Skip to main content

Creating New Repos with the GitHub Access Manager

The container-platform-github-access repo manages GitHub repository settings, team access, branch protection rulesets, and compliance standards for all Container Platform repositories via Terraform.

This guide describes how to create a new repository using the manager repo.

Prerequisites

  • You have write access to container-platform-github-access
  • You have access to the GitHub App installation settings for “Container Platform Access”
  • Your commits are signed (GPG or SSH)

Step 1: Add the repo config

Add a new entry to github-repositories.tf:

container_platform_something_new = {
  name         = "container-platform-something-new"
  description  = "Description of the repo"
  has_projects = true
  access = {
    admins  = [module.github_team.id, data.github_team.cloud_platform_engineers.id, data.github_team.webops.id]
    pushers = [data.github_team.all_org_members.id]
  }
}

Step 2: Using the template repo

To create a repo from container-platform-terraform-template, you must set use_template = true. Without it, the repo is created empty:

container_platform_terraform_foo = {
  name         = "container-platform-terraform-foo"
  description  = "Foo Terraform module for the Container Platform"
  use_template = true
  has_projects = true
  access = {
    admins  = [module.github_team.id, data.github_team.cloud_platform_engineers.id, data.github_team.webops.id]
    pushers = [data.github_team.all_org_members.id]
  }
}

The template is hardcoded to:

  • Owner: ministryofjustice
  • Repository: container-platform-terraform-template

These are set in modules/github/repository/variables.tf. To use a different template, you would need to modify the module call in github-repositories.tf to pass through template_repository_owner and template_repository.

Step 3: Optional settings

Override module defaults as needed:

# Internal repo
visibility = "internal"

# Template repo (others can create repos from it)
is_template = true

# GitHub Pages
pages_enabled = true
pages_configuration = {
  cname = "my-site.service.justice.gov.uk"
}

# Discussions
has_discussions = true

# Custom topics
topics = ["custom-topic-1", "custom-topic-2"]

Notable defaults for new repos:

  • has_wiki = false (wiki disabled)
  • has_projects = false (must set true if needed)
  • allow_merge_commit = false (only squash merge allowed)
  • delete_branch_on_merge = true
  • web_commit_signoff_required = true
  • archive_on_destroy = true (removing from config archives the repo, does not delete it)

Step 4: Adding new team access

If the repo needs a team that is not already in data.tf, add a data source first:

data "github_team" "new_team" {
  slug = "new-team-slug"
}

Then reference it in the repo config:

access = {
  admins  = [module.github_team.id, data.github_team.cloud_platform_engineers.id]
  pushers = [data.github_team.new_team.id]
}

What gets created automatically

For each repo added, the module creates:

  • The repository with all settings applied
  • A branch protection ruleset on the default branch (signed commits, code owner reviews, stale review dismissal, linear history)
  • Dependabot security updates enabled
  • Team access (admin and push)
  • Security and analysis settings (secret scanning, push protection)
  • Default topics: ministryofjustice, container-platform

GitHub App access

Newly-created repositories do not require any manual GitHub App scope changes. The “Container Platform Access” app creates the repository and is automatically granted access to it, so the apply will not fail with a 403 error.

[!NOTE] This is different from importing an existing repository. Because the app cannot be granted access to a repository that does not exist yet, the manual scope step only applies to imports. For that workflow, see the Importing Existing Repositories runbook.

Troubleshooting

This page was last reviewed on 29 June 2026. It needs to be reviewed again on 29 December 2026 by the page owner #cloud-platform-notify .