Enforcing repository management policies in your enterprise

You can enforce policies for repository management within your enterprise's organizations, or allow policies to be set in each organization.

Who can use this feature?

Enterprise owners can enforce policies for repository management in an enterprise.

In this article

About policies for repository management in your enterprise

You can enforce policies to control how members of your enterprise manage repositories. You can also allow organization owners to manage policies for repository management.

Note

This page describes the policies you can set on the "Member privileges" page in your enterprise settings. Certain restrictions, such as who can create, delete, or transfer repositories, are also available in a repository policy. Repository policies give you more flexibility over which users are affected and which organizations and repositories are targeted. See Governing how people use repositories in your enterprise.

Enforcing a policy for base repository permissions

Across all organizations owned by your enterprise, you can set a base repository permission level (none, read, write, or admin) for organization members, or allow owners to administer the setting on the organization level.

  1. In the top-right corner of GitHub, click your profile picture.

  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.

  3. At the top of the page, click Policies.

  4. Under " Policies", click Member privileges.

  5. Under "Base permissions", review the information about changing the setting. Optionally, to view the current configuration for all organizations in the enterprise account before you change the setting, click View your organizations' current configurations.

    Screenshot of a policy in the enterprise settings. A link, labeled "View your organizations' current configurations", is outlined.

  6. Under "Base permissions", select the dropdown menu and click a policy.

Note

Internal repositories have a minimum visibility level of read, even if the base permission has been set to none.

Enforcing a policy for repository creation

Across all organizations owned by your enterprise, you can allow members to create repositories, restrict repository creation to organization owners, or allow owners to administer the setting on the organization level.

If you allow members to create repositories in your organizations, you can choose which types of repositories (public, private, and internal) that members can create.

If your enterprise uses Enterprise Managed Users, you can also prevent users from creating repositories owned by their user accounts. If you allow users to create repositories owned by their user accounts, you can view and temporarily access those repositories at any time. For more information, see Viewing user-owned repositories in your enterprise and Accessing user-owned repositories in your enterprise.

Internal repositories are the default setting for all new repositories created in an organization owned by an enterprise account. For more information about internal repositories, see Creating a new repository.

Organization owners can always create any type of repository, and outside collaborators can never create any type of repository. For more information, see About repositories.

  1. In the top-right corner of GitHub, click your profile picture.

  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.

  3. At the top of the page, click Policies.

  4. Under " Policies", click Member privileges.

  5. Under "Repository creation", review the information about changing the setting. Optionally, to view the current configuration for all organizations in the enterprise account before you change the setting, click View your organizations' current configurations.

    Screenshot of a policy in the enterprise settings. A link, labeled "View your organizations' current configurations", is outlined.

  6. Under "Repository creation", select a policy.

  7. If you selected Members can create repositories, select one or more repository types.

  8. Optionally, if your enterprise uses Enterprise Managed Users and you want to prevent enterprise members from creating repositories owned by their user accounts, select Block the creation of user namespace repositories.

Enforcing a policy for forking private or internal repositories

Across all organizations owned by your enterprise, you can allow people with access to a private or internal repository to fork the repository, never allow forking of private or internal repositories, or allow owners to administer the setting on the organization level.

People with admin permissions can set a more granular forking policy. For more information, see Managing the forking policy for your organization.

Note

If your enterprise uses Enterprise Managed Users and your "Repository creation" policy prevents enterprise members from creating repositories owned by their user accounts, members will not be allowed to fork a repository in their user accounts, regardless of your "Repository forking" policy.

  1. In the top-right corner of GitHub, click your profile picture.

  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.

  3. At the top of the page, click Policies.

  4. Under " Policies", click Member privileges.

  5. Under "Repository forking", review the information about changing the setting. Optionally, to view the current configuration for all organizations in the enterprise account before you change the setting, click View your organizations' current configurations.

    Screenshot of a policy in the enterprise settings. A link, labeled "View your organizations' current configurations", is outlined.

  6. Under "Repository forking", select the dropdown menu and click a policy.

  7. If forking is enabled, select a policy for where users are allowed to fork repositories.

Enforcing a policy for inviting outside collaborators to repositories

Note

If your enterprise uses managed user accounts, the outside collaborator role is called "repository collaborator." Generally, the documentation for outside collaborators also applies to repository collaborators. For the distinctions that apply, see Roles in an organization.

Across all organizations owned by your enterprise, you can allow members to invite outside collaborators to repositories, restrict outside collaborator invitations to organization owners, restrict outside collaborator invitations to enterprise owners, or allow organization owners to administer the setting on the organization level.

  1. In the top-right corner of GitHub, click your profile picture.

  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.

  3. At the top of the page, click Policies.

  4. Under " Policies", click Member privileges.

  5. Under "Repository outside collaborators", review the information about changing the setting. Optionally, to view the current configuration for all organizations in the enterprise account before you change the setting, click View your organizations' current configurations.

    Screenshot of a policy in the enterprise settings. A link, labeled "View your organizations' current configurations", is outlined.

  6. Under "Repository outside collaborators", select the dropdown menu and click a policy.

Enforcing a policy for the default branch name

Across all organizations owned by your enterprise, you can set the default branch name for any new repositories that members create. You can choose to enforce that default branch name across all organizations or allow individual organizations to set a different one.

  1. In the top-right corner of GitHub, click your profile picture.
  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.
  3. At the top of the page, click Policies.
  4. Under " Policies", click Member privileges.
  5. Under "Default branch name", enter the default branch name that new repositories should use.
  6. Optionally, to enforce the default branch name for all organizations in the enterprise, select Enforce across this enterprise.
  7. Click Update.

Enforcing a policy for deploy keys

Across all organizations owned by your enterprise, you can allow members to create deploy keys in repositories, restrict deploy key creation, or allow owners to administer the setting on the organization level.

For more information about using deploy keys, see Managing deploy keys. If you want fine-grained control over permissions, consider using a GitHub App instead. See GitHub Apps overview.

Warning

Changing this setting to disabled will result in existing deploy keys being disabled in all repositories in the enterprise. Scripts, apps, or workflows that create, use, or delete deploy keys will no longer work.

  1. In the top-right corner of GitHub, click your profile picture.
  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.
  3. At the top of the page, click Policies.
  4. Under " Policies", click Member privileges.
  5. Under "Deploy keys", review the information about changing the setting, then select a policy.
  6. Click Save.

Enforcing a policy for changes to repository visibility

Across all organizations owned by your enterprise, you can allow members with admin access to change a repository's visibility, restrict repository visibility changes to organization owners, or allow owners to administer the setting on the organization level. When you prevent members from changing repository visibility, only enterprise owners can change the visibility of a repository.

If an enterprise owner has restricted repository creation to organization owners only, then members will not be able to change repository visibility. For more information, see Enforcing a policy for repository creation.

  1. In the top-right corner of GitHub, click your profile picture.

  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.

  3. At the top of the page, click Policies.

  4. Under " Policies", click Member privileges.

  5. Under "Repository visibility change", review the information about changing the setting. Optionally, to view the current configuration for all organizations in the enterprise account before you change the setting, click View your organizations' current configurations.

    Screenshot of a policy in the enterprise settings. A link, labeled "View your organizations' current configurations", is outlined.

  6. Under "Repository visibility change", select the dropdown menu and click a policy.

Enforcing a policy for repository deletion and transfer

Across all organizations owned by your enterprise, you can allow members with admin permissions to delete or transfer a repository, restrict repository deletion and transfers to organization owners, or allow owners to administer the setting on the organization level.

  1. In the top-right corner of GitHub, click your profile picture.

  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.

  3. At the top of the page, click Policies.

  4. Under " Policies", click Member privileges.

  5. Under "Repository deletion and transfer", review the information about changing the setting. Optionally, to view the current configuration for all organizations in the enterprise account before you change the setting, click View your organizations' current configurations.

    Screenshot of a policy in the enterprise settings. A link, labeled "View your organizations' current configurations", is outlined.

  6. Under "Repository deletion and transfer", select the dropdown menu and click a policy.

Enforcing a policy for deleting issues

Across all organizations owned by your enterprise, you can allow members with admin access to delete issues in a repository, restrict issue deletion to organization owners, or allow owners to administer the setting on the organization level.

  1. In the top-right corner of GitHub, click your profile picture.

  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.

  3. At the top of the page, click Policies.

  4. Under " Policies", click Member privileges.

  5. Under "Repository issue deletion", review the information about changing the setting. Optionally, to view the current configuration for all organizations in the enterprise account before you change the setting, click View your organizations' current configurations.

    Screenshot of a policy in the enterprise settings. A link, labeled "View your organizations' current configurations", is outlined.

  6. Under "Repository issue deletion", select the dropdown menu and click a policy.