Add repository permissions to custom organization roles

You can now add repository permissions to custom organization roles, granting a specific level of access to all the repositories in your organization.

This builds on the release of organization-wide permission grants in GitHub’s pre-defined organization roles. These updates enable admins to easily scale access management across large teams and organizations.

Creating a custom organization role using the new repository permissions. The role is based on the Write base role, and adds 3 permissions - delete issues, request solo merge, and update repo properties

Using repository permissions in organization roles

Organization roles do not have to contain organization permissions (i.e. read_org_audit_log) in order to include a repository role and permissions (i.e. close_issue). This lets you create your own versions of the pre-defined organization base roles like Write or Triage, assigning those roles to everyone in your organization to ensure a set standard of access that matches your requirements.

A popular use case is to create elevated roles for your on-call rotation. For instance, a role based on Write with the “Jump the merge queue” and “Request a solo merge” repository permissions added so that your on-call team can get that fixed quickly. Using the APIs you can automate assignment of this role to your current on-call, granting them those elevated permissions as a break-glass or shift-based privilege.

Managing repository access

Both the UI for organization role creation and the REST API have been updated to support repository permissions.

In addition, we’ve updated the repository access management page to distinguish between access granted by the repository owner to a user or team versus organization-wide grants made by the organization owner. This helps explain how a user got access to a specific repository.

The new repository collaborators view, showing the organization based access.

For more information, see GitHub’s documentation as well as the REST API methods for automating role creation and assignment.

Unkey is now a GitHub secret scanning partner

For Unkey users, GitHub secret scanning now scans for Unkey tokens to help secure your public repositories. Unkey’s Root API Key enables users to create and manage Unkey resources including APIs, API keys, global rate limiting, and access controls. GitHub will forward any exposed tokens found in public repositories to Unkey, who will then revoke the compromised tokens and notify the affected users. Read more information about Unkey tokens.

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

GitHub Advanced Security customers can also scan for and block Unkey tokens in their private repositories.

See more

Secret scanning fine-grained permissions for bypasses

You can now grant fine-grained permissions to review and manage push protection bypass requests within your organization.

Anyone with this permission will have the ability to approve and manage the list of bypass requests. You can still also grant these permissions by adding roles or teams to the “Bypass list” in your code security and analysis settings.

Next month, GitHub will be removing custom role support from the bypass list along with this change. To avoid disruption, existing custom roles that were added as bypass reviewers previously will be granted the fine grained permissions to review and manage bypass requests.

Delegated bypasses for secret scanning push protection allow organizations and repositories to control who can push commits that contain secrets. Developers can request approval from authorized users to push a blocked secret.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in the dedicated GitHub community discussion or signing up for a 60 minute feedback session.

See more
View all changes