I've recently given collaborator access to a private GitHub repo to a few new team members. While I do trust them, I'd like to better understand their read/write access. Couldn't they technically commit directly to dev or master, accept their own merge requests, or even like remove the entire project? How do I configure security settings so they can only push changes to dev/master, and I'm the only one who can merge them in?

According to https://help.github.com/articles/permission-levels-for-a-user-account-repository/, it seems that a collaborator is free to do what they want.

user3871

1 Answer

The simplest approach would be to give access to a fork of the private repo (the fork remains private).

That way:

  • they can make pull requests to your main repo, with you deciding to merge them or not.
  • they can use any branch they want on the fork.

The other approach would be to use GitHub's new protected branch feature: that can limit what a collaborator can do when merging to master.

VonC
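
To check what protected-branch settings leave open for the concerns in the question (direct pushes, self-merged pull requests, force-pushes, branch deletion), the following added example, which is not part of the answer above, audits a branch-protection object. It assumes the field names of the GitHub REST response for `GET /repos/{owner}/{repo}/branches/{branch}/protection`; the samples and the login `maintainer-example` are constructed.

```python
# Constructed samples shaped like the branch-protection REST response (not real data).
WEAK = {
    "required_pull_request_reviews": {"required_approving_review_count": 0,
                                      "require_code_owner_reviews": False},
    "restrictions": None,
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}
STRICT = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "require_code_owner_reviews": True},
    "restrictions": {"users": [{"login": "maintainer-example"}], "teams": []},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

def audit_protection(protection, maintainer):
    """Return (code, message) findings; an empty list means no gap was found."""
    if not protection:
        return [("unprotected",
                 "any collaborator can push to, force-push or delete the branch")]
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append(("direct-push", "no pull request is required before changes land"))
    elif reviews.get("required_approving_review_count", 0) < 1:
        findings.append(("self-merge", "a collaborator can merge their own pull request unreviewed"))
    elif not reviews.get("require_code_owner_reviews"):
        findings.append(("peer-approval", "any collaborator's approval unlocks the merge"))
    # Push restrictions exist only on organization-owned repositories.
    restrictions = protection.get("restrictions")
    if restrictions is None:
        findings.append(("open-merge", "anyone with write access can merge once checks pass"))
    else:
        extra = sorted(u["login"] for u in restrictions.get("users", [])
                       if u["login"] != maintainer)
        if extra or restrictions.get("teams"):
            findings.append(("extra-pushers", f"push also allowed for: {extra or 'teams'}"))
    for key, code in (("allow_force_pushes", "force-push"), ("allow_deletions", "deletion")):
        if (protection.get(key) or {}).get("enabled"):
            findings.append((code, f"{key} is enabled"))
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("strict", STRICT)):
        print(name, audit_protection(sample, "maintainer-example"))
```
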