
GitHub Repository Permissions and Access Review SOP

GitHub Repository Permissions and Access Review SOP template for reviewing repo access, branch protection, CODEOWNERS coverage, and permission changes. Use i...


Steps

1. Confirm scope and review type

The repository administrator verifies the review period, the repositories in scope, and the reason for the access review. Record the following:
- Repository name and owner
- Review type: periodic review, new access request, permission change, or audit follow-up
- Review period start and end dates
- Required approver or control owner

If the repository is not in scope, escalate to the control owner and stop the review.

2. Capture the current access state

The repository administrator exports or records the current repository collaborators, teams, roles, branch protection rules, and CODEOWNERS file location. Capture evidence for:
- Direct collaborators and their permission levels
- Teams with repository access
- Branch protection rules on protected branches
- CODEOWNERS file presence and path
- Recent access changes since the last review

3. Compare permissions against the approved access list

The security administrator compares each collaborator and team permission against the approved access list. Verify that:
- Each user has a documented business need
- Each permission level matches the approved role
- No inactive, transferred, or terminated users retain access
- No direct admin access exists unless explicitly approved

Record any deviation as a non-conformance and assign an owner for remediation.

4. Verify branch protection controls

The repository administrator verifies that protected branches have the required controls enabled. Check for:
- Required pull request reviews
- Required status checks before merge
- Restriction on force pushes
- Restriction on branch deletion
- Required review from code owners where applicable

If a required control is missing, escalate to the repository owner and document the deviation.

5. Verify CODEOWNERS coverage

The engineering manager verifies that the CODEOWNERS file covers critical directories, sensitive files, and release paths. Confirm that:
- The CODEOWNERS file exists in the expected location
- Critical paths are assigned to competent owners
- Ownership is current for active teams and services
- No critical path is left without an owner

If coverage is incomplete, create a non-conformance and assign corrective action.

6. Review pending access requests and permission changes

The repository administrator reviews any pending access request or permission change. Assess whether the request has:
- Business justification
- Least-privilege alignment
- Manager or control-owner approval
- Time-bound access if elevated permissions are requested

7. Apply the approved change

The repository administrator grants, modifies, or revokes the repository permission exactly as approved. Apply the minimum access required and confirm that the change is reflected in GitHub. If elevated access is granted, set a review date or expiration date where the platform supports it.

8. Escalate unresolved deviations

The security administrator escalates any unresolved deviation, missing approval, or control gap to the repository owner and compliance owner. Escalate when:
- A user retains access without a valid business need
- Branch protection is missing a required control
- CODEOWNERS coverage is incomplete for critical paths
- A permission change exceeds approved tolerance

Do not close the review until the escalation owner records a disposition.

9. Record the review outcome

The repository administrator records the review outcome in the change log or ticketing system. Include:
- Review date and reviewer name
- Repositories reviewed
- Permissions verified or changed
- Branch protection status
- CODEOWNERS coverage status
- Deviations, non-conformances, and escalations
- Final approval or closure note

Retain evidence according to the organization's documented information retention requirements.
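The branch protection and CODEOWNERS checks above can be automated against evidence captured in step 2. The following is an added example, not part of the SOP template: it evaluates a branch protection object shaped like the GitHub REST API response (the sample data, owner names and critical paths are constructed) and reports critical paths that no CODEOWNERS rule assigns an owner to. The CODEOWNERS matcher is a simplified gitignore-style approximation, which is an assumption, not GitHub's exact matching.

```python
import fnmatch

# Constructed sample shaped like GET /repos/{owner}/{repo}/branches/{branch}/protection
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1, "require_code_owner_reviews": False},
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": True},
}
# Constructed CODEOWNERS content and constructed critical paths for the coverage check
SAMPLE_CODEOWNERS = """
/deploy/    @org/release-eng
/src/auth/  @org/security
*.tf        @org/platform
"""
CRITICAL_PATHS = ["deploy/release.sh", "src/auth/token.py", "infra/main.tf", "src/billing/charge.py"]

def check_branch_protection(protection: dict) -> list[str]:
    """SOP-required controls missing from one branch's protection object; absent fields count as unverified."""
    reviews = protection.get("required_pull_request_reviews") or {}
    checks = protection.get("required_status_checks") or {}
    findings = [
        ("required pull request reviews", reviews.get("required_approving_review_count", 0) < 1),
        ("required status checks", not (checks.get("contexts") or checks.get("checks"))),
        ("force push restriction", (protection.get("allow_force_pushes") or {}).get("enabled", True)),
        ("branch deletion restriction", (protection.get("allow_deletions") or {}).get("enabled", True)),
        ("required review from code owners", not reviews.get("require_code_owner_reviews")),
    ]
    return [name for name, missing in findings if missing]

def codeowners_rules(text: str) -> list[tuple[str, list[str]]]:
    """(pattern, owners) per rule; a pattern listed with no owners clears ownership."""
    fields = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(f[0], f[1:]) for f in fields if f]

def owners_for(path: str, rules) -> list[str]:
    """Last matching rule wins; simplified matching (assumption): dir/ prefix, path glob, or basename glob."""
    owners = []
    for pattern, rule_owners in rules:
        p = pattern.lstrip("/")
        if p.endswith("/"):
            hit = path.startswith(p)
        else:
            hit = fnmatch.fnmatch(path if "/" in p else path.rsplit("/", 1)[-1], p)
        if hit:
            owners = rule_owners
    return owners

def uncovered_paths(paths: list[str], codeowners: str) -> list[str]:
    """Critical paths with no owner; each one is a non-conformance under the SOP."""
    return [p for p in paths if not owners_for(p, codeowners_rules(codeowners))]
```

On the constructed sample the branch check flags the missing deletion restriction and the missing code-owner review requirement, and the coverage check flags src/billing/charge.py, which no rule owns.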
