Key Features β’ Usage β’ Developing β’ Background β’ MIT License
This is a Next.js project with an accompanying GitHub App that allows you to contribute to an upstream project using a private repository in your own organization. This is useful for organizations that want to keep their code private and perform their own checks before making any code changes public.
Important
π£ EMU support is now available! Check out the hosting - GHEC section for more information.
This app is still a work in progress and is not considered stable just yet. We still recommend trying out the app because we'd love to hear from you!
Enterprises struggle with how to let their developers contribute to open source projects. Most are not opposed, in principle, to contributing back to the projects they rely upon. Many are enthusiastic about becoming better open source citizens, and understand the reputational and technical benefits that working in open source can accrue to the business. However, real and perceived security concerns make this process difficult at best and impossible at worst for companies.
To succeed, open source advocates and OSPOs need to address their stakeholders' concerns about:
- Credential leaks
- Intellectual property leaks
- PII / PHI disclosure
- Liability and/or reputational damage resulting from bad code
Solving these concerns creates opportunities for enterprise development teams to participate more deeply in open source and foster a collaborative relationship with the open source community.
Internal Contribution Forks (ICF) is a GitHub app paired with a UI that manages the lifecycle of private mirrors, as well as the synchronization of code between the public fork of an upstream project and the private mirrors where the enterprise teams are working.
- Piggybacks off native GitHub fork network functionality to allow you to contribute to an upstream project using a private repository in your own organization
- No commit rewriting β keep commit history, author attributions, commit signing and other metadata intact
- No datastore β no need to worry about storing your code on a third-party server
- Reduces risk of making open source contributions to upstream projects because your work stays private until it passes approval
- Adapt the app to your workflow to ensure approvals, checks, and other requirements are met before code is merged upstream
- Works with GitHub Enterprise Managed Users (EMUs) and GitHub Enterprise Cloud (GHEC)
High Level Flow:
%%{init: { 'logLevel': 'debug', 'gitGraph': {'showBranches': true, 'showCommitLabel':false,'mainBranchName': 'Upstream'}} }%%
gitGraph
commit id:"init"
branch "Public Fork"
commit id:"pub0"
branch "Private Fork"
commit id:"pri1"
commit id:"pri2"
commit id:"pri3"
checkout "Public Fork"
merge "Private Fork"
checkout "Upstream"
commit id:"up1"
commit id:"up2"
merge "Public Fork"
commit id:"up3"
The app uses an intermediary public fork to merge the private mirror into, and then enables the normal OSS contributor workflow into the upstream repository. This allows users to keep the private repo private while still allowing us to contribute to the upstream repository. Check out this application flow diagram for a more detailed look at how the app works.
You'll need to self-host the app. See the section on Developing for more information.
This app was created with the idea of self-hosting in mind and can be deployed to any hosting provider that supports Next.js/Docker.
Configuration is contained in a .env file which you'll need to customize for your environment. Use the .env.example in the root of this repository as a starting point. In particular, you'll need to set the following:
PUBLIC_ORGandPRIVATE_ORGenvironment variables if you want to keep your private mirrors in a different GitHub organization from the public forksALLOWED_HANDLESvariable to a comma-separated list of GitHub user handles which ought to be allowed to access the app to create mirrors. If unset, all users who are members of the organization will be allowed to use the app.
docker build -t internal-contribution-forks .
docker run --env-file=.env -p 3000:3000 internal-contribution-forks
# alternatively, you can use docker compose
docker compose upWe recommend using Node 20.x or higher, though any Node LTS version >18 should work.
Once it's running, you'll need to create a GitHub App and configure it to point to your deployment. See the Developing β GitHub App section for more information.
The app can be integrated into GitHub Enterprise Cloud (GHEC) by following the same steps as GitHub.com. The app is designed to work with GHEC and GitHub Enterprise Managed Users (EMUs).
The only tradeoff is that a single app instance will only work between a single GitHub instance and a single GHEC instance. If you have multiple GitHub instances and GHEC instances, you will need to deploy multiple instances of the app.
To enable the app to work with GHEC, you will need to set the following environment variables in addition to installing the App on your GHEC organization instance.
PUBLIC_ORG=name-of-your-public-org # Where your public forks will be created
PRIVATE_ORG=name-of-your-ghec-org # Where your private mirrors will be createdThe authentication of the UI will still need to be a user's github.com user, but the app will be able to create forks and mirrors in the GHEC instance.
Once the app is installed, follow this document on Using the ICF App to get the repository fork and mirrors set up for work.
Create a new .env file from the .env.example file
cp .env.example .env- Create a new GitHub App here
- There's an App manifest in the repo that lays out all the permissions and webhook events needed and can be found here.
- Copy all the secrets, credentials, and IDs into the
.envfile
This is a webapp built with Next.js. You can find the Next.js documentation here.
npm inpm run devYou should be up and running on http://localhost:3000!
Webhooks are an important part of this application, they listen for events that happen to your organization and trigger the app to do things like create branch protections or sync code between forks.
We have our own webhook proxy that you can use to test webhooks locally. You will need to set PUBLIC_ORG (and PRIVATE_ORG if you want to test with a different organization) in your .env file to your GitHub organization name.
We recommend that you have a dedicated GitHub organization for your contributions. This will allow you to keep your contributions separate from your organization's daily operations.
We have added support for GitHub Enterprise Managed Users (EMUs) and GitHub Enterprise Cloud (GHEC) in the app. If you are using GitHub Enterprise, you will need to make sure that the app is installed on your GitHub Enterprise instance.
Permissions:
- The GitHub App must be installed on the organization(s) you plan on contributing from
- Currently, any member of the organization can access the app and create additional private mirror repositories
This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.
Check out the CODEOWNERS file to see who to contact for code changes.
If you need support using this project or have questions about it, please open an issue in this repository and we'd be happy to help. Requests made directly to GitHub staff or the support team will be redirected here to open an issue. GitHub SLA's and support/services contracts do not apply to this repository.
Looking for more resources for your open source program office (OSPO)? Check out the github-ospo repo for a variety of tools designed to support your needs.