GitHub @ SUNY Geneseo
Git vs. GitHub
Although Git and GitHub both have "Git" in their name, they are not the same thing.
Git is an open source version control system that is installed locally on your computer. You create local repositories for files, usually source code files and their associated documentation, and link them to a remote repository, such as one hosted on GitHub. Changes to the files are pushed to and pulled from this remote repository so that you always have the most up-to-date versions of the files and can review what has changed in the files between fetch operations. You can read more about Git and download it from the official Git website.
GitHub is a website that houses remote Git repositories from all over the world. This allows visitors to view other people's repositories, if they are publicly available, and download the code or even copy it to a repository of their own through a process known as cloning. You can also create a "fork" of a repository, which is a copy of the code that you can keep synced to the original and use to suggest changes to the original code by submitting a "pull request". GitHub also provides additional features for its repositories, such as running certain actions when code is pushed or pulled. Multiple collaborators can be added to a single GitHub repository to work on a project together. Multiple repositories can be grouped under an organization, like SUNY Geneseo, for people within that organization to collaborate across repositories.
Explaining all the features of Git and GitHub is beyond the scope of this document. If you are just getting started and would like to learn more, GitHub offers documentation on both Git and their platform:
In the top left of the page, click on Version to change which version of GitHub the documentation provides information for. Free, Pro, & Team is sufficient for learning about your personal account. However, operations relating specifically to working with our organization will fall under the Enterprise Cloud version.
Do you Need Access to SUNY Geneseo's GitHub?
GitHub is available for anyone on the internet to use. Here are some facts to consider before you request access to our organization:
- If you are just looking to use GitHub for personal projects or to learn Git, you can create a free account at https://github.com at any time
- A free account can create public and private repositories which are owned by that account
- Access to these repositories and the code in them is not lost when you leave Geneseo
- Access to the SUNYGeneseo organization is an extension of your account rather than the core feature of it
- You only really need access to the SUNYGeneseo organization if you are collaborating on a project whose repository lives in or should live in the organization
Should your Repository Live in SUNYGeneseo?
Repositories that are created under your personal account belong to that account, and you will have access to them as long as you have access to the account. Repositories created under the SUNYGeneseo organization are owned by the organization, and you will lose all access to them when you leave Geneseo (unless they are public). With that in mind, here are the reasons your repository should live in the SUNYGeneseo organization:
- The code belongs to a project of a Geneseo department which will continue to support the project after you leave
- The code is for operations in a campus department, and they will continue to use the code after you leave
- The code is for a class/research that should be retained by Geneseo after you leave
- The code is meant to be shared internally or with the public, with Geneseo as the owner rather than yourself
- You are a member of CIT working on a project that collaborates with other departments or the project is not for internal CIT use
How GitHub Accounts Work with our Organization
It is important to understand a few facts about how GitHub accounts work with our organization for SUNY Geneseo:
- Your GitHub account is not an account owned by SUNY Geneseo; instead, it is a personal account you connect to our organization
- The account is connected to your Single Sign-on identity, allowing you to access our organization
- When you are invited to join the organization, you will receive the invitation in your Geneseo email, but your Geneseo email is not automatically added to any personal GitHub accounts you own, even when you sign in with an account to accept the invitation to the organization
- When you leave Geneseo, your access to the SUNY Geneseo GitHub organization is removed; however, your GitHub account is not deleted
Repositories you create in the SUNY Geneseo organization belong to that organization, and when you leave Geneseo, you will lose access to any internal or private repositories you created or were a member of. You will still be able to view any public repositories in the organization. You will also not lose access to any personal repositories you create under your account rather than the organization.
You can tell who owns a repository by going to the repository's page. In the top left there will be text in the format of Repository Owner/Repository Name. This is reflected in the URL for the repository as well (https://github.com/RepositoryOwner/RepositoryName). If the owner is SUNYGeneseo, then the repository is owned by the organization. If the owner is your GitHub username, then the repository is owned by you.
Steps to gain access to the SUNY Geneseo organization in GitHub
1. Sign up for a free personal account at https://github.com, if you do not already have one
   It is highly recommended that you do not use your Geneseo email address as your primary email address on your GitHub account. This account is intended for you to be able to use all over GitHub, even after you leave Geneseo. Your Geneseo email account becomes inaccessible after a certain period of time when you leave Geneseo, and you will have difficulties accessing your GitHub account if it is the only email registered to the account. Review the article for Account Eligibility for more information on when your Geneseo account expires after you leave the college.
   When creating a username for your account, be sure it does not violate the Information Technology Acceptable Use Policy or Student Code of Conduct. In addition to disciplinary action from Geneseo, it's possible GitHub itself may take actions against accounts they deem to violate their Acceptable Use Policy, which may include terminating your account. When creating your username, remember that your account will outlive your time at Geneseo. If you use GitHub in a future professional position, you do not want your username to reflect poorly on you.
2. Add your Geneseo email as a verified email by following GitHub's documentation for adding another email to your account
3. Gain access to the SUNY Geneseo organization by performing the following steps:
   - Navigate to https://myapplications.microsoft.com/#optIn
   - Click Add apps then Request new apps in the dropdown that appears
   - On the Suggested apps page, click on GitHub - SUNYGeneseo
   - Click Add
   - In the Add app confirmation window that appears, click Add
   - Once the confirmation message appears, you have begun the process of gaining access, but you may need to wait up to 40 minutes for it to be granted by the system
4. Once access is granted, you will receive an email from GitHub informing you that you have been invited to join the @SUNYGeneseo organization by @gsusystems
5. Clicking on the Join @SUNYGeneseo button or the invite link at the bottom of the email will take you to a sign in page where you can enter the credentials for your personal GitHub account or create an account if you do not already have one
   - If you receive an error message about your account lacking a verified email address, make sure you are signing into the account you want to use for Geneseo and that you have added and verified your Geneseo email address on the account using the instructions linked in step 2
6. You will be presented with a prompt to authenticate by logging into SUNY Geneseo's single sign-on provider; click Continue
   - If you see a slightly different window with the option to create an account, do not create an account there if you did not create an account in step 1, as you will be required to use your Geneseo email, which is not recommended
7. You will be redirected to the Microsoft sign in page
8. Enter your Geneseo email and password, and complete the MFA prompt if required
9. Your account is now associated with your Geneseo single sign-on identity, and you will be taken back to GitHub
10. Your account now has access to the SUNY Geneseo organization
   - At this point, you may create your own repository within the organization
   - Access to any private repositories you are supposed to have access to may take up to 40 minutes to be granted, as that is the sync interval between GitHub and our single sign-on provider
GitHub PATs and SSH Keys
GitHub allows for the use of Personal Access Tokens (PATs) and Secure Shell Protocol (SSH) keys to access and write data to repositories. PATs can be used with the GitHub CLI as well as to access the GitHub API. Both PATs and SSH keys can be used to pull code from a GitHub repository to a local repository on your computer as well as push code from a local repository to a GitHub repository by using Git. The below examples show the different addresses used for communicating to a repository via PAT versus via SSH:
PATs and SSH keys should be treated with the same level of security as a password, as they can be used to access anything on GitHub your account has access to. You should secure SSH keys with a strong passphrase for extra security. To get started with PATs and SSH keys, review the GitHub guides for them listed below:
Because the SUNYGeneseo organization is configured with single sign-on, there are some additional caveats to using PATs and SSH keys. Personal access tokens (Classic) are disabled in the organization for security reasons. If you want to use a PAT, you must create a fine-grained personal access token. Any SSH key you want to use to access the organization must be authorized first. Refer to GitHub's documentation on how to authorize an SSH key for an organization that uses single sign-on.
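The following is an added example, not part of the original article: a shell function that reads a GitHub remote address in either the HTTPS form (used with a PAT) or the SSH form, extracts the Repository Owner/Repository Name pair described earlier, and reports whether the owner is the SUNYGeneseo organization. It also flags HTTPS addresses that carry a username or token before the host, since a PAT placed there is stored in plain text in the local Git configuration. The function name, the sample owners and repositories, and `TOKEN_PLACEHOLDER` are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: classify a GitHub remote address by transport and owner.
# ORG is the organization name from this page; all sample URLs are constructed.
ORG="SUNYGeneseo"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Prints "<transport> <owner> <repo> <org|personal> <userinfo|clean>".
classify_remote() {
  local url="$1" transport path owner repo kind=personal userinfo=clean
  case "$url" in
    https://*@github.com/*)    # credentials or a username embedded in the URL
      transport=https; userinfo=userinfo; path="${url#https://*@github.com/}" ;;
    https://github.com/*)
      transport=https; path="${url#https://github.com/}" ;;
    git@github.com:*)          # scp-style SSH address
      transport=ssh; path="${url#git@github.com:}" ;;
    ssh://git@github.com/*)
      transport=ssh; path="${url#ssh://git@github.com/}" ;;
    *) echo "unknown"; return 1 ;;
  esac
  path="${path%/}"; path="${path%.git}"
  owner="${path%%/*}"; repo="${path#*/}"
  if [ -z "$owner" ] || [ "$owner" = "$path" ] || [ -z "$repo" ]; then
    echo "unknown"; return 1
  fi
  # GitHub owner names are not case-sensitive.
  if [ "$(lower "$owner")" = "$(lower "$ORG")" ]; then kind=org; fi
  echo "$transport $owner $repo $kind $userinfo"
}

# Demo on constructed addresses; in a real clone, pass `git remote get-url origin`.
for u in \
  "https://github.com/SUNYGeneseo/example-repo.git" \
  "git@github.com:octo-student/notes.git" \
  "https://octo-student:TOKEN_PLACEHOLDER@github.com/sunygeneseo/tools"
do
  printf '%-70s -> %s\n' "$u" "$(classify_remote "$u")"
done
```

A result ending in `userinfo` is worth reviewing: remove the credential from the remote address and let a credential helper or an authorized SSH key handle authentication instead.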
GitHub Repository Visibility
In order to provide ease of use within the SUNYGeneseo organization, CIT has not restricted the types of repositories that members of the organization can create. This means it is up to the repository owner to decide which level of visibility is acceptable for their code. The three repository visibilities are:
- Private - These repositories can only be seen by members who are directly given access to them, either by having their account added or by being a member of a team with at least read permissions to the repository. Organization owners (members of CIT's Server and Endpoint Systems group) can also see private repositories.
- Internal - These repositories can be seen by anyone in the SUNY Geneseo enterprise, meaning both members of the SUNYGeneseo organization and some members of CIT beyond the organization owners. Specific users are granted additional permissions in the repository's settings.
- Public - These repositories can be seen by anyone on the web, regardless of their affiliation to Geneseo. Specific users are granted additional permissions in the repository's settings.
Hardcoded Secrets
Secrets are information such as passwords, API keys, and SSH private keys: basically anything that will grant access to a system or service beyond what is publicly available. A hardcoded secret is a secret included in your code unencrypted. Hardcoding secrets is not recommended in general, but it is easier for development and sometimes unavoidable. However, before you commit your code to GitHub, you should remove these secrets from your code. Private repositories are generally safe, since people added to the repository probably also know the secret; however, GitHub is a service hosted on the internet, meaning there is a chance of a data breach which exposes them. Internal repositories can be seen by anyone in Geneseo with access to GitHub. You likely do not want all those people to have access to your secrets. Public repositories are visible to everyone on the internet.
If you publish a secret to a public repository, it has been compromised, and you should regenerate the password/API key/SSH key immediately to protect your data.
There are some free tools to help protect your secrets. Gitleaks is a free utility you can run on your local computer to scan your Git repositories for secrets. BFG Repo-Cleaner is a free tool used to clean secrets out of your Git commit history. Even if you don't have secrets in your code now, if you had them in your code at any point while using Git for version control, the secret is still accessible in the version history. However, BFG can be used to redact these secrets in the Git history, keeping your data safe. Using these two tools together is highly recommended to help protect your secrets.
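The point about version history can be checked directly with Git itself. The following is an added example, not part of the original article and not a replacement for Gitleaks or BFG: it builds a throwaway repository in which one commit hardcodes a key and the next commit removes it, then shows that the current files are clean while an earlier commit still contains the key. The repository contents, the file name `settings.py` and the key value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a secret removed in a later commit is still in Git history.
# The repository, file name and key below are constructed for the demo.
FAKE_KEY="EXAMPLE_API_KEY_0123456789abcdef"   # constructed, not a real credential

# Build a throwaway repo: commit 1 hardcodes the key, commit 2 removes it.
make_demo_repo() {
  local dir
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" && git init -q . &&
    git config user.name "Demo" && git config user.email "demo@example.invalid" &&
    git config commit.gpgsign false &&
    printf 'API_KEY = "%s"\n' "$FAKE_KEY" > settings.py &&
    git add settings.py && git commit -q -m "Add settings" &&
    printf 'API_KEY = os.environ["API_KEY"]\n' > settings.py &&
    git commit -q -a -m "Read key from environment"
  ) >/dev/null 2>&1 || return 1
  echo "$dir"
}

# Exit status 0 if the string is in the currently checked-out files.
in_worktree() { git -C "$1" grep -q -F -e "$2"; }

# Print how many commits (on any ref) have a snapshot containing the string.
commits_containing() {
  local repo="$1" needle="$2" c n=0
  for c in $(git -C "$repo" rev-list --all); do
    if git -C "$repo" grep -q -F -e "$needle" "$c"; then n=$((n + 1)); fi
  done
  echo "$n"
}

if repo=$(make_demo_repo); then
  if in_worktree "$repo" "$FAKE_KEY"; then echo "working tree: key present"
  else echo "working tree: clean"; fi
  echo "commits still containing the key: $(commits_containing "$repo" "$FAKE_KEY")"
  rm -rf "$repo"
fi
```

A count above zero means the value can still be read from the history of anyone who can fetch the repository, so it should be regenerated and the history cleaned as described above.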
Still Need Help?
Ask CIT! Call (585-245-5588), chat, or submit a request and we'll be happy to assist you.