I’m trying to improve our GitHub organization setup to enable an inner source approach. Although the repositories aiming for inner source collaboration are already ‘internal’, we still prefer to have a policy in place to prevent changes on the default branches you would typically protect. One way of going about this is to hand out ‘write’ access to all organization members and have protected branches in place. GitHub currently doesn’t support setting protected branches by default, so this quickly becomes a hassle to manage, requiring bots or the like.
Another way of working I could think of is personal forks. If you want to contribute, you can create a personal fork and open a pull request, just as you would do for a public project. But what guarantees are in place for code security with personal forks of organization repositories? Will personal forks be deleted if a GitHub user is removed from the organization? Can personal forks allow outside collaborators even if the repository from the organization doesn’t? Knowing that forks are deleted if the main repository is deleted, I have the impression that security matters are quite good. Yet personal forking is disabled for organizations by default, which I find quite odd. It would seem the best way of working I could think of.
I hope somebody can assure me that personal forks do not open a back door for code to escape the GitHub organization.