# GitHub Org Administration — middag-io
Teams, rulesets, custom properties, visibility, and access control. References: ADR-001, ADR-002.
## 1. Organization Structure

### Org settings
| Setting | Value |
|---|---|
| Org name | middag-io |
| Plan | GitHub Team |
| Default visibility | Private |
| Default permission | Read |
| 2FA | Required for all members |
### Teams
| Team | Permission | Purpose |
|---|---|---|
| engineering | Write | All developers |
| admin | Admin | Org administration, repo management |
| bots | Write | CI/CD bots, service accounts |
```bash
# Create team
gh api orgs/middag-io/teams -f name=engineering -f permission=push -f privacy=closed
# Add member
gh api orgs/middag-io/teams/engineering/memberships/{username} -X PUT -f role=member
```

## 2. Repository Rulesets
See ADR-002 — Branch Model for complete branch protection rules and flow.
Rulesets are configured at org level and apply to all repos automatically. Two rulesets: main-protection (PR + 1 approval + status checks) and develop-protection (PR + status checks).
```bash
# View rulesets
gh api orgs/middag-io/rulesets --jq '.[].name'
# View specific ruleset
gh api orgs/middag-io/rulesets/{id}
```

### Bypass for .github repo

The .github org repo allows direct pushes to main by org admins (no PR required). Workflow changes need to land fast and are tested by consumer repos.
## 3. Custom Properties
Custom properties enable filtering repos across the org. See ADR-001 — Repository Naming Convention for the defined properties and their values.
### Set properties

```bash
gh api repos/middag-io/{repo}/properties/values \
  -X PATCH \
  -f properties[][property_name]=platform -f properties[][value]=wordpress \
  -f properties[][property_name]=component-type -f properties[][value]=plugin \
  -f properties[][property_name]=deploy-target -f properties[][value]=production \
  -f properties[][property_name]=has-ci -f properties[][value]=true
```

### Query repos by property

```bash
# All WordPress plugins
gh api orgs/middag-io/properties/values \
  --jq '.[] | select(.properties[] | select(.property_name=="platform" and .value=="wordpress")) | .repository_full_name'
# All repos deploying to production
gh api orgs/middag-io/properties/values \
  --jq '.[] | select(.properties[] | select(.property_name=="deploy-target" and .value=="production")) | .repository_full_name'
```

## 4. Topics
Topics are mandatory per repo. See ADR-001 — Repository Naming Convention for the required topic categories and values.
```bash
# Add topics
gh repo edit middag-io/{repo} --add-topic wordpress,plugin,middag
# List repos by topic
gh repo list middag-io --topic wordpress --json name --jq '.[].name'
```

## 5. Secrets and Variables
### Org-level secrets
Managed in GitHub org settings → Secrets and variables → Actions.
```bash
# List org secrets
gh secret list --org middag-io
# Set org secret
gh secret set SECRET_NAME --org middag-io
# Set with visibility restriction
gh secret set SECRET_NAME --org middag-io --visibility private # only private repos
gh secret set SECRET_NAME --org middag-io --visibility all # all repos
```

### Org-level variables
```bash
# List org variables
gh variable list --org middag-io
# Set org variable
gh variable set VAR_NAME --body "value" --org middag-io
```

### Repo-level variables (feature flags)
```bash
# Set repo variable
gh variable set PUSH_TO_ECR --body "true" --repo middag-io/{repo}
```

See G01 — CI/CD Guide for the complete secrets/variables reference and ADR-005 — 1Password + GitHub Integration for vault naming and service account setup.
## 6. Visibility and Access

### Repository visibility
| Repo type | Visibility | Reason |
|---|---|---|
| Application | Private | Proprietary code |
| Infrastructure | Private | Contains deploy configs and secret refs |
| .github | Public | Org profile visible on github.com |
| PHP libraries | Private | Distributed via private Satis |
| Forks | Public | Upstream license requires it |
### Changing visibility
```bash
# Make repo public
gh repo edit middag-io/{repo} --visibility public
# Make repo private
gh repo edit middag-io/{repo} --visibility private
```

### Access for external collaborators
```bash
# Add collaborator with read access
gh api repos/middag-io/{repo}/collaborators/{username} -X PUT -f permission=pull
# Remove collaborator
gh api repos/middag-io/{repo}/collaborators/{username} -X DELETE
```

## 7. Maintenance Tasks
### Periodic review
| Task | Frequency | How |
|---|---|---|
| Audit team membership | Monthly | gh api orgs/middag-io/teams/engineering/members |
| Review pending invitations | Weekly | gh api orgs/middag-io/invitations |
| Check stale repos | Quarterly | gh repo list middag-io --json name,pushedAt |
| Verify rulesets | Quarterly | gh api orgs/middag-io/rulesets |
| Rotate 1Password SA tokens | Annually | See G03 |
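A drift check for the two org rulesets from section 2, usable for the quarterly "Verify rulesets" task above. This is an added example, not middag-io's own tooling: it reads the JSON that `gh api orgs/middag-io/rulesets/{id}` prints (field names follow GitHub's rulesets REST API; the sample ruleset below is constructed) and reports every deviation from the documented policy.

```python
import json
import sys

# Documented policy: ruleset name -> minimum required approving reviews.
EXPECTED = {"main-protection": 1, "develop-protection": 0}


def audit_ruleset(ruleset: dict) -> list[str]:
    """Return findings for one ruleset; an empty list means it matches policy."""
    findings = []
    name = ruleset.get("name", "<unnamed>")
    if name not in EXPECTED:
        return [f"{name}: not a documented ruleset"]
    # "evaluate" only logs would-be violations and "disabled" enforces nothing.
    if ruleset.get("enforcement") != "active":
        findings.append(f"{name}: enforcement is {ruleset.get('enforcement')!r}, expected 'active'")
    rules = {r["type"]: r.get("parameters", {}) for r in ruleset.get("rules", [])}
    if "pull_request" not in rules:
        findings.append(f"{name}: pull_request rule missing (direct pushes allowed)")
    else:
        approvals = rules["pull_request"].get("required_approving_review_count", 0)
        if approvals < EXPECTED[name]:
            findings.append(f"{name}: required approvals {approvals} < {EXPECTED[name]}")
    if "required_status_checks" not in rules:
        findings.append(f"{name}: required_status_checks rule missing")
    elif not rules["required_status_checks"].get("required_status_checks"):
        findings.append(f"{name}: required_status_checks rule lists no checks")
    # Actors with bypass_mode "always" may push without a PR; review each one.
    for actor in ruleset.get("bypass_actors", []):
        if actor.get("bypass_mode") == "always":
            findings.append(f"{name}: {actor.get('actor_type')} {actor.get('actor_id')} bypasses always")
    return findings


# Constructed sample of a compliant main-protection ruleset (not real API output).
SAMPLE_MAIN = {
    "name": "main-protection", "target": "branch", "enforcement": "active",
    "conditions": {"ref_name": {"include": ["refs/heads/main"], "exclude": []}},
    "rules": [
        {"type": "pull_request", "parameters": {"required_approving_review_count": 1}},
        {"type": "required_status_checks",
         "parameters": {"required_status_checks": [{"context": "ci"}]}},
    ],
    "bypass_actors": [],
}

if __name__ == "__main__":
    # Usage: gh api orgs/middag-io/rulesets/{id} | python3 check_ruleset.py
    for line in audit_ruleset(json.load(sys.stdin)) or ["ruleset matches policy"]:
        print(line)
```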
### Transfer repo to org
```bash
# From personal account to org
gh api repos/{user}/{repo}/transfer -f new_owner=middag-io
```

### Archive repo

```bash
gh repo archive middag-io/{repo}
```