How do you manage access permissions for collaborators on a GitHub repo?

Question

Anubhav Sharma · Answer

On GitHub, access permissions are managed through repository roles, teams, branch protections, and organization settings. The right setup depends on whether the repo is personal or inside an organization.

Repository Roles

GitHub provides different permission levels:

Role	Typical Use	Key Permissions
Read	View-only collaborators	Clone, open issues
Triage	Support/community contributors	Manage issues/PRs without code write access
Write	Regular developers	Push branches, create PRs
Maintain	Project maintainers	Manage settings except sensitive admin actions
Admin	Repo owners/leads	Full control including deleting repo and managing access

GitHub’s official permission matrix:
Repository roles documentation

Best Practice Setup

1. Use Organizations Instead of Personal Repos

For teams, create an organization rather than sharing a personal repository.

Benefits:

Team-based access control
SSO support
Centralized billing/auditing
Easier onboarding/offboarding

Organization docs:
GitHub Organizations

2. Assign Access Through Teams

Instead of adding people individually:

Create teams like:
- Backend
- Frontend
- DevOps
- Contractors
Grant repo permissions to teams
Add/remove users from teams
This scales much better.

Team management docs:
Managing teams in organizations

Branch Protection Rules

Critical for preventing accidental or unsafe changes.

Recommended protections on main / production:

Require pull requests before merge
Require approvals (e.g. 1–2 reviewers)
Require status checks (CI passing)
Block force pushes
Restrict direct pushes
Require signed commits (optional)

Branch protection docs:
Branch protection rules

Typical Permission Strategy

A common setup looks like:

Team	Permission
Developers	Write
Tech leads	Maintain
DevOps/platform	Admin
QA/support	Triage
Contractors	Read or limited Write

Avoid giving Admin broadly.

External Collaborators

For freelancers/vendors:

Prefer temporary team membership
Limit to specific repos
Use least privilege access
Set reminders for removal

GitHub docs:
Managing outside collaborators

Security Recommendations

Enable:

Two-factor authentication (2FA)
Dependabot alerts
Secret scanning
CODEOWNERS review rules

Security features:
GitHub security features overview

Use CODEOWNERS

Automatically request reviews from responsible teams.

Example:

# Backend
/backend/ @org/backend-team

# Infrastructure
/terraform/ @org/devops-team

Docs:
About CODEOWNERS

Managing Access via UI

Personal Repository
- Repo → Settings → Collaborators
Organization Repository
- Organization → Teams → Repository Access

Managing via GitHub CLI

Install:
GitHub CLI

Add collaborator:

gh repo add-collaborator OWNER/REPO --user username --permission write

List collaborators:

gh api repos/OWNER/REPO/collaborators

Enterprise-Level Controls

For larger companies:

SAML SSO
SCIM provisioning
Audit logs
IP allow lists
Fine-grained PATs
GitHub Apps instead of classic tokens

Enterprise docs:
GitHub Enterprise Cloud docs

Recommended Workflow

Put repos inside an organization
Create teams by function
Grant least privilege needed
Protect main branches
Require PR reviews + CI
Audit access regularly
Remove stale collaborators quickly
Prefer GitHub Apps over personal access tokens

forum

How do you manage access permissions for collaborators on a GitHub repo?

Can you answer this question?

1 Answers

Repository Roles

Best Practice Setup

1. Use Organizations Instead of Personal Repos

2. Assign Access Through Teams

Branch Protection Rules

Typical Permission Strategy

External Collaborators

Security Recommendations

Enable:

Use CODEOWNERS

Managing Access via UI

Managing via GitHub CLI

Enterprise-Level Controls

Recommended Workflow