Repo sync #35055

Merged: 2 commits, Oct 23, 2024
Expand Up @@ -151,6 +151,24 @@
1. Optionally, to enforce the default branch name for all organizations in the enterprise, select **Enforce across this enterprise**.
1. Click **Update**.

{% ifversion deploy-keys-enterprise-org-policy %}

## Enforcing a policy for deploy keys

Across all organizations owned by your enterprise, you can allow members to create deploy keys in repositories, restrict deploy key creation, or allow owners to administer the setting on the organization level.

For more information about using deploy keys, see "[AUTOTITLE](/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys)." If you want fine-grained control over permissions, consider using a {% data variables.product.prodname_github_app %} instead. See "[AUTOTITLE](/apps/overview)."

> [!WARNING]
> Changing this setting to disabled will result in **existing deploy keys being disabled** in all repositories in the enterprise. Scripts, apps, or workflows that create, use, or delete deploy keys will no longer work.

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
{% data reusables.enterprise-accounts.repositories-tab %}
1. Under "Deploy keys", review the information about changing the setting, then select a policy.
1. Click **Save**.
{% endif %}

## Enforcing a policy for changes to repository visibility

Across all organizations owned by your enterprise, you can allow members with admin access to change a repository's visibility, restrict repository visibility changes to organization owners, or allow owners to administer the setting on the organization level. When you prevent members from changing repository visibility, only enterprise owners can change the visibility of a repository.
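Review bot: the first paragraph of the new "Enforcing a policy for deploy keys" section describes the policy only in terms of creating deploy keys, but the warning a few lines below says that disabling the setting also disables every existing deploy key in the enterprise; state both effects up front, e.g. "restrict deploy key creation (which also disables existing deploy keys)", so an owner scanning the options list is not surprised by the lockout of scripts and workflows the warning mentions. The step "review the information about changing the setting, then select a policy" could also name the three policy values the intro lists, so the UI choice maps onto the description.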
Expand Down Expand Up @@ -219,7 +237,7 @@
1. Under "Allow members to see the comment author's profile name in public and internal repositories", select the dropdown menu and click a policy.
1. Optionally, to enforce the display of profile names for all repositories in your enterprise, select **Enforce for all repositories on the instance**.

![Screenshot of the "Allow members to see the comment author's profile name in public and internal repositories" policy section. The "Enforce on all repositories" checkbox is highlighted with an orange outline.](/assets/images/enterprise/site-admin-settings/enforce-for-all-repositories-option.png)

Lint annotation (GitHub Actions / lint-content) on line 240 of content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md: "Images alternate text should be between 40-150 characters"; image alternate text is 208 characters long.

{% endif %}
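Review bot: the changed image line (line 240 of the file) carries 208 characters of alt text, which trips the lint-content rule that alt text be 40-150 characters; the trailing sentence about the orange outline is what pushes it over, and something like `![Screenshot of the policy for showing comment authors' profile names, with the "Enforce on all repositories" checkbox outlined.](/assets/images/enterprise/site-admin-settings/enforce-for-all-repositories-option.png)` stays within the limit. Also, the checkbox label quoted in the alt text ("Enforce on all repositories") does not match the label in the step just above it ("Enforce for all repositories on the instance"); one of the two should be corrected to match the actual UI.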

Expand Down Expand Up @@ -317,7 +335,7 @@
{% data reusables.enterprise_site_admin_settings.admin-top-tab %}
1. Under "Danger Zone", next to "Enable Anonymous Git read access", click **Enable**.

![Screenshot of the "Danger Zone" section of a repository's site admin settings. To the right of "Enable anonymous Git read access", the "Enable" button is highlighted with an orange outline.](/assets/images/enterprise/site-admin-settings/site-admin-enable-anonymous-git-read-access.png)

Lint annotation (GitHub Actions / lint-content) on line 338 of content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md: "Images alternate text should be between 40-150 characters"; image alternate text is 189 characters long.
1. Review the changes. To confirm, click **Yes, enable anonymous Git read access.**
1. Optionally, to prevent repository admins from changing this setting for this repository, select **Prevent repository admins from disabling anonymous Git read access**.
{% endif %}
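Review bot: the changed image line here (line 338 of the file) has the same problem as the earlier one, 189 characters of alt text against the 150-character lint limit; a shorter form such as `![Screenshot of a repository's site admin "Danger Zone", with the "Enable" button for anonymous Git read access outlined.](/assets/images/enterprise/site-admin-settings/site-admin-enable-anonymous-git-read-access.png)` keeps the essential information. The capitalization also differs between the step ("Enable Anonymous Git read access") and the alt text ("Enable anonymous Git read access"); pick the one that matches the UI and use it in both places.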
Expand Up @@ -69,6 +69,8 @@ See [our guide on creating a {% data variables.product.pat_generic %}](/authenti

{% data reusables.repositories.deploy-keys-write-access %}

For enhanced security and fine-grained control over repository access and permissions, we recommend using a GitHub App instead. See "[AUTOTITLE](/apps/creating-github-apps/about-creating-github-apps/deciding-when-to-build-a-github-app#github-apps-offer-enhanced-security)."

### Pros of deploy keys

* Anyone with access to the repository and server has the ability to deploy the project.
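Review bot: the added paragraph writes "GitHub App" as a literal string, whereas every other place this PR names the product (the enterprise policy section, the security best-practices table, the new organization article) uses the `{% data variables.product.prodname_github_app %}` variable; use the variable here as well so the name renders consistently across versions. "we recommend using ... instead" is also stronger than the "consider using ... instead" wording in the two policy articles; align the two unless the stronger recommendation is intended here.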
Expand All @@ -79,10 +81,16 @@ See [our guide on creating a {% data variables.product.pat_generic %}](/authenti

* Deploy keys only grant access to a single repository. More complex projects may have many repositories to pull to the same server.
* Deploy keys are usually not protected by a passphrase, making the key easily accessible if the server is compromised.
* If the user who created the deploy key is removed from the repository, the deploy key will still be active as it isn't tied to the specific user, but rather to the repository.
* Deploy keys are credentials that don't have an expiry date.
* Deploy keys aren't linked directly to organization membership. If the user who created the deploy key is removed from the repository, the deploy key will still be active as it isn't tied to the specific user, but rather to the repository.

### Set up deploy keys

{% ifversion deploy-keys-enterprise-org-policy %}

> [!NOTE] If your organization is owned by an enterprise, and your enterprise owner has restricted the use of deploy keys in repositories, then you cannot override the policy in your organization to create a deploy key. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deploy-keys)."
{% endif %}

1. [Run the `ssh-keygen` procedure][generating-ssh-keys] on your server, and remember where you save the generated public and private rsa key pair.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
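Review bot: the added `> [!NOTE]` puts its text on the same line as the marker, while the `> [!WARNING]` callouts added elsewhere in this PR (enterprise and organization policy articles) put the marker on its own line and the text on the following `>` line; use the same two-line form here for consistency across the three files. In the new bullet "Deploy keys aren't linked directly to organization membership. If the user who created the deploy key is removed from the repository, ...", the second sentence is carried over verbatim from the bullet it replaces, which is fine, but the comma before "but rather to the repository" should go.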
Expand Up @@ -52,6 +52,9 @@ Disable the ability to fork repositories. | "[AUTOTITLE](/repositories/managing-
Disable changing repository visibility. | "[AUTOTITLE](/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization)"
Restrict repository creation to private or internal. | "[AUTOTITLE](/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization)"
Disable repository deletion and transfer. | "[AUTOTITLE](/organizations/managing-organization-settings/setting-permissions-for-deleting-or-transferring-repositories)"
| {% ifversion deploy-keys-enterprise-org-policy %} |
Disable the ability to use deploy keys. | "[AUTOTITLE](/organizations/managing-organization-settings/restricting-deploy-keys-in-your-organization)"
| {% endif %} |
Scope {% data variables.product.pat_generic %}s to the minimum permissions necessary. | None
Secure your code by converting public repositories to private whenever appropriate. You can alert the repository owners of this change automatically using a {% data variables.product.prodname_github_app %}. | [Prevent-Public-Repos](https://github.com/apps/prevent-public-repos) in {% data variables.product.prodname_marketplace %}
Confirm your organization’s identity by verifying your domain and restricting email notifications to only verified email domains. | "[AUTOTITLE](/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization){% ifversion ghec or ghes %}" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization){% endif %}"{% ifversion fpt or ghec %}
Expand Up @@ -31,6 +31,7 @@ children:
- /enabling-or-disabling-github-discussions-for-an-organization
- /managing-discussion-creation-for-repositories-in-your-organization
- /managing-the-commit-signoff-policy-for-your-organization
- /restricting-deploy-keys-in-your-organization
- /setting-team-creation-permissions-in-your-organization
- /creating-an-announcement-banner-for-your-organization
- /managing-scheduled-reminders-for-your-organization
@@ -0,0 +1,28 @@
---
title: Restricting deploy keys in your organization
intro: To protect your organization's data, you can configure permissions for creating deploy keys in your organization.
permissions: Organization owners.
versions:
feature: deploy-keys-enterprise-org-policy
topics:
- Organizations
- Policies
shortTitle: Restrict deploy keys
---

You can choose whether members can create deploy keys for repositories in your organization.

By default, new organizations are configured to disallow the creation of deploy keys in repositories.

Organization owners can restrict the creation of deploy keys to help prevent sensitive information from being exposed. For more information, see "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" and "[AUTOTITLE](/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys)." If you want more fine-grained control over permissions, consider using a {% data variables.product.prodname_github_app %} instead. See "[AUTOTITLE](/apps/overview)."

If your organization is owned by an enterprise account, you may not be able to configure this setting for your organization, if an enterprise owner has set a policy at the enterprise level. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deploy-keys)."

> [!WARNING]
> Changing this setting to disabled will result in **existing deploy keys being disabled** in all repositories in the organization. Scripts, apps, or workflows that create, use, or delete deploy keys will no longer work.

{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.profile.org_member_privileges %}
1. Under "Deploy keys", review the information about changing the setting, click **Enabled** or **Disabled**.
1. Click **Save**.
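Review bot: the final step ("review the information about changing the setting, click **Enabled** or **Disabled**") is missing "then" before "click", unlike the matching step in the enterprise article ("then select a policy"). The warning block is word-for-word the enterprise article's warning with "enterprise" swapped for "organization"; a shared `{% data reusables.* %}` include, with the scope as the only variable, would keep the two in sync when the behaviour or wording changes. Also drop the comma in "you may not be able to configure this setting for your organization, if an enterprise owner has set a policy", and note that the intro claims new organizations disallow deploy key creation by default, which should be double-checked against the feature description in data/features/deploy-keys-enterprise-org-policy.yml ("can now be disabled by default by enterprise policy") so the two do not describe the default differently.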
5 changes: 5 additions & 0 deletions content/rest/deploy-keys/deploy-keys.md
Expand Up @@ -20,6 +20,11 @@ autogenerated: rest

Deploy keys can either be set up using the following API endpoints, or by using the {% data variables.product.company_short %} web interface. To learn how to set deploy keys up in the web interface, see "[AUTOTITLE](/authentication/connecting-to-github-with-ssh/managing-deploy-keys)."

{% ifversion deploy-keys-enterprise-org-policy %}

You may be unable to create deploy keys if your organization or enterprise owner has set a policy to restrict their use. Furthermore, if this policy is enabled at the organization or enterprise level, existing deploy keys may be disabled. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deploy-keys)" and "[AUTOTITLE](/organizations/managing-organization-settings/restricting-deploy-keys-in-your-organization)."
{% endif %}

There are a few cases when a deploy key will be deleted by other activity:

* If the deploy key is created with a {% data variables.product.pat_generic %}, deleting the {% data variables.product.pat_generic %} will also delete the deploy key. Regenerating the {% data variables.product.pat_generic %} will not delete the deploy key.
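Review bot: the added REST note hedges with "existing deploy keys may be disabled", while both the enterprise and organization warnings in this PR state flatly that disabling the setting "will result in existing deploy keys being disabled"; align the REST page with that wording (or soften the warnings) so API users and UI users get the same expectation about existing keys.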
5 changes: 5 additions & 0 deletions data/features/deploy-keys-enterprise-org-policy.yml
@@ -0,0 +1,5 @@
# Reference: #15666
# Repo deploy keys can now be disabled by default by enterprise policy [GA]
versions:
ghec: '*'
ghes: '>= 3.16'
8 changes: 8 additions & 0 deletions src/ghes-releases/lib/enterprise-dates.json
Expand Up @@ -170,5 +170,13 @@
"3.18": {
"releaseDate": "2025-08-05",
"deprecationDate": "2026-08-26"
},
"3.19": {
"releaseDate": "2025-11-11",
"deprecationDate": "2026-12-02"
},
"3.20": {
"releaseDate": "2026-02-17",
"deprecationDate": "2027-03-10"
}
}