This version of GitHub Enterprise will be discontinued on This version of GitHub Enterprise was discontinued on 2020-08-20. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

Article version: Enterprise Server 2.18

Enforcing repository management policies in your enterprise

Enterprise owners can enforce certain repository management policies for all organizations owned by an enterprise account, or allow policies to be set in each organization.

In this article

Configuring the default visibility of new repositories on your appliance

Each time someone creates a new repository on your GitHub Enterprise Server instance, that person must choose a visibility for the repository. When you configure a default visibility setting for the instance, you choose which visibility is selected by default. For more information on repository visibility, see "About repository visibility."

If a site administrator disallows members from creating certain types of repositories, members will not be able to create that type of repository even if the visibility setting defaults to that type. For more information, see "Restricting repository creation in your instance."

Tip: You can restrict the ability to change repository visibility to site administrators only. For more information, see "Preventing users from changing a repository's visibility."

  1. In the upper-right corner of any page, click .
    Rocketship icon for accessing site admin settings
  2. In the left sidebar, click Enterprise.
    Enterprise tab in the Site admin settings
  3. In the enterprise account sidebar, click Settings.
    Settings tab in the enterprise account sidebar
  4. Under " Settings", click Options.
    Options tab in the enterprise account settings sidebar
  5. Under "Default repository visibility", use the drop-down menu and select a default visibility.
    Drop-down menu to choose the default repository visibility for your instance

Warning: If you add an image attachment to a pull request or issue comment, anyone can view the anonymized image URL without authentication, even if the pull request is in a private repository, or if private mode is enabled. To keep sensitive images private, serve them from a private network or server that requires authentication.

Setting a policy for changing a repository's visibility

When you prevent members from changing repository visibility, only site administrators have the ability to make public repositories private or make private repositories public.

If a site administrator has restricted repository creation to organization owners only, then members will not be able to change repository visibility. If a site administrator has restricted member repository creation to private repositories only, then members will only be able to change repositories from public to private. For more information, see "Setting a policy for repository creation."

  1. In the upper-right corner of any page, click .

    Rocketship icon for accessing site admin settings

  2. In the left sidebar, click Enterprise.

    Enterprise tab in the Site admin settings

  3. In the enterprise account sidebar, click Policies.

    Policies tab in the enterprise account sidebar

  4. Under " Policies", click Repositories.

    Repositories tab in the enterprise account settings sidebar

  5. Under "Repository visibility change", review the information about changing the setting. Optionally, to view the setting's current configuration for all organizations in the enterprise account before enforcing the setting, click View your organizations' current configurations.

    Link to view the current policy configuration for organizations in the business

  6. Under "Repository visibility change", use the drop-down menu and choose a policy.

    Drop-down menu with repository visibility policy options

Setting a policy for repository creation

Organization owners can always create any type of repository, and outside collaborators can never create any type of repository. For more information, see "About repository visibility."

  1. In the upper-right corner of any page, click .

    Rocketship icon for accessing site admin settings

  2. In the left sidebar, click Enterprise.

    Enterprise tab in the Site admin settings

  3. In the enterprise account sidebar, click Policies.

    Policies tab in the enterprise account sidebar

  4. Under " Policies", click Repositories.

    Repositories tab in the enterprise account settings sidebar

  5. Under "Repository creation", review the information about changing the setting. Optionally, to view the setting's current configuration for all organizations in the enterprise account before enforcing the setting, click View your organizations' current configurations.

    Link to view the current policy configuration for organizations in the business

  6. Under "Repository creation", use the drop-down menu and choose a policy.

    Drop-down menu with repository creation policies

Setting a policy for repository deletion and transfer

  1. In the upper-right corner of any page, click .

    Rocketship icon for accessing site admin settings

  2. In the left sidebar, click Enterprise.

    Enterprise tab in the Site admin settings

  3. In the enterprise account sidebar, click Policies.

    Policies tab in the enterprise account sidebar

  4. Under " Policies", click Repositories.

    Repositories tab in the enterprise account settings sidebar

  5. Under "Repository deletion and transfer", review the information about changing the setting. Optionally, to view the setting's current configuration for all organizations in the enterprise account before enforcing the setting, click View your organizations' current configurations.

    Link to view the current policy configuration for organizations in the business

  6. Under "Repository deletion and transfer", use the drop-down menu and choose a policy.

    Drop-down menu with repository deletion policy options

Setting a policy for Git push limits

To keep your repository size manageable and prevent performance issues, you can configure a file size limit for repositories on your instance.

By default, when you enforce repository upload limits, people cannot add or update files larger than 100 MB.

Note: Only files larger than 50 MB will be checked against the Git push limit. If you need to set a lower push limit, contact GitHub Enterprise Support or GitHub Premium Support for assistance.

  1. In the upper-right corner of any page, click .
    Rocketship icon for accessing site admin settings
  2. In the left sidebar, click Enterprise.
    Enterprise tab in the Site admin settings
  3. In the enterprise account sidebar, click Settings.
    Settings tab in the enterprise account sidebar
  4. Under " Settings", click Options.
    Options tab in the enterprise account settings sidebar
  5. Under "Repository upload limit", use the drop-down menu and click a maximum object size.
    Drop-down menu with maximum object size options
  6. Optionally, to enforce a maximum upload limit for all repositories on your GitHub Enterprise Server instance, select Enforce on all repositories
    Enforce maximum object size on all repositories option

Configuring the merge conflict editor for pull requests between repositories

Requiring users to resolve merge conflicts locally on their computer can prevent people from inadvertently writing to an upstream repository from a fork.

  1. In the upper-right corner of any page, click .
    Rocketship icon for accessing site admin settings
  2. In the left sidebar, click Enterprise.
    Enterprise tab in the Site admin settings
  3. In the enterprise account sidebar, click Settings.
    Settings tab in the enterprise account sidebar
  4. Under " Settings", click Options.
    Options tab in the enterprise account settings sidebar
  5. Under "Conflict editor for pull requests between repositories", use the drop-down menu, and click Disabled.
    Drop-down menu with option to disable the merge conflict editor

Configuring force pushes

Each repository inherits a default force push setting from the settings of the user account or organization to which it belongs. Likewise, each organization and user account inherits a default force push setting from the force push setting for the entire appliance. If you change the force push setting for the appliance, it will change for all repositories owned by any user or organization.

Blocking all force pushes on your appliance

  1. In the upper-right corner of any page, click .
    Rocketship icon for accessing site admin settings
  2. In the left sidebar, click Enterprise.
    Enterprise tab in the Site admin settings
  3. In the enterprise account sidebar, click Settings.
    Settings tab in the enterprise account sidebar
  4. Under " Settings", click Options.
    Options tab in the enterprise account settings sidebar
  5. Under "Force pushes", use the drop-down menu, and click Allow, Block or Block to the default branch.
    Force pushes dropdown
  6. Optionally, select Enforce on all repositories, which will override organization and repository level settings for force pushes.

Blocking force pushes to a specific repository

Note: Each repository automatically inherits default settings from the organization or user that owns it. You cannot override the default setting if the repository's owner has enforced the setting on all of their repositories.

  1. Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.
  2. In the upper-right corner of any page, click .
    Rocketship icon for accessing site admin settings
  3. In the search field, type the name of the repository and click Search.
    Site admin settings search field
  4. In the search results, click the name of the repository.
    Site admin settings search options
  5. In the upper-right corner of the page, click Admin.
    Admin Tools
  6. In the left sidebar, click Admin.
    Admin Tools
  7. Select Block or Block to the default branch under Push and Pull.
    Block force pushes

Blocking force pushes to repositories owned by a user account or organization

Repositories inherit force push settings from the user account or organization to which they belong. User accounts and organizations in turn inherit their force push settings from the force push settings for the entire appliance.

You can override the default inherited settings by configuring the settings for a user account or organization.

  1. Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.
  2. In the upper-right corner of any page, click .
    Rocketship icon for accessing site admin settings
  3. In the search field, type the name of the user or organization and click Search.
    Site admin settings search field
  4. In the search results, click the name of the user or organization.
    Site admin settings search options
  5. In the upper-right corner of the page, click Admin.
    Admin Tools
  6. In the left sidebar, click Admin.
    Admin Tools
  7. Under "Repository default settings" in the "Force pushes" section, select
    • Block to block force pushes to all branches.
    • Block to the default branch to only block force pushes to the default branch.
      Block force pushes
  8. Optionally, select Enforce on all repositories to override repository-specific settings. Note that this will not override an appliance-wide policy.
    Block force pushes

Configuring anonymous Git read access

Note: If you enable anonymous Git read access, you're responsible for all access and use of this feature. GitHub will not be responsible for any unintended access or misuse of the feature. Also, you may not use this feature to violate your license from GitHub, including the limit on the number of user licenses you've ordered from us.

If you have enabled private mode on your instance, you can allow repository administrators to enable anonymous Git read access to public repositories.

Enabling anonymous Git read access allows users to bypass authentication for custom tools on your instance. When you or a repository administrator enable this access setting for a repository, unauthenticated Git operations (and anyone with network access to GitHub Enterprise Server) will have read access to the repository without authentication.

If necessary, you can prevent repository administrators from changing anonymous Git access settings for repositories on your GitHub Enterprise Server instance by locking the repository's access settings. After you lock a repository's Git read access setting, only a site administrator can change the setting.

To see the repositories with anonymous Git read access enabled, filter the repositories list in the site admin dashboard.

Notes:

  • You cannot change the Git read access settings for forked repositories since they inherit their access settings from the root repository by default.
  • If a public repository becomes private, then anonymous Git read access will automatically be disabled for that repository and it forks.
  • If a repository with anonymous authentication contains Git LFS assets, it will fail to download the Git LFS assets since they still require authentication. We strongly recommend not enabling anonymous Git read access for a repository with Git LFS assets.

Setting anonymous Git read access for all repositories

  1. In the upper-right corner of any page, click .
    Rocketship icon for accessing site admin settings
  2. In the left sidebar, click Enterprise.
    Enterprise tab in the Site admin settings
  3. In the enterprise account sidebar, click Settings.
    Settings tab in the enterprise account sidebar
  4. Under " Settings", click Options.
    Options tab in the enterprise account settings sidebar
  5. Under "Anonymous Git read access", use the drop-down menu, and click Enabled.
    Anonymous Git read access drop-down menu showing menu options "Enabled" and "Disabled"
  6. Optionally, to prevent repository admins from changing anonymous Git read access settings in all repositories on your instance, select Prevent repository admins from changing anonymous Git read access.
    Select checkbox to prevent repository admins from changing anonymous Git read access settings for all repositories on your instance

Setting anonymous Git read access for a specific repository

  1. In the upper-right corner of any page, click .
    Rocketship icon for accessing site admin settings
  2. In the search field, type the name of the repository and click Search.
    Site admin settings search field
  3. In the search results, click the name of the repository.
    Site admin settings search options
  4. In the upper-right corner of the page, click Admin.
    Admin Tools
  5. In the left sidebar, click Admin.
    Admin Tools
  6. Under "Danger Zone", next to "Enable Anonymous Git read access", click Enable.
    "Enabled" button under "Enable anonymous Git read access" in danger zone of a repository's site admin settings
  7. Review the changes. To confirm, click Yes, enable anonymous Git read access.
    Confirm anonymous Git read access setting in pop-up window
  8. Optionally, to prevent repository admins from changing this setting for this repository, select Prevent repository admins from changing anonymous Git read access.
    Select checkbox to prevent repository admins from changing anonymous Git read access for this repository

Ask a human

Can't find what you're looking for?

Contact us