The GitHub Team Management System is an "Issue Ops" solution that enables teams to manage GitHub team structures, memberships, and repository permissions through GitHub issues. This documentation provides information about the workflows, and user guides.
Teams are organized hierarchically:
- Parent Team: The main team (e.g.,
a-team) - Child Teams: Specialized sub-teams with specific permissions:
[team-name]-developers: Write access to repositories[team-name]-testers: Triage access to repositories[team-name]-reviewers: Write access to repositories[team-name]-release-managers: Maintain access to repositories[team-name]-operations: Maintain access to repositories[team-name]-security: Admin access to repositories[team-name]-project-owners: Admin access to repositories
- Create a new issue using the "Team Management" template
- Set the Action to
create - Enter the Team Name (without spaces, using kebab-case)
- Specify the Project Name
- Provide a meaningful Team Description
- Add Members (optional) using the format:
- @username (developers, testers) - @another-user (all) - Add Repositories (optional):
- repository-name - another-repo - Define Child Teams (optional) using the format:
For example:
- child-team:Description:permission- developers:Development team:write
- Create a new issue using the "Team Management" template
- Set the Action to
update - Enter the Team Name (must be an existing team)
- Add new members or repositories using the same format as creation
- Add or update child teams as needed
- Create a new issue using the "Team Management" template
- Set the Action to
remove - Enter the Team Name (must be an existing team)
- List members or repositories to remove using the same format
- List child teams to remove
graph TD
A[Start] --> B{Choose Action}
B -->|Create| C1[Fill required fields]
C1 --> D1[Enter team name]
D1 --> E1[Enter project name]
E1 --> F1[Enter team description]
F1 --> G1[Add members & repos]
G1 --> H[Submit issue]
B -->|Update| C2[Fill required fields]
C2 --> D2[Enter existing team name]
D2 --> G2[Add/modify members & repos]
G2 --> H
B -->|Remove| C3[Fill required fields]
C3 --> D3[Enter existing team name]
D3 --> G3[List members/repos to remove]
G3 --> H
H --> I[GitHub Actions runs]
I --> J[Python script processes issue]
J --> K[Team config updated/created]
K --> L[GitHub teams synced]
L --> M[Issue commented with results]
M --> N[End]
GitHub repository permissions map to the following access levels:
| Configuration Value | GitHub API Value | Access Level |
|---|---|---|
| read | pull | Read-only access |
| write | push | Read/write access |
| triage | triage | Read and triage issues/PRs |
| maintain | maintain | Read/write plus some admin |
| admin | admin | Full administrator access |
You can assign members to specific child teams using the following format:
- @username (team1, team2, ...)
Special keywords:
all- Adds the member to all child teamsdevelopers- Adds to the developers teamreviewers- Adds to the code reviewers teamtesters- Adds to the testers teamoperations- Adds to the operations teamsecurity- Adds to the security teamrelease-managers- Adds to the release managers teamproject-owners- Adds to the project owners team
flowchart TD
A[process_team_issue.py] --> B[Parse issue body]
B --> C[Validate input data]
C --> D{What action?}
D -->|create| E[Create team config]
D -->|update| F[Update team config]
D -->|remove| G[Remove items from config]
E --> H[Save team config]
F --> H
G --> H
H --> I[Comment on issue]
I --> J[Trigger sync workflow]
J --> K[sync_github_teams.py]
K --> L[Load team configs]
L --> M[Create/update GitHub teams]
M --> N[Sync team members]
N --> O[Set repo permissions]
Problem: When adding a member, you receive a message that the user doesn't exist in the organization. Solution:
- Verify the username is spelled correctly
- Ensure the user is a member of the organization
- Check if the user needs to be invited to the organization first
Problem: When adding a repository, you receive a message that the repository doesn't exist. Solution:
- Check the repository name spelling
- Verify the repository exists in the organization
- Ensure the repository name doesn't include the organization prefix
Problem: An invalid permission is specified for a child team. Solution:
- Use only these valid permissions: read, write, triage, maintain, admin
- When in doubt, use "read" as the default permission
Problem: The GitHub Actions workflow failed to process the issue. Solution:
- Check the workflow run logs for specific errors
- Verify all required fields are filled in correctly
- Ensure the issue has the "team-management" label
- Use descriptive team names that clearly indicate their purpose
- Keep team hierarchies simple to avoid confusion
- Document team purposes in the description field
- Review team memberships regularly and remove inactive members
- Use the least privilege principle when assigning permissions
- Test with non-critical repositories before adding important ones
- Create separate issues for different teams rather than combining multiple teams in one issue
- Check issue comments for validation errors and warnings
If you need to manage multiple teams, create separate issues for each team. This helps keep the change history clear and makes it easier to track issues.
The system automatically synchronizes team configurations to GitHub after changes are committed. If you need to trigger synchronization manually, you can:
- Go to the "Actions" tab in the repository
- Select the "Sync GitHub Teams" workflow
- Click "Run workflow"
- Optionally specify a team name to sync only that team
Team configurations are stored in YAML files at:
teams/<team-name>/teams.yml
You can view these files to see the current team structure, membership, and permissions.
This documentation should help users understand and effectively use the GitHub Team Management system. If you encounter any issues not covered here, please create an issue in the repository for assistance.