Requested Contribution

Setting up inner source requested contribution access to your repository.

This public content is an excerpt from Flutter staff GitHub docs. It is published as a reference to show how GitHub is used for inner source at Flutter.

Requested Contribution is one of several recommended access models for Flutter-Global repositories. It’s best for inner source repositories used by many teams which have a small, clearly defined contributor group. It allows all Flutter-Global members to use the repository code. It increases the effort to contribute by requiring an access request. It’s harder to setup than Open Contribution because you must manage your own contributor team. However, limited write access helps you manage the risk of any known weaknesses in your security controls.

Access Permissions

  • Grant the all-flutter-global team read permission.
  • Grant your contributor team write permission.
  • Grant a maintainer team admin permission.

To do this in a Codebase Governor repository file:

# enforce no admins other than owner & maintainers
admins: {}

# allow contribution from your contributor team
contributors:
  teams:
    - your-contributor-team-slug

# allow read access to all members of Flutter-Global
readers:
  teams:
    - all-flutter-global

You must decide how you wish to manage your contributor team. Read more about using existing teams or managing your own team here.

Contributor Protection

Choose from Audited Source, Reviewed Source or Multiple Team Source. If not sure – use Reviewed Source which requires a contributor to raise a pull request for approval by a maintainer. This requires branch protection – add this to your Codebase Governor repository file:

branch-protections:
  - patterns:
      - "main"
    parameters:
      required-reviews-count: 1
      requires-codeowner-reviews: true

To ensure maintainers must approve pull requests, add a CODEOWNERS file in the root directory of your repository referencing the capability maintainer team:

# replace 'example-name' with your capability name:
*       @Flutter-Global/maintainers-cap-example-name

Threat Analysis

This access model involves wide read permissions. Your threat analysis should consider:

  • Leaked Secrets : The wide visibility of the repository means wide exposure of a secret committed by mistake.
  • Leaked Content : The wide visibility of the repository means wide exposure of any sensitive intellectual property contained within it (e.g. pricing algorithms).

If the risk is too high – consider Requested Access instead.