Running Notes document

[terrywbrady]

additional notes will be added as comments to this issue

1-17-2025
Tokens
Tokens are at a personal level, not an organization level (Enterprise might offer an org level token)
Classic Token; fine-grained still in preview - set it to never expire
limit what it can do, only do pulls, not pushes, have to go fine-grained.
Walked through the process of creating a token for the UC3 organization
As a regular user (not administrative user; i.e. owner in Github speak)
For repositories, did content and for oreganization did a list of members
Terry then shared his screen to see what it looks like in UC3 organization
cfthompson - isn't an owner in UC3 org so
git credentials file - don't have to type in credentials used over HTTPS (classic tokens are ghp)
can use a token as a password which is a feature in git
recommend people use fine-grained tokens (referred to as *_PAT)
Classic ones are still being used for pushing/pulling/creating tokens since fine-grained aren't understood. Fine grained are used for automation
Colin has a page in confluence with token information that he has created IAS Github Tokens
ssh keys are discouraged due to lack of expiration;; no rotation
https://github.blog/security/application-security/improving-git-protocol-security-github/
Authentication:
autheticate to github and then use Github to authenticate/access areas of Github
could use better understanding/explanation of this

12-20-24 Meeting Notes

• Marisa to Define categories of work (onboarding, best practices). Break out into groups for different work areas (appetizer vs 2-pizza team)
• Billing & Administration
• Onboarding
• Development Practices
• Roles and Access for individuals vs teams

Terry suggested we all talk thought how we all use Github

We took a step back to get Chad caught up and shared more context about what we are trying to accomplish with this group.
Terry had a nice framing of what we can do in Github even though we don't have an Enterprise account.
Chad will be onboarding a new developer so can work on the onboarding piece.

• invite IAS to our meetings on the new year

Github Accounts

• Administrative accounts; we need a shared account to allow for more than one person to have administrative access to manage the Github organization

Lam
Sharing - add collaborators (read access) to a repository

• Charlie suggested using a jist

[marisastrong]

1-31-2025

• Reviewed Terry’s updates to the README file on tokens, etc
  • Classic token - old token
  • fine grained tokens no longer require an expiration date!
  • “Behaviors” github actions such as list repositories
  • everyone feel free to review/add as necessary
• Document how to onboard a new developer #3 - Chad will include onboarding to README
• Discussed static analysis code security tool
  • AWS QDeveloper - plan was to use CodeGuru Security -
  • Github solution is CodeQL - advanced security which requires Enterprise license
  • suggest all dev teams using staff time to replicate that kind of work, log that and see how many hours we spend time on this
  • Static analysis on CloudFormation, Ruby and Python - if CodeQL does this for us then this would be worth it.
  • Currently we use Trivvy and Inspector to check for vulnerabilities
• Communications to Github Users #1
  • TechX - Github Show&Tell suggested
  • Determine if Feb or Mar will work for presenters

[dmstretton]

2-28-2025

• Thanks for the GitHub show and tell at last week's Tech X
• Additional demonstration about how Colin handles meeting notes and recurring issues

Enterprise

• Marisa met with Southern Methodist Univ about GitHub Campus Program
• Could be cloud or self-hosting, thinking we would want cloud
• Also, do we use SSO and allow personal accounts, or only UCOP accounts if we do this
• https://docs.github.com/en/enterprise-cloud@latest/admin has good documentation on to decide if Enterprise is right for you.
• What if GCP/Enterprise-for-free went away or started charging a significant amount of money
  • SMU has been on Github Campus Program for 5 years
• Concerns of hesitations about going for Campus plan?
  • feeling positive
  • will be some administrative overhead, more features to manage and understand
  • we would have to submit a ticket to bring in multiple organizations under one enterprise instance
  • do we need all of our code to reside in a certain space? compliance issues? if so we would need to use SSO
  • Charlie's ticket for sharing code with outside collaborators - might be good to know before going to Enterprise. Current sharing and collaborators is limited
  • Advanced Security
  • manage users (SSO) restricts you so may want to stick with personal accounts
  • Create a presentation about the pros and cons of going to this to get buy in before going forward?
  • Marisa will start putting together that document - present at the tech council and get input from IAS about advanced features before presenting to tech council