code from a private repo - authorization is needed
• push code to a repo (public or private) - authorization is needed

• GitHub desktop
• VSCode
• git command line tool

Authorization Options

• GitHub Desktop

  • in this instance, the url to your repo will look like https://github.com...
  • when you attempt to clone a private repository, GitHub desktop will prompt you for authentication on GitHub.com
  • GitHub desktop relies on an active web connection to GitHub.com

• git command line client

  • in this instance, the url to your repo will look like https://github.com...
  • when you attempt to clone a private repository, the git tool will prompt you for a username/password
    • the username does not matter
    • for the password, provide a GitHub personal access token
      • GitHub fine-grained personal access tokens have an expiration date and will require periodic regeneration

• Configure an ssh key

  • in this instance, the url to your repo will look like git@github.com...
  • from your desktop, you must create an ssh key using a command line tool such as ssh-keygen and name it something like ~/.ssh/github_rsa
  • you must load your PUBLIC ssh key to your GitHub account
    • Settings / SSH and GPG Keys
    • Note that SSH keys have no expiration on GitHub
  • you must add the following to your ~/.ssh/config
  • when connecting to a CDL server, it is recommended that you forward your ssh credentials to the server rather than duplicating your ssh key on the server.
    • ssh -A

Host github.com
	HostName github.com
	User git
	IdentityFile ~/.ssh/github_rsa

• GitHub Access Tokens
  • Access rights can be revoked at any time
  • Can be configured with an expiration
  • Access rights can be scoped to particular behaviors
  • Can perform git operations (clone/push/pull)
  • Can perform GitHub API operations
• SSH Keys
  • Access rights can be revoked at any time
  • Cannot be configured with an expiration
  • Can be "forwarded" to a server
  • Can perform git operations (clone/push/pull)
  • Cannot perform GitHub API operations

GitHub offers 3 types of plans

• Personal
• Pro
• Enterprise

Due to cost, CDL does not have an enterprise plan.

Most CDL users have been able to qualify for a free pro account using GitHub for Education benefits.

• Create a confluence page describing how to apply for these benefits

(Joe) I believe this is program dependent and by project right?

(Joe) Wondering if this should be private by default and public when it needs to be public.

Options

• GitHub actions
• AWS CodePipeline
• Jenkins

• Access tokens can be created to authorize a github client (as a login credential)
• Access tokens can be used to authorize a script to perform git operations
• Access tokens can be used to authorize a program to make GitHub api calls

Access token creation is configured under Settings/Developer Settings/Personal Access Tokens.

If the creator of an access token is not a GitHub Organization owner, the token must be approved by a GitHub Organization Owner before it can be used.

An organization owner can revoke fine-graned tokens that have been granted organization access rights.

• Classic token (ghp...)
  • can be configured with/without an expiration
  • permission scopes are too broad and generally grant more rights than is desireable.
• Fine-grained Access Token (github_pat_...)
  • users are discourged from creating one without an expiration
  • access rights can be scoped
    • to particular github apis
    • to particular repositories
    • to a particular organization

• SSH keys
• GitHub Apps

We should be very selecitve about the apps that are approved at an Org level.

This is the primary mechanism that we use to enable AWS Code Build/Pipeline tools to access GitHub events.

Options

• GraphQL
• API