Creating New Repos with the GitHub Access Manager
The container-platform-github-access repo manages GitHub repository settings, team access, branch protection rulesets, and compliance standards for all Container Platform repositories via Terraform.
This guide describes how to create a new repository using the manager repo.
Prerequisites
- You have write access to container-platform-github-access
- You have access to the GitHub App installation settings for “Container Platform Access”
- Your commits are signed (GPG or SSH)
Step 1: Add the repo config
Add a new entry to github-repositories.tf:
container_platform_something_new = {
name = "container-platform-something-new"
description = "Description of the repo"
has_projects = true
access = {
admins = [module.github_team.id, data.github_team.cloud_platform_engineers.id, data.github_team.webops.id]
pushers = [data.github_team.all_org_members.id]
}
}
Step 2: Using the template repo
To create a repo from container-platform-terraform-template, you must set use_template = true. Without it, the repo is created empty:
container_platform_terraform_foo = {
name = "container-platform-terraform-foo"
description = "Foo Terraform module for the Container Platform"
use_template = true
has_projects = true
access = {
admins = [module.github_team.id, data.github_team.cloud_platform_engineers.id, data.github_team.webops.id]
pushers = [data.github_team.all_org_members.id]
}
}
The template is hardcoded to:
- Owner:
ministryofjustice - Repository:
container-platform-terraform-template
These are set in modules/github/repository/variables.tf. To use a different template, you would need to modify the module call in github-repositories.tf to pass through template_repository_owner and template_repository.
Step 3: Optional settings
Override module defaults as needed:
# Internal repo
visibility = "internal"
# Template repo (others can create repos from it)
is_template = true
# GitHub Pages
pages_enabled = true
pages_configuration = {
cname = "my-site.service.justice.gov.uk"
}
# Discussions
has_discussions = true
# Custom topics
topics = ["custom-topic-1", "custom-topic-2"]
Notable defaults for new repos:
has_wiki = false(wiki disabled)has_projects = false(must settrueif needed)allow_merge_commit = false(only squash merge allowed)delete_branch_on_merge = trueweb_commit_signoff_required = truearchive_on_destroy = true(removing from config archives the repo, does not delete it)
Step 4: Adding new team access
If the repo needs a team that is not already in data.tf, add a data source first:
data "github_team" "new_team" {
slug = "new-team-slug"
}
Then reference it in the repo config:
access = {
admins = [module.github_team.id, data.github_team.cloud_platform_engineers.id]
pushers = [data.github_team.new_team.id]
}
What gets created automatically
For each repo added, the module creates:
- The repository with all settings applied
- A branch protection ruleset on the default branch (signed commits, code owner reviews, stale review dismissal, linear history)
- Dependabot security updates enabled
- Team access (admin and push)
- Security and analysis settings (secret scanning, push protection)
- Default topics:
ministryofjustice,container-platform
GitHub App access
Newly-created repositories do not require any manual GitHub App scope changes. The “Container Platform Access” app creates the repository and is automatically granted access to it, so the apply will not fail with a 403 error.
[!NOTE] This is different from importing an existing repository. Because the app cannot be granted access to a repository that does not exist yet, the manual scope step only applies to imports. For that workflow, see the Importing Existing Repositories runbook.
Troubleshooting
- Applying a template to an existing repository does nothing.