Skip to main content
我们经常发布文档更新,此页面的翻译可能仍在进行中。有关最新信息,请访问英语文档
� 

� 

此版本的 GitHub Enterprise 已停止服务 2022-10-12. 即使针对重大安全问题,也不会发布补丁。 为了获得更好的性能、更高的安全性和新功能,请升级到最新版本的 GitHub Enterprise。 如需升级帮助,请联系 GitHub Enterprise 支持

Enforcing repository management policies in your enterprise

本文内容

You can enforce policies for repository management within your enterprise's organizations, or allow policies to be set in each organization.

Who can use this feature

Enterprise owners can enforce policies for repository management in an enterprise.

About policies for repository management in your enterprise

You can enforce policies to control how members of your enterprise on GitHub Enterprise Server manage repositories. You can also allow organization owners to manage policies for repository management. For more information, see "Creating and managing repositories and "Organizations and teams."

Configuring the default visibility of new repositories

Each time someone creates a new repository within your enterprise, that person must choose a visibility for the repository. When you configure a default visibility setting for the enterprise, you choose which visibility is selected by default. For more information on repository visibility, see "About repositories."

If an enterprise owner disallows members from creating certain types of repositories, members will not be able to create that type of repository even if the visibility setting defaults to that type. For more information, see "Setting a policy for repository creation."

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”

  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡

  3. “策略” 下,单击“选项” 。 企业帐户设置侧边� �中的“选项”选项卡

  4. Under "Default repository visibility", use the drop-down menu and select a default visibility. Drop-down menu to choose the default repository visibility for your enterprise

Warning: If you add an image attachment to a pull request or issue comment, anyone can view the anonymized image URL without authentication, even if the pull request is in a private repository, or if private mode is enabled. To prevent unauthorized access to the images, ensure that you restrict network access to the systems that serve the images, including your GitHub Enterprise Server instance.

Enforcing a policy for base repository permissions

Across all organizations owned by your enterprise, you can set a base repository permission level (none, read, write, or admin) for organization members, or allow owners to administer the setting on the organization level.

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”
  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡
  3. 在“ 策略”下,单击“存储库”。 企业帐户设置侧边� �中的“存储库”选项卡
  4. Under "Base permissions", review the information about changing the setting. (可选)若要在更改设置之前查看企业帐户中所有组织的当前配置,请单击 查看组织的当前配置查看企业中组织的当前策略配置的链接
  5. Under "Base permissions", use the drop-down menu and choose a policy. Drop-down menu with repository permissions policy options

Enforcing a policy for repository creation

Across all organizations owned by your enterprise, you can allow members to create repositories, restrict repository creation to organization owners, or allow owners to administer the setting on the organization level.

If you allow members to create repositories in your organizations, you can choose which types of repositories (public, private, and internal) that members can create.

For more information about internal repositories, see "Creating an internal repository."

组织所有者始终可以创建任何类型的仓库,而外部协作者永远不能创建任何类型的仓库。 有关详细信息,请参阅“关于存储库”。

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”

  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡

  3. 在“ 策略”下,单击“存储库”。 企业帐户设置侧边� �中的“存储库”选项卡

  4. Under "Repository creation", review the information about changing the setting. (可选)若要在更改设置之前查看企业帐户中所有组织的当前配置,请单击 查看组织的当前配置查看企业中组织的当前策略配置的链接

  5. Under "Repository creation", select a policy.

    Drop-down menu with repository creation policy options

  6. 如果� 选择“成员可创建存储库”,请选择一个或多个存储库类型。 存储库类型复选框

Enforcing a policy for forking private or internal repositories

Across all organizations owned by your enterprise, you can allow people with access to a private or internal repository to fork the repository, never allow forking of private or internal repositories, or allow owners to administer the setting on the organization level.

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”

  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡

  3. 在“ 策略”下,单击“存储库”。 企业帐户设置侧边� �中的“存储库”选项卡

  4. Under "Repository forking", review the information about changing the setting. (可选)若要在更改设置之前查看企业帐户中所有组织的当前配置,请单击 查看组织的当前配置查看企业中组织的当前策略配置的链接

  5. Under "Repository forking", use the dropdown menu and choose a policy.

    Drop-down menu with repository forking policy options

Enforcing a policy for inviting collaborators to repositories

Across all organizations owned by your enterprise, you can allow members to invite collaborators to repositories, restrict invitations to organization owners, or allow organization owners to administer the setting on the organization level.

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”

  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡

  3. 在“ 策略”下,单击“存储库”。 企业帐户设置侧边� �中的“存储库”选项卡

  4. Under "Repository invitations", review the information about changing the setting. (可选)若要在更改设置之前查看企业帐户中所有组织的当前配置,请单击 查看组织的当前配置查看企业中组织的当前策略配置的链接

  5. Under "Repository invitations", use the drop-down menu and choose a policy.

    Drop-down menu with invitation policy options

Enforcing a policy for the default branch name

Across all organizations owned by your enterprise, you can set the default branch name for any new repositories that members create. You can choose to enforce that default branch name across all organizations or allow individual organizations to set a different one.

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”
  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡
  3. On the Repository policies tab, under "Default branch name", enter the default branch name that new repositories should use. Text box for entering default branch name
  4. Optionally, to enforce the default branch name for all organizations in the enterprise, select Enforce across this enterprise. Enforcement checkbox
  5. Click Update. Update button

Enforcing a policy for changes to repository visibility

Across all organizations owned by your enterprise, you can allow members with admin access to change a repository's visibility, restrict repository visibility changes to organization owners, or allow owners to administer the setting on the organization level. When you prevent members from changing repository visibility, only enterprise owners can change the visibility of a repository.

If an enterprise owner has restricted repository creation to organization owners only, then members will not be able to change repository visibility. If an enterprise owner has restricted member repository creation to private repositories only, then members will only be able to change the visibility of a repository to private. For more information, see "Setting a policy for repository creation."

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”
  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡
  3. 在“ 策略”下,单击“存储库”。 企业帐户设置侧边� �中的“存储库”选项卡
  4. Under "Repository visibility change", review the information about changing the setting. (可选)若要在更改设置之前查看企业帐户中所有组织的当前配置,请单击 查看组织的当前配置查看企业中组织的当前策略配置的链接
  5. Under "Repository visibility change", use the drop-down menu and choose a policy. Drop-down menu with repository visibility policy options

Enforcing a policy for repository deletion and transfer

Across all organizations owned by your enterprise, you can allow members with admin permissions to delete or transfer a repository, restrict repository deletion and transfers to organization owners, or allow owners to administer the setting on the organization level.

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”

  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡

  3. 在“ 策略”下,单击“存储库”。 企业帐户设置侧边� �中的“存储库”选项卡

  4. Under "Repository deletion and transfer", review the information about changing the setting. (可选)若要在更改设置之前查看企业帐户中所有组织的当前配置,请单击 查看组织的当前配置查看企业中组织的当前策略配置的链接

  5. 在“Repository deletion and transfer(仓库� 除和转让)”下,使用下拉菜单选择策略。 包含存储库� 除策略选项的下拉菜单

Enforcing a policy for deleting issues

Across all organizations owned by your enterprise, you can allow members with admin access to delete issues in a repository, restrict issue deletion to organization owners, or allow owners to administer the setting on the organization level.

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”

  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡

  3. On the Repository policies tab, under "Repository issue deletion", review the information about changing the setting. (可选)若要在更改设置之前查看企业帐户中所有组织的当前配置,请单击 查看组织的当前配置查看企业中组织的当前策略配置的链接

  4. Under "Repository issue deletion", use the drop-down menu and choose a policy.

    Drop-down menu with issue deletion policy options

Enforcing a policy for Git push limits

To keep your repository size manageable and prevent performance issues, you can configure a file size limit for repositories in your enterprise.

By default, when you enforce repository upload limits, people cannot add or update files larger than 100 MB.

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”
  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡
  3. “策略” 下,单击“选项” 。 企业帐户设置侧边� �中的“选项”选项卡
  4. Under "Repository upload limit", use the drop-down menu and click a maximum object size. Drop-down menu with maximum object size options
  5. Optionally, to enforce a maximum upload limit for all repositories in your enterprise, select Enforce on all repositories Enforce maximum object size on all repositories option

Configuring the merge conflict editor for pull requests between repositories

Requiring users to resolve merge conflicts locally on their computer can prevent people from inadvertently writing to an upstream repository from a fork.

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”

  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡

  3. “策略” 下,单击“选项” 。 企业帐户设置侧边� �中的“选项”选项卡

  4. Under "Conflict editor for pull requests between repositories", use the drop-down menu, and click Disabled. Drop-down menu with option to disable the merge conflict editor

Configuring force pushes

Each repository inherits a default force push setting from the settings of the user account or organization that owns the repository. Each organization and user account inherits a default force push setting from the force push setting for the enterprise. If you change the force push setting for the enterprise, the policy applies to all repositories owned by any user or organization.

Blocking force pushes to all repositories

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”
  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡
  3. “策略” 下,单击“选项” 。 企业帐户设置侧边� �中的“选项”选项卡
  4. Under "Force pushes", use the drop-down menu, and click Allow, Block or Block to the default branch. Force pushes dropdown
  5. Optionally, select Enforce on all repositories, which will override organization and repository level settings for force pushes.

Blocking force pushes to a specific repository

注意:每个存储库自动从拥有它的组织或用户继承默认设置。 如果仓库所有者已在其所有仓库上强制执行设置,则您不能覆盖默认设置。

  1. Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.

  2. 从 GitHub Enterprise Server 上的管理帐户任意页面的右上角,单击

    用于访问站点管理员设置的火箭图� �的屏幕截图

  3. 如果� 尚未在“站点管理员”页上,请在左上角单击“站点管理员”。

    “站点管理员”链接的屏幕截图

  4. 在搜索字段中,键入存储库的名称,然后单击“搜索”。 站点管理员设置搜索字段

  5. 在搜索结果中,单击仓库名称。 站点管理设置搜索选项

  6. 在页面的右上角,单击 “管理员”。管理员工具

  7. 在左侧� �中,单击“管理员”。管理员工具

  8. Select Block or Block to the default branch under Push and Pull. Block force pushes

Blocking force pushes to repositories owned by a user account or organization

Repositories inherit force push settings from the user account or organization to which they belong. User accounts and organizations in turn inherit their force push settings from the force push settings for the enterprise.

You can override the default inherited settings by configuring the settings for a user account or organization.

  1. Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.

  2. 从 GitHub Enterprise Server 上的管理帐户任意页面的右上角,单击

    用于访问站点管理员设置的火箭图� �的屏幕截图

  3. 如果� 尚未在“站点管理员”页上,请在左上角单击“站点管理员”。

    “站点管理员”链接的屏幕截图

  4. 在搜索字段中,键入用户或组织的名称,然后单击“搜索”。 站点管理设置搜索字段

  5. 在搜索结果中,单击用户或组织的名称。 站点管理设置搜索选项

  6. 在页面的右上角,单击 “管理员”。管理员工具

  7. 在左侧� �中,单击“管理员”。管理员工具

  8. Under "Repository default settings" in the "Force pushes" section, select

    • Block to block force pushes to all branches.
    • Block to the default branch to only block force pushes to the default branch. Block force pushes

  9. Optionally, select Enforce on all repositories to override repository-specific settings. Note that this will not override an enterprise-wide policy. Block force pushes

Configuring anonymous Git read access

Warnings:

  • The Git protocol is unauthenticated and unencrypted. An attacker could intercept repository data transferred over connections using this protocol.
  • If you enable anonymous Git read access, you're responsible for all access and use of the feature. GitHub is not responsible for any unintended access, security risks, or misuse of the feature.
  • You may not use this feature to violate your license from GitHub, including the limit on the number of user licenses for your GitHub Enterprise Server instance.

If you have enabled private mode for your GitHub Enterprise Server instance, you can allow repository administrators to enable anonymous Git read access to public repositories.

Enabling anonymous Git read access allows users to bypass authentication for custom tools on your enterprise. When you or a repository administrator enable this access setting for a repository, unauthenticated Git operations (and anyone with network access to GitHub Enterprise Server) will have read access to the repository without authentication.

Anonymous Git read access is disabled by default.

If necessary, you can prevent repository administrators from changing anonymous Git access settings for repositories on your enterprise by locking the repository's access settings. After you lock a repository's Git read access setting, only a site administrator can change the setting.

要查看启用了匿名 Git 读取权限的仓库,请在站点管理仪表板中过滤仓库列表。

注意:

  • 不能更改复刻仓库的 Git 读取访问设置,� 为它们的访问设置默认继承自� �仓库。
  • 如果公共仓库变成私人,则匿名 Git 读取访问权限将对该仓库及其复刻自动禁用。
  • 如果使用匿名身份验证的仓库包含 Git LFS 资产,它将� 法下载 Git LFS 资产,� 为它们仍然需要身份验证。 强烈建议不要对包含 Git LFS 资产的仓库启用匿名 Git 读取访问。

Setting anonymous Git read access for all repositories

  1. 在 GitHub Enterprise Server 的右上角,单击� 的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”

  2. 在企业边� �中,单击 “策略”。 企业帐户边� �中的“策略”选项卡

  3. “策略” 下,单击“选项” 。 企业帐户设置侧边� �中的“选项”选项卡

  4. Under "Anonymous Git read access", use the drop-down menu, and click Enabled. Anonymous Git read access drop-down menu showing menu options "Enabled" and "Disabled"

  5. Optionally, to prevent repository admins from changing anonymous Git read access settings in all repositories on your enterprise, select Prevent repository admins from changing anonymous Git read access. Select checkbox to prevent repository admins from changing anonymous Git read access settings for all repositories on your enterprise

Setting anonymous Git read access for a specific repository

  1. 从 GitHub Enterprise Server 上的管理帐户任意页面的右上角,单击

    用于访问站点管理员设置的火箭图� �的屏幕截图

  2. 如果� 尚未在“站点管理员”页上,请在左上角单击“站点管理员”。

    “站点管理员”链接的屏幕截图

  3. 在搜索字段中,键入存储库的名称,然后单击“搜索”。 站点管理员设置搜索字段

  4. 在搜索结果中,单击仓库名称。 站点管理设置搜索选项

  5. 在页面的右上角,单击 “管理员”。管理员工具

  6. 在左侧� �中,单击“管理员”。管理员工具

  7. Under "Danger Zone", next to "Enable Anonymous Git read access", click Enable. "Enabled" button under "Enable anonymous Git read access" in danger zone of a repository's site admin settings

  8. Review the changes. To confirm, click Yes, enable anonymous Git read access. Confirm anonymous Git read access setting in pop-up window

  9. Optionally, to prevent repository admins from changing this setting for this repository, select Prevent repository admins from changing anonymous Git read access. Select checkbox to prevent repository admins from changing anonymous Git read access for this repository