GitHub
This page is about GitHub organizations that are administered by MoCo IT, the largest being the "mozilla" organization on GitHub. There are several other GitHub organizations you may be interested in, cf. the incomplete list below.
Do you have a GitHub administration question for an org? See table for contact info for each organization. |
---|
Contents
- 1 News
- 2 Quick Access for Requests
- 3 Recommendations and FAQ
- 3.1 SAML or SSO questions
- 3.2 Do you have any recommendations for repository settings?
- 3.3 Where should I ask additional questions?
- 3.4 How do I hook up a new GitHub Actions or 3rd party application to a repository in the mozilla org?
- 3.5 Reviewing owners and permissions
- 3.6 Can I be an Owner of the Mozilla Organization?
- 3.7 Can I be a Member of the Mozilla Organization?
- 3.8 Should I make a separate GitHub organization or just create a repository in an existing one?
- 3.9 Forking vs Transferring
- 3.10 Do I need to be an owner to create repositories?
- 3.11 We have sensitive code or data in this repository - any extra steps I should take?
- 3.12 We're done with this project - what should we do with the repository?
- 3.13 Are there requirements for when or how I should create a new team?
- 3.14 Is "mozilla" the only GitHub "organization" related to Mozilla?
- 3.15 Are there other unofficial or Mozilla-related repositories hosted on GitHub?
News
- 2024-06-21 - new guidance on Securing GitHub Workflows & Actions
- 2021-01-21 - Converting to a "2FA required policy" for an organization/
- 2021-01-19 - Notes on renaming the default branch of your GitHub repositories.
- 2019-02-19 - Mozilla's Code of Conduct is required to be included in every repository, following this procedure.
- 2018-03-29 - new Guidelines for securing sensitive repositories published. These are good practices for any repository that does "releases", and some groups my require adherence on their repositories.
Quick Access for Requests
I need to be a member of an org
Please read this section on being a member, noting that for many operations you don't need member status. If you need it, file a bug here filling out the fields as best you can. Having your manager or maintainer of the team file the bug may short circuit some of the approval processes, and make things go faster.
I want a new action/app added to an org
Please read these sections on Actions and Apps - file a bug here, giving us as much information as you can
I need a private repo created
Being an open source company, Mozilla tries to do things in the open. However, the need for private repositories is clear for various non-public data and other business reasons, and in order to track them, please request private repositories using this template.
Be sure to answer all questions marked 'REQUIRED' in the form. As well as the ORGNAME in the title. This lets us know what the repo is for, who needs access, all so that we don't lose track of the private repo
I want to have repo(s) archived
Archiving a repo sets the repository to read only, and allows it to be excluded easily from searches. It also marks it as unused and removes it from consideration for bug bounties.
GitHub recommends closing all issues and PRs as part of the closure.
While any admin can archive the repository, we have scripting for doing the closures, and doing so reversibly. (Also helpful if there's many repos needing attention). If you would like us to archive some repos, please file a bug using this template.
I want to transfer a repo
If this is a transfer into a Mozilla controlled org, and you're a member, and the repo is in your account, you can transfer it yourself. This CAN mess up permissions to the repo, but filing a bug with the repo name and who should have access will let us help.
If this is a transfer between Mozilla orgs, you'll need to file a bug with the details, and we're happy to do it.
If this is a transfer out of Mozilla controlled orgs, we'll need to get various approvals, but filing a bug will get this started.
For all of the above, the proper link to file a bug is here
Other requests
Note that if the org isn't controlled by MoCo IT, we may only be able to redirect you to whatever resources we're aware of per this chart.
Things like "I need access to a Repo" - generally this is handled by repo admins, but if you need more, or help finding an admin, file a bug here with questions
And general requests for help/advice - bugs to the GitHub Administration component are the most reliable, but there's a matrix channel: #github-admin, and email to ghe-admins @ mozilla . com
Recommendations and FAQ
The actions below are specifically for the 'mozilla' organization on GitHub. Other organizations may have different or additional procedure. Please refer to the other organizations table below for the proper service request address and contact information.
SAML or SSO questions
As we move into GitHub Enterprise, we're not changing permissions, but we are requiring people to use people.mozilla.org to authenticate into Mozilla operated spaces. Signing up in people.m.o is automatic if you're an employee, but if you're a contributor, you can create an account using a Firefox account. Directions and a FAQ around SAML are here
Getting asked to SAML in every day
Sadly this is unavoidable with the stack of tech we have - we're continuing to evaluate options to see if there's any path to allowing longer SAML sessions. But at this point we're limited to 24 hours.
Needing to SAML in to see even public things
This is a known bug on GitHub's part - their documentation (at the time of this writing) says that only private or org things need to SAML in - but the behavior is that access to ANY org resource requires a valid SAML session.
Do you have any recommendations for repository settings?
Yes, please see https://wiki.mozilla.org/GitHub/GitHubRepositoryConfigurationConventions.
Where should I ask additional questions?
- Please use the contact list to find the best address.
- If the issue relates to the Mozilla org, then you can send an email to github-owners mozilla.org and one of the volunteers will respond.
- For other orgs, the volunteers in the #github-admin room on Matrix may be able to point you in the correct direction.
How do I hook up a new GitHub Actions or 3rd party application to a repository in the mozilla org?
Note: There are now multiple 3rd party application types. "GitHub Apps" (nee integrations) are the new approach and preferred.
Note: Some 3rd party apps use GitHub as an OAuth identity provider for their website (e.g. for a dashboard). An OAuth Application will block the installation process if the app is not already approved. The "Request access" block is what this section describes.
Each type has it's own installation and approval process. Please follow the instructions in the correct section below.
GitHub Actions
Note: See Securing GitHub Workflows & Actions for usage guidance
GitHub Actions allow automation to be initiated by various repository events. GitHub Actions are now available for all public repositories. Each organization makes a decision on whether or not they should be enabled. Check with your organization owners if you have questions.
Note: GitHub Actions have not yet been fully evaluated for use on "sensitive repositories". The current guidance is to only use actions authored by GitHub or your development team. Please work with your security team if you wish to utilize non-GitHub-authored GitHub Actions on a sensitive repository.
To request a non-GitHub-authored action to be used in the "mozilla" organization, follow the procedure for requesting approval for a new GitHub App, immediately below.
A list of previously examined actions (and their approval/caveat status) can be found here (Accessible to any member of the Mozilla GitHub Enterprise)
GitHub Apps Installation & Approval Process
GitHub Apps (formerly called "integrations") are "Installed" into either the entire organization, or into individual repositories. Each integration has a documented and granular access to repository resources. This is good.
A list of previously examined apps (and their approval/caveat status) can be found here (Accessible to any member of the Mozilla GitHub Enterprise)
However, the GitHub App installation can only be done by an organization owner, who may have to do additional housekeeping. This is not so good, so please plan accordingly (you may need to coordinate with GitHub owners).
- File a request using this template
- Include answers to the questions prompted for in the above template. Additional notes:
- Which repositories do you want to have access? (all or list) -- "All" will rarely be granted - every repository should have control over anything that can access their repository.
- Are any of those repositories private? -- In general, OAuth apps will not be granted access to private repositories, as that grants access to all private repositories.
- Provide link to vendor's description of permissions needed and why -- Hopefully they have this documented, or at least provide a screenshot of the authorization screen which lists the permissions. If not, we may ask you (the requestor) to engage with the app's support team to obtain the answers.
- Provide the Install link for a GitHub app -- mandatory, as we can't install the app without it.
- If you are not an "admin" for the repository, an "admin" will have to approve the request. Please set a "Need Info" on the appropriate repository admin.
Initial Installation
If this is the first time this GitHub App is being installed in the organization, a few extra checks and coordination are needed. An organization owner will need to perform these steps:
- Determine if the GitHub App previously had an OAUTH version in use in the same org. (The simplest way is to see if the app is listed under the "Third-party Application" section of the organization settings page. Any mention -- including "declined" -- counts as "in use" for this purpose.)
- If the OAuth app was in use, check the app installation documentation to see if there are any caveats. (We've only seen one app transition where there was an impact, but better safe than sorry.)
- If there are caveats that apply, ask the requestor to contact all current repositories using the classic OAUTH application to coordinate, cc'ing GitHub owners. This task is non-trivial, you usually need to access the OAuth app's dashboard, and have knowledge of how the app works. (Do NOT authenticate to any OAuth app with your owner account.)
- Install the GitHub app for "specific repositories", and enable the ones in the request.
Please do not install GitHub apps with organization wide scope without first discussing with GitHub owners.
Additional Installations or Removals
If the GitHub App has already been installed in the organization, the new repository simply needs to be added or removed from the list. An organization owner has to make this change. Please still file a bug. As before, a repository admin has to approve the request.
If you're an org owner, you can see what has already been installed.
OAUTH (classic) Applications
- Authorizing an application to work with GitHub utilizes the permissions your account has -- so, any repositories you have access to the application will have access to as well (including private ones). If you want to grant access to an application that no one else has used with the Mozilla organization yet you'll see a "Request access" button during the set up flow. You'll need to click that button to request approval. See below for an example:
- In some cases, the application does not need to be "approved" to function correctly, as it has read only access to any public repository. (Some applications only want write access to help you configure the application first time.)
- In other cases, the application does need write permission, and/or permission to read a private repository. In these cases, open a bug using this template.
- Please be sure to have clicked the "Request Approval" link before submitting bug.
- Include answers to these questions:
- Provide link to vendor's description of permissions needed and why
- Provide installation instructions (both may be needed):
Reviewing owners and permissions
As an owner or repository admin you're responsible for maintaining the list of people with access to your projects. Please be active and prudent about maintaining this list.
Can I be an Owner of the Mozilla Organization?
The Owners group on GitHub has complete administrative power and will be limited to a minimal number of people and reviewed regularly. If a person is an owner, they are expected to actively participate in the group and assist others as requested. Owners will be added as a need arises (for example, support in another timezone) as determined by the current owners.
Can I be a Member of the Mozilla Organization?
No one automatically becomes a member of any of our GitHub Organizations, even staff. We require everyone to be "sponsored" for membership by being invited to a specific team, as outlined below.
Note:Good news! You do not need to be a member of the Mozilla organization on GitHub before you can contribute to Mozilla!!!! We have several sites which can help you find the best fit for contribution:
- General volunteering options,
- Or jump right into fixing a bug.
- If you're already a contributor (THANK YOU!) looking for a place to have your work recognized (even if not coding related), please see the Credits FAQ for inclusion in the credits.
Once you're working on a project, the project leaders and/or team maintainers can help you get access to anything you need. Instructions for them are directly following.
Team Maintainers & Project Leads
Project owners and team maintainers may find the following information helpful when asking for access for a new team member (staff or community):
- We require the use of GitHub teams when initially granting permissions to org members. (Collaborators have to be added individually.)
- All members of the Mozilla organization on GitHub agree to be bound by Mozilla's Commit Access Requirements, and should follow the intent of the Mozilla's Commit Access Policy as much as practical. Of course, anyone interacting with Mozilla repositories agrees to Mozilla Community Participation Guidelines
- "Outside Collaborator": repository admins can grant outside collaborator access to any GitHub login on a per repository basis. "Outside Collaborator" is roughly analogous to "Level 1a" access to Mozilla-hosted repositories.
- "Team Member": team maintainers can add GitHub users to a team, if they are already a member of the organization. If they are not yet a member of the organization, the team maintainer should file a bug using this link to add you to their team, as a form of vouching. "Team Member" is roughly analogous to "Level 2" or "Level 3", with the distinction being the content of the repositories managed by the team.
To get access for a new Contributor, please have the team maintainer or repository admin file a bug using the link in this section, and fill in the details.
Please Note:
- All organization members MUST have an entry on people.mozilla.org and MUST have their verified GitHub identity entered there.
- GitHub cancels any invitation which is not accepted within 2 weeks.
- All members and outside contributors of the Mozilla organization on GitHub MUST have 2FA enabled.
- Automation accounts are also required to have 2FA enabled. Scripts should use access tokens with minimum permissions to accomplish the task.
Should I make a separate GitHub organization or just create a repository in an existing one?
With much of Mozilla's GitHub presence in GitHub Enterprise at this point, if you want to create a organization, we'd love to hear from you about it via a bug here, requesting an org to be created and added to our enterprise. Noting that we already have >50 orgs, so we'd like to make sure you don't already fit into one of the existing spaces.
If the org isn't to be related to Mozilla's Enterprise, then the original advice still applies: This is a personal preference, in general. (Some product lines may have policies about source code locations.) If you have a large enough project or organization feel free. We suggest you use the strategies and recommendations here as a model to manage the details. Additional resources on establishing an organization are:
- Mozilla Standards login required
- Guidelines for securing sensitive repositories
- If you need any paid services, contact GitHub owners for access to Billing Notes
Forking vs Transferring
Do not "fork" a repository into a Mozilla organization. Doing so gives every team in the org rights to it. There are a number of limitations to just pushing your repo's content into a new repo under mozilla (you loose all GitHub metadata). Refer to GitHub's docs for details.
If you have created a repo on your own account (for example, myuser/myrepo) and it should live under the Mozilla organization, here are the steps:
- If you're not a member of any team, talk to an org admin.
- Under the repo admin, transfer ownership to the Mozilla organization. If you don't see this option, return to step 1.
- Choose which teams should be given access. All chosen teams will have only 'read' access at this point.
- File a bug to grant admin permissions to a team or yourself. Note: As soon as you transfer, your repository will be in "limbo" (only you will have write access) due to a GitHub "feature" (see docs). Make arrangements in advance to have an owner available to process the bug.
- Fork the repo from Mozilla (mozilla/myrepo) back to your account (recreating myuser/myrepo). While the transferred repo becomes the root of the network on GitHub (e.g. all forks are now forks of mozilla/myrepo) other users may be pointing to your repo by URL. (Optional, GitHub will redirect old URLs for transfers, but you probably want a local repo if you use the PR workflow.)
Do I need to be an owner to create repositories?
Not in the 'mozilla' organization. If you are a member, you can create a repository. Other organizations may restrict repository creation. However, it's preferred that you create repositories in the context of a team. Teams are created here, if necessary. Once you have created a repo, you can configure it to give rights to members of particular teams.
Note: Remember that all repositories must comply with the GitHub/Repository Requirements.
As the creator, you will automatically have "admin" permissions on the repository. Repository Admins are responsible for the security settings of the repository. This includes approving (or not) requests for GitHub Apps to be added to the app.
Please review all the settings for your new repository, and disable features you will not be using. The default values can change, and new services added, so specific guidance can't be given. But do you really need that wiki? Or the project board? You can always enable them later if you decide you need them.
We have sensitive code or data in this repository - any extra steps I should take?
Yes. Even if your repository is private, there are steps you can take to ensure you know if something has changed. See the GitHub/Repository Security page for additional information and a checklist.
We're done with this project - what should we do with the repository?
That is really up to the team. However, if you have forks or other active user participation, it's a good idea to be clear about the status of Mozilla's commitment to the project. Your options include:
- Delete the repo (obviously the worst alternative).
- Add the Unmaintained badge to the readme
- Archive the repository, using GitHub's suggestions.
PLEASE make sure the repository is clearly licensed before leaving it. Without a license, many other folks can not build upon your work. In most Mozilla controlled GitHub organizations deletion is only an option for owners of the org - file a bug here, with any reasoning and we're happy to discuss.
Are there requirements for when or how I should create a new team?
No. When requirements were proposed they all seemed too rigid and time consuming. Instead we recommend staying flexible and using good naming and documentation for projects (similar to naming CSS classes or variables).
On large teams we recommend you separate teams for read/write and repository administration.
No, there are plenty of Mozilla-related "organizations" on GitHub. As a rule of thumb, initiatives that create a large number of sub-repositories will create their own "organization". Here is a (probably incomplete) list of them:
NOTE: All GitHub Organizations in this section are subject to the Repository Requirements.
NOTE: As Mozilla IT works to consolidate GitHub support in the Mozilla related organizations, it is often a good idea to file any bugs here, and if needed, we will work with you to relocate the request.
Organization | Description | Contact Owner | Service Requests |
---|---|---|---|
mozilla | Mozilla main organization | Matrix #github-admin:mozilla.org; Email github-owners mozilla.org | Please check above for a more specific link, otherwise use mozilla.org :: Github: Administration |
mozilla-it | Mozilla IT's repositories | Matrix #github-admin:mozilla.org; Email github-owners mozilla.org | Bug here. |
mozilla-sre-deploy | Mozilla SRE Deploy repos | Matrix #github-admin:mozilla.org; Email github-owners mozilla.org | Bug here. |
mozilla-ocho | Innovation and Experiments @ Mozilla | Matrix #github-admin:mozilla.org; Email github-owners mozilla.org | Bug here. |
mozilla-bteam | Bugzilla.Mozilla.org | #bteam | Bug here. |
mozilla-iam | Mozilla's identity and access management | dividehex | Bug here. |
mozilla-spidermonkey | Mozilla SpiderMonkey Team tools and embedding info | Ted Campbell (tcampbell); Matrix #spidermonkey:mozilla.org | Bug here. |
mozilla-svcops | Mozilla Cloud Services Ops - Archived | Daniel Thornton (relud) | Bug here. |
firefox-devtools | Firefox Developer Tools | ? | Bug here. |
iodide-project | Seamless scientific computing with web technologies. | ? | Bug here. |
moco-ghe-admin | Tools for MoCo IT to administer GHE | ghe-admins @ mozilla.com | Bug here. |
mozilla-conduit | Mozilla Conduit work | glob (glob) | Bug here. |
Mozilla-Frontend-Infra | Frontend Testing support | Mozilla Frontend Infra request | |
mozilla-lockbox | Mozilla Lockbox iOS, Android, desktop extension | mozilla-lockbox owners | |
mozilla-mobile | Mobile: Android Product Team & Firefox iOS teams | mozilla-mobile owners | |
MozillaReality | Mozilla Mixed Reality program | Erica Stanley (estanley) | Bug here. |
MozillaSecurity | Mozilla Platform Fuzzing Team master repo with many fuzzing tools under it. | ? | Bug here. |
MozMEAO | Mozilla Marketing | Paul McLanahan (pmac) | Bug here. |
mozilla-applied-ml | MAML - Mozilla Applied Machine Learning - Archived | ? | Bug here. |
mozilla-b2g | Mozilla Boot2Gecko / Firefox OS - archived | ? | Bug here. |
mozilla-metrics | Mozilla Metrics | ? | Bug here. |
mozilla-platform-ops | Mozilla Platform Operations | Platform_Operations | Bug here. |
mozilla-releng | Mozilla Release Engineering | #releng | Bug here. |
mozilla-services | Mozilla Services | mozilla-services owners | Bug here. |
Mozilla-TWQA | Mozilla Taiwan QA - Archived | ? | Bug here. |
MozillaWiki | MozillaWiki (wiki.mozilla.org) - Archived (see Mozilla/wiki.mozilla.org) | ? | Bug here. |
mozilla-l10n | Mozilla l10n-drivers team | Francesco Lodolo https://mozillians.org/u/flod/ | Bug here. |
taskcluster | TaskCluster Team | ? | Bug here. |
mozilla-conduit | Mozilla Conduit work | glob (glob) | Bug here. |
mozsearch | The code that runs Searchfox.org | Kartikaya Gupta (kats) | Bug here. |
MozillaDataScience | Ad-hoc analyses by data scientists. | Matrix: #data-science:mozilla.org | Bug here. |
mozilla-extensions | CI- and release-enabled privileged webextensions and system addons. | Slack: #addon-pipeline | Bug here. |
mozilla-rally | ION (former Pioneer) platform. | Slack: #ion | Bug here. |
mozillabrasil | Mozilla Brazil | ? | |
bugzilla | Bugzilla (the product, not bugzilla.mozilla.org) | #bugzilla | |
drumbeat-badge-sprint | Drumbeat Badge Lab | ? | |
hackasaurus | Hackasaurus | ? | |
jetpack-labs | Jetpack Labs - Archived | ? | Bug here. |
mdn | Mozilla Developer Network | John Whitlock | |
mozbrick | Mozilla Brick (web components library) | ? | |
mozilla-appmaker | Mozilla Appmaker | ? | |
mozilla-cit | Mozilla Community Ops | Tanner Filip (tanner) or Yousef Alam (yalam96) | |
mozilla-comm | Calendaring and Messaging related projects | ? | |
mozilla-cordova | Firefox OS Support for Apache Cordova | ? | |
mozilla-iot | Mozilla's Internet of Things program | David Bryant (dbryant), Ben Francis (bfrancis) | No longer active. Has transitioned to community ownership using new organization WebThingsIO. |
mozilla-raptor | Mozilla Raptor / Firefox OS Performance | Eli Perelman (eliperelman), Rob Wood (rwood) | |
mozilla-standards | Mozilla Standards (for IPR Contributions) | tantek, mt | |
mozillahispano | Mozilla Hispano | ? | |
MozillaResearch | Mozilla Research space | Lars Bergstrom (larsberg) | |
MozillaScience | Mozilla Science Lab | ? | |
mozillayvr | Mozilla Vancouver @MozillaYVR | Brian Clark (bclark), Stephanie Hobson (shobson) | |
mozfr | Mozilla Francophone | ||
opennews | Knight-Mozilla OpenNews | ? | |
rust-lang | The Rust Programming Language | Aaron Turon (aturon) | |
servo | Servo (browser engine written in Rust) | Lars Bergstrom (larsberg), Josh Matthews (jdm) | |
MozillaCH | Mozilla Switzerland | Michael Kohler (mkohler), freaktechnik (freaktechnik) | |
mozilla-payments | Implementation of Web Payment APIs | Caceres Marcos Caceres | |
mozilla-jetpack | Resources for Mozilla's Add-on SDK | ? | |
web-ext-experiments | WebExtension API Experiments | Andy McKay (andym) | |
MozillaCZ | Mozilla.cz | Michal Stanke (mstanke), Michal Vašíček (MekliCZ), Tomáš Zelina (zelitomas) | |
MozillaSK | Mozilla.sk | Michal Stanke (mstanke), Juraj Cigáň (kusavica) | |
common-voice | Common Voice | Jenny Zhang (phirework), Matrix: #common-voice:mozilla.org |
Why, yes! In no particular order:
- https://github.com/kinetiknz/cubeb/ : Cubeb cross platform audio library.
- https://github.com/djg/cubeb-rs/ : Rust bindings for cubeb.
- https://github.com/kinetiknz/nestegg/ : WebM demuxer.
- https://github.com/xiph/opus/ : Modern audio compression for the internet.
- https://github.com/webmproject/libvpx : Mirror only. Please do not send pull requests.
- https://github.com/campd/fxdt-adapters : Firefox Developer Tools protocol adapters
- https://github.com/kripken/emscripten : Emscripten: An LLVM-to-JavaScript Compiler
- https://github.com/bbondy/codefirefox : Video and exercise based tutorial site for coding Firefox and other Mozilla related technology
- https://github.com/nickdesaulniers/where-is-firefox-os : A map showing where in the world Firefox OS phones are being sold.
- https://github.com/jdm/bugsahoy : A landing page to make finding relevant bugs easier for new Mozilla contributors.
- https://github.com/w3c/web-platform-tests : Test Suites for Web Platform specifications
- https://github.com/w3c/wptserve : Web server designed for use with web-platform-tests
- https://github.com/w3c/wptrunner : Cross-browser and multi-platform test runner for web-platform-tests. Used in mozilla-central and servo.
- https://github.com/w3c/testharness.js : (no description)
- https://github.com/jdm/asknot : Ask not what Mozilla can do for you but what you can do for Mozilla.
- https://github.com/jeffbryner/MozDef: Mozilla Defense Platform.
- https://github.com/jgraham/webdriver-rust: WebDriver library for Rust.
- https://github.com/ehsan/mozilla-cvs-history: A git conversion of the full Mozilla CVS history, useful for code archaeology.
- https://github.com/djg/audioipc-2: Audio IPC for Gecko.
- https://github.com/hsivonen/encoding_rs: encoding_rs (character encoding converters for Gecko)
- https://github.com/choller/firefox-asan-reporter : Internal addon used in conjunction with special ASan builds of Firefox.
- https://github.com/jrmuizel/qcms : Fork of 'quick color management' for Firefox
- https://github.com/webcompat : Web Compatibility Team (Industry wide) -- Karl Dubost (kdubost)