GitHub Enterprise administration resources
This post links to all the publicly-accessible GitHub content I’ve written, coded, or talked to.1 I’ve left GitHub. As this website is mostly things I’m learning and making repeatable (e.g., things built/learned from common customer conversations), expect less GitHub-focused content moving forward.2 I’d like to un-pin a lot of things here to make room for ✨ new adventures ✨ without leaving a huge chunk of traffic to this site reliant on searching or bookmarks.
- ⚡ Actions talks, writings, and projects
- 💼 Business stuff - chargebacks, license/cost management, the costs of builds
- 🔐 Security projects mostly related to Advanced Security features
- 👩💻 Administration general admin tools in the toolbox
- 📊 Diagrams random diagrams I’ve made and used
GitHub Actions
- Architecture guide to self-hosted GitHub Actions runners - when you absolutely, positively have to host it yourself, here’s some help!
- Threat modeling the GitHub Actions ecosystem - understand and secure the most critical part of your software supply chain - where you build and ship your code! (from BSides Boulder 2023)
- Securing self-hosted GitHub Actions with Kubernetes and actions-runner-controller - self-hosted GitHub Actions runners and Kubernetes are a natural fit - let’s put them together securely. (from CNCF CloudNativeSecurityCon 2023)
- Kubernoodles - my demo and reference architecture for using actions-runner-controller in the enterprise. I’ll likely still keep this up to date from time to time.
- Skilled teleportation - a GitHub Action to bundle up Actions on the marketplace to fling across an airgap and import into GitHub Enterprise Server.
- Runner reaper - a GitHub Action to remove unresponsive or offline self-hosted runners.
Business
- Chargeback (pass through) billing - know who’s using what within your Enterprise account.
- Cost of waiting on builds - the most underrated cost of continuous integration
- GitHub blog post
- Business-tagged posts, as I’ve revisited this several times now
- Don’t show me your intricate cost comparison spreadsheet - it’s never the right place to start a discussion.
Security
- GHAS to CSV exports your Dependabot, secret scanning, and code scanning results across a repository, all repositories in an organization, or everything in your enterprise. (now owned by GitHub’s field team)
- Enterprise security team is a set of scripts to create and manage a uniform team of people on all organizations in your enterprise that has the security manager role. (now owned by GitHub’s field team)
- CodeQL in container builds explains how to use CodeQL inside of a container with or without GitHub Actions.
- Dependabot on RedHat Enterprise Linux walks through setting up self-hosted Actions runners for GitHub Enterprise Server to automatically updating your dependencies with Dependabot.
- Don’t scan your code on every push to save build resources without compromising your application security posture.
- Stop using ITSM for application security - a (mostly tame) rant, with stories, about how using an ITSM system to manage application security alerts causes way more harm than good.
Administration
Part of all those years of experience is a ton of small scripts and other tidbits of reusable code. Most of these were parts of proof of concepts, designed to be added into other playbooks for a larger task.
- gh-org-admin-promote - a GitHub CLI extension to promote an enterprise administrator to organization owner for all organizations in the enterprise.
- get-ghes-reports.py - GitHub Enterprise Server has several reports available for enterprise admins. This script simply grabs the one you want programmatically and saves it to disk.
- ghes-ghas-licenses.py - Outputs a CSV file of who’s using your Advanced Security licenses, on what repo, and when they last pushed to each one. The number of licenses in use is the sum of unique users.3
-
ghes-suspend-all-dormants.py - Grabs the
dormant_users
report, then suspends all the users in it over the API. - git-history-report.sh - Outputs a CSV file of change sums to the main branch, whether or not it was a signed commit, and (optionally) outputs the diff of each commit to a file in an adjacent folder. Reproduces a “chain of custody” type of report.
- gitlog-to-csv - same as above, but as a GitHub Action.
- is-github-ip.py - checks if a given IP address presently belongs to GitHub.com using the API.
- lfs-export.py - GitHub Enterprise Server migrations don’t export (or import) LFS data. This iterates over all repositories in an organization to grab that and shove it into a directory to fling wherever it needs to go.
- search.py - Iterates through the search API on GHES en masse for a given string. Does not capture non-default branches, comments, commit messages, PR content, issues, discussions, etc., as best as I’m aware.
-
GHES SQL queries - ⚠️ danger zone ⚠️ Never run these against your appliance, instead use a backup restoration as outlined in the usage directions . Even then, there is NO guarantee of schema stability between versions of GHES. You can waste a lot of time here.
- audit queries return lists of credentials, their scope and age and owner, and more.
- metrics queries summarize usage metrics such as global language use, PR and issue activity, and more.
- security queries should be deprecated in favor of using something like ghas-to-csv to scrape the API instead. This API didn’t exist when I was creating these queries.
Diagrams
Typical deployment of GHES and supporting architecture with basic data segregation.
graph RL
A(fab:fa-github GitHub Enteprise Server<br>high availability pair) --> C{load balancer}
G(MinIO for Actions+Packages) --> A
H(Kubernetes cluster<br>for Actions) --> A
K(Artifact repository) <--> H
L(Deployment targets) <--> H
A --> Z{WAF, DPI}
B(fa:fa-hard-drive Backup utilities) --> A
C <-->|HTTPS, SSH| D(endpoints on VPN)
C <-->|HTTPS, SSH| E(private cloud)
C <-->|HTTPS, SSH| F(on-prem datacenter)
Z <-->|HTTPS only<br>ghes-fqdn/org-team-A| Y(CIDR block<br>for team A)
Z <-->|HTTPS only<br>ghes-fqdn/org-team-B| X(CIDR block<br>for team B)
Z <-->|HTTPS only<br>ghes-fqdn/org-team-C| W(CIDR block of external integration<br>needed by team C)
Z --> |HTTPS| I(fas:fa-cloud GitHub Connect<br>internet)
Disclosure
As it’s always been, all opinions here are my own and not any past, present, or future employer.
Footnotes
-
All that I’ve found, anyways … I may sort through all of my gists and such at some point too and add even more to this. 🙈 ↩
-
I’m now exploring software supply chain security - using GitHub is still a huge part of my professional life. Most learning happens on the job and for the first time in 9 years, directly leading or advising on GitHub as a software factory within a gigantic heavily-regulated enterprise isn’t part of that. I have lots of feelings about this, but probably won’t write about that anytime soon. Right now, I’m looking forward to diving headfirst into a new adventure. 🚀 ↩
-
Astute admins know this report exists already, but it’s buried in stafftools. There’s no way to download this file programmatically, so this uses the API to reconstruct it. Run gh-org-admin-promote first to get everything in the enterprise. ↩