Question: Is it possible to create tickets for a repo without granting read access to code?
If not, is the work around to create a repo just for tickets that everyone has access to? Is it even practical at this point?
Has anyone successfully pulled this off at their org?
Nice thinking.
> We create issues from a user form too!
This is where the money's at. I'm assuming this was done via Github API + Generated Token. I was thinking of something similar to this, however using a Slackbot.
To actually answer your question, you can have projects that span multiple repos, but you can't have repos that only have permissions for issues.
In my org, we have a few different repos for documentation + issues related to specific groups and utilize those repos heavily. We also have a couple code repos and anything specific to that codebase is stored there. We use zenhub though as well to help organize / track stuff.
Person might have been trustworthy when they were hired and they might change their mind at some point.
Even better - they still might be trustworthy but their computer got compromised and someone might be using them.
Maybe some other employee has problems with them and since they have access malicious employee can indicate trustworthy one in some way. Like posting copy of code somewhere online with nickname used by that one.
I know such things don’t happen often but even for mundane things like phone numbers you just don’t give phone number of your friend to a person you both know without asking that friend in first place.
There are very few use cases where I believe read only access to code from people in product, engineering or support should be restricted. Generally the net benefit is well worth the potential risk introduced.
If you are worried about people stealing source code, invest in a DLP or CASB solution. If you are worried about ransom, don’t allow changes without PRs, implement a backup program and harden your endpoints. Not allowing people to do things that helps them understand the systems they work with is a recipe for shadow IT and promotes organizational silos.
Team of 8 devs + other supporting roles. Devs are happy with it, PM and portfolio management not so much, as you loose a lot and GitHub projects is still fairly new.
Why did we do this? We were acquired and the new corporate has different ideas and we lost Jira. Project managers end up manually syncing status of epic tickets between GitHub and their project management tools. We make it work, but much more labour intensive the Jira+Jira Portfolio
Google seems to document everything in repo - which is brilliant since it can be reviewed, you can ask PR author to update doc and hence less likely to go out of sync.
Exactly.
There should be plenty of open source alternatives, and the times are really bad now to justify expenses like this.
