When we create a project, we are so focused on the project itself that we forget to think about its Github repository configuration. Actually, I believe we shouldn't bother with it by hand at all, but instead build a tool to automate that process and ensure our zillion projects follow a standard setup.
One small mistake, such as configuring a company repository as public, could expose loads of private and critical content to the whole world. In this post, I would like to share how you can create a tool to handle repository configuration using PyGithub, and show some useful configurations.
You can easily build a CLI or a Lambda function using PyGithub. I created a Lambda function at Gousto to help engineers set up Github repositories, for two main reasons:
- Easy access: engineers can easily invoke Lambda functions from either a terminal or the AWS console.
- Security: we want to keep the token used to access the Github API in a safe place (AWS Parameter Store) and ensure that all engineers use the same one.
To get started with PyGithub, we need to create an access token by following the step-by-step guide on Creating a Personal Access Token. With a token in hand, we can instantiate a Github object, which works as an interface to the Github API.
Creating a Repository
To create a repository, we need to instantiate an Organization object, which provides the create_repo method. We can configure a bunch of attributes such as name, description, homepage, .gitignore template and repository visibility. You can check the full list of attributes here.
As we are a private organization, we configure repositories as private by default, as shown in the code snippet below.
Branch Protection Rules
This is a nice Github feature that helps us enforce a certain workflow for one or more branches, such as requiring an approving review or passing status checks for all pull requests. In the example below, a pull request can only be merged into BRANCH_DEVELOP if all CircleCI jobs succeed.
Please check out Branch.edit_protection for a full list of attributes that can be configured.
Who can access a repository? What are the permissions for users and teams? Github allows us to define the following permissions per person or team.
- pull - team members can pull, but not push to or administer a repository.
- push - team members can pull and push, but not administer a repository.
- admin - team members can pull, push and administer a repository.
- maintain - team members can manage the repository without access to sensitive or destructive actions.
- triage - team members can proactively manage issues and pull requests without write access.
In the example below, every squad in the company has a corresponding team on Github, and the developers team contains all engineers in the company. We grant admin access to the squad's team and push access to the others.
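The three steps above (private repository creation, branch protection on BRANCH_DEVELOP, team permissions) put together as one PyGithub function. This is an added example, not the post's Lambda or Gousto's code; the organisation name, team slugs and CircleCI status-check context names are constructed placeholders, and the token is read from an environment variable rather than AWS Parameter Store.

```python
import os

BRANCH_DEVELOP = "develop"  # branch protected in the post; created below from the default branch

# Constructed defaults (not from the post): team slugs and CircleCI status-check
# context names are placeholders, override them per repository.
DEFAULTS = {
    "squad_team": "platform-squad",
    "developers_team": "developers",
    "required_checks": ["ci/circleci: build", "ci/circleci: test"],
}


def configure_repository(org, name, description="", **overrides):
    """Create `name` in `org` privately, protect BRANCH_DEVELOP, grant team access.

    `org` is a PyGithub Organization (or any object exposing the same methods),
    so the same function can back a CLI or a Lambda handler.
    """
    cfg = {**DEFAULTS, **overrides}

    # 1. Private by default, so a forgotten flag cannot make company code public.
    #    auto_init gives the repository a first commit and hence a default branch.
    repo = org.create_repo(
        name,
        description=description,
        private=True,
        auto_init=True,
        gitignore_template="Python",
    )

    # 2. Create BRANCH_DEVELOP from the default branch, then require every listed
    #    status check to pass on an up-to-date branch (strict=True) plus one
    #    approving review before a pull request can be merged; admins included.
    base = repo.get_branch(repo.default_branch)
    repo.create_git_ref(f"refs/heads/{BRANCH_DEVELOP}", base.commit.sha)
    repo.get_branch(BRANCH_DEVELOP).edit_protection(
        strict=True,
        contexts=cfg["required_checks"],
        required_approving_review_count=1,
        enforce_admins=True,
    )

    # 3. Permissions go to teams, never individuals: the owning squad administers
    #    the repository, the company-wide developers team can push.
    org.get_team_by_slug(cfg["squad_team"]).update_team_repository(repo, "admin")
    org.get_team_by_slug(cfg["developers_team"]).update_team_repository(repo, "push")
    return repo


if __name__ == "__main__":
    from github import Github  # PyGithub

    client = Github(os.environ["GITHUB_TOKEN"])  # token from the environment in this example
    configure_repository(client.get_organization("example-org"), "demo-service")
```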
- PyGithub has great documentation, but sometimes it is worth checking the Github API directly to figure out some attributes.
- Build a tool with some default values, but allow users to customise some arguments.
- Create configuration applicable to teams instead of individuals; admin work can grow exponentially if you need to set up rules for each member of an organisation.
- Create a company token to access Github API and store that in a safe place.
This post shows how to create some tooling to configure Github repositories using PyGithub, with a couple of simple but powerful setups. I hope this helps you get started with your own Python project and ensure your zillion projects follow the same standard.
Have an interesting configuration for your repositories? Don’t hesitate to share that on the comments ☺