I am not a coder and quite new to GitHub. We have created a private repo account and included the source code for a project that we need to continue with a different prospective independent developer than the one we started with. However, we are in the process of getting bids from different participants and they have asked to get access to the code. Now, the question is if I add the different independent developers as collaborators, will they be able to see which collaborators I have granted access to (I don’t want to disclose which other firms are involved in the bidding process)? Also, how can I safeguard that the code doesn’t get tampered with?

External collaborators, when added to a personal, non-organization repo, get full Write access with no option for Read access. On the other hand, they don’t get access to the Settings tab because they don’t receive Admin access. On repos belonging to an organization, the admin or owner can grant an external collaborator Admin, Write, or Read access.

  • Read access means that they can:
    • See the code
    • Copy the code to their local machine
    • Open issues
    • Open PRs
    • Comment on issues or PRs
    • among other things that don’t affect the code directly
  • Write access means that they can do all of the above plus:
    • Add changes to the code directly without needing to use a PR
    • Merge PRs
  • Admin access means that they can do all of the above plus:
    • See the settings of the repo, including seeing and inviting other external collaborators

So no matter which kind of repository you’re describing, adding an external collaborator means that they won’t be able to see other external collaborators _so long as those collaborators don’t create or comment on Issues or PRs._ But there is nothing in the system that is preventing them from doing so.

My best suggestion is that you could create multiple private repositories like project-code-bidder-1, project-code-bidder-2, project-code-bidder-3, etc and invite each bidder into the one with their name only.

Thank you so much for your detailed response! I have now granted access to a couple of competing firms that I believe can do the job. And apparently they’ve gotten access to the code, downloaded it and came back with a report. I was under the impression when you add a collaborator in your Private Repo setting, then if any of the collaborators want access to the code it has to go through a PR and you will know when the code has been downloaded/accessed. But this does not seem to be the case, and one will never find out when the code has been downloaded and worked with. And no proof of such activity either. I was a little surprised by this. Is there any way to monitor this type of activity with a Private account setting?

I apologize that I wasn’t clear enough in my explanation. Unfortunately, no, there isn’t a way to monitor that activity.
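Downloads cannot be monitored, but changes pushed to the per-bidder copies suggested above can be detected. The following is an added example, not part of the original thread: it compares every branch and tag in each bidder copy against a canonical copy that no bidder can write to. The function names and the idea of keeping such a canonical copy are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect changes pushed to per-bidder copies of a repository.
# Assumption: the owner keeps one canonical copy that no bidder can write to.
# Repository locations (URLs or local paths) are supplied by the caller.

# Print a sorted list of "<commit-id> <ref-name>" for every branch and tag.
# Any new, moved or deleted branch/tag changes this output.
ref_fingerprint() {
    git ls-remote --heads --tags "$1" | sort
}

# check_copies CANONICAL COPY...
# Prints "OK <copy>", "CHANGED <copy>" or "ERROR <copy>" for each copy.
# Returns 0 if every copy matches, 1 if any differs or is unreachable,
# 2 if the canonical copy itself cannot be read.
check_copies() {
    canonical=$1
    shift
    want=$(ref_fingerprint "$canonical") || return 2
    rc=0
    for copy in "$@"; do
        if ! got=$(ref_fingerprint "$copy"); then
            echo "ERROR $copy"
            rc=1
        elif [ "$got" = "$want" ]; then
            echo "OK $copy"
        else
            # A bidder with Write access pushed, moved or deleted a ref.
            echo "CHANGED $copy"
            rc=1
        fi
    done
    return $rc
}

# Usage (placeholder locations):
#   check_copies <canonical-repo-url> <bidder-1-repo-url> <bidder-2-repo-url>
```

This only reports that a copy no longer matches; it does not show who read or cloned the code.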