Indent for GitHub: Temporary Code Permissions

Written by Indent (@indent), 7 months ago

Once a GitHub repo crosses a few hundred stars and dozens of contributors, it’s hard to know each contributor and what kind of access they need to the project.

The larger the community, the bigger the problems:

“In the world of open source, getting GitHub permissions right can be really tricky. In the Next.js community we have a variety of contributors: core maintainers, Vercel employees, regular external contributors, and developers using Next.js who might just give feedback or submit a PR every once in a while. The complexity adds up pretty fast.”

Tim Neutkens
Engineering Manager / Project Lead, Next.js

External and one-time contributors can open pull requests from their own branch and use the Contributor License Agreement Assistant to take care of any legal requirements.

What about contributors working on this full-time? Should they have Write or Admin permissions on the repo so they can make fixes without getting blocked? What about branch protection rules?

With the Admin permission, they can:

  • Delete any issue or pull request in the repo
  • Bypass branch or deployment protection rules
  • Make a public repo private (or private repo public)
  • Delete or transfer the repo out of the organization
  • Manage repository access, including adding/removing other Admins

From a security best practices standpoint, contributors should only get permissions for the period of time they actively need them.

When access is handled in this least-privilege model, it protects the project from being compromised by malicious actors and also from unintentional updates. Project leads are busy though. They don’t have time to manually update contributor permissions all the time.

Announcing Indent for GitHub

Today we’re excited to announce Indent’s native GitHub integration for managing on-demand codebase permissions using GitHub Teams.

Using Indent for GitHub, you can:

  • Grant temporary admin or branch rule bypass privileges
  • Request team membership via Slack (using /access command)
  • Approve requests and set durations from Slack, web, or email
  • Log who had which permissions, for how long, and why
  • Auto-expire permissions and revoke team membership but provide fast turnaround for access renewal

This allows every project to increase their security by:

  • Automating access workflows that enforce security best practices
  • Documenting changes with an audit trail for security and compliance
  • Eliminating standing privileged access for contributors, reducing potential breach risk

Indent’s free tier makes it easy for open-source projects and teams to secure their codebase. Here's what an access request looks like:

[Image: an Indent access request]

You can install it today from the GitHub Marketplace. If you have any questions about setting up access control, feel free to reach out!

Next.js, the Secure Frontend Framework

The Next.js project, run by Vercel, has over 2,700 contributors across the world and a core team of 20 who work on it full-time. This is the workflow for an example contributor to their project.

Engie Engineer is a (hypothetical) member of the Next.js team and needs to approve a PR that’s currently blocked by a branch protection rule tripping over a known-flaky test.

They open Slack, enter /access, and request membership in the @vercel/nextjs-bypass team, citing the PR they are going to review as the reason and requesting access for the next hour.

Engie’s request gets routed according to the project’s policies to Tim, the project lead. Tim is on a train with a spotty connection when he receives the Slack notification from Indent.

Thankfully, Tim can approve and grant access directly from the notification in Slack from his phone. Engie is notified and able to bypass the branch protection rule for the next hour.

At the one-hour mark, Indent automatically removes Engie from the GitHub team. All the access and approval events get logged in a queryable way for security and compliance to review later.
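The expiry step of this walkthrough, sketched as an added example (not Indent's code): a sweep over a hypothetical grant ledger that, once a grant's duration has elapsed, emits the GitHub REST call that removes the team membership together with an audit record. The `Grant` fields, the `engie` and `tim` logins, the reason text and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """One approved, time-boxed GitHub team membership (hypothetical ledger record)."""
    user: str
    org: str
    team_slug: str
    approver: str
    reason: str
    granted_at: datetime
    duration: timedelta

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + self.duration


def sweep(grants, now):
    """Return (still_active, revocations) for the grants as of `now`.

    Each revocation pairs the GitHub REST call that removes the team
    membership with the audit record: who, which team, how long, and why.
    """
    active, revocations = [], []
    for g in grants:
        if now < g.expires_at:
            active.append(g)
            continue
        revocations.append({
            "request": ("DELETE", f"/orgs/{g.org}/teams/{g.team_slug}/memberships/{g.user}"),
            "audit": {
                "user": g.user, "team": f"{g.org}/{g.team_slug}",
                "approver": g.approver, "reason": g.reason,
                "granted_at": g.granted_at.isoformat(),
                "revoked_at": now.isoformat(),
                "granted_minutes": int(g.duration.total_seconds() // 60),
            },
        })
    return active, revocations


# Constructed sample data: the hypothetical contributor from the walkthrough.
T0 = datetime(2023, 1, 1, 9, 0, tzinfo=timezone.utc)
LEDGER = [Grant("engie", "vercel", "nextjs-bypass", "tim",
                "review PR blocked by flaky test", T0, timedelta(hours=1))]

if __name__ == "__main__":
    for minutes in (59, 60):
        active, revoked = sweep(LEDGER, T0 + timedelta(minutes=minutes))
        print(minutes, len(active), [r["request"] for r in revoked])
```

Running the sweep on a schedule and keeping the audit records append-only gives reviewers both the removal and the evidence of who approved it and why.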

“Using on-demand codebase permissions gives us the greatest amount of security and flexibility as a project, so when people need elevated access, we’re able to give them what they need, quickly and revoke automatically.”

Tim Neutkens
Engineering Manager / Project Lead, Next.js

Getting Started

Ready to start granting access like the Next.js project? Here’s what you’ll need to do to get on-demand access set up.

  1. Create GitHub Teams
    • First you’ll need to create GitHub Teams that correspond to different types of contributor roles. Some examples include managing issues, creating branches, approving PRs as CODEOWNER, etc.
  2. Create an Indent Account
    • Next you’ll need to create an Indent account. We’re big advocates for open source and think good security should always be accessible.
    • Indent is free forever for open-source projects. There’s a free tier and 30 day trial for other organizations.
  3. Install Indent for GitHub
    • During set up you’ll connect Indent with your messaging tools like Slack.
    • At this point you can also start connecting Indent to your other tools, including GitHub. Once you’ve connected GitHub you’ll need to create a resource for each GitHub Team and assign one or more reviewers.

Indent can also help manage access to your production infrastructure like AWS, GCP, or Azure. Many teams also choose to set up on-call auto approvals with our PagerDuty, Opsgenie, and Incident.io integrations.

Want to see a demo first or have a guided onboarding? Our team is happy to help and you can sign up for a demo.

Frequently Asked Questions

How long does this take to set up?

Less than 10 minutes.

Who can set this up and what are the prerequisites?

You must have admin-level permissions for both your organization’s GitHub and Slack accounts.

What if we don't use GitHub Teams for access today? Is there another way to use Indent?

While we generally recommend using role-based access control (like GitHub Teams), Indent for GitHub will soon let you request and grant access to specific repositories. Sign up to be notified when that’s released, by filling out this form.

Start Granting On-Demand GitHub Access

Indent allows you to grant temporary, right-sized contributor access using GitHub Teams, without slowing your project down.

It’s free and fast to get started!

Ready to get started? Set up Indent or install on GitHub Marketplace

Want to learn more? Check out the Indent docs

Need additional help? Talk to our team
