authz/github: repo-centric groups sync does not account for repo being visibility `internal`

Created by: bobheadxi

This pertains to groupsCacheTTL-enabled sync only.

We don't currently honor GitHub's internal repositories, instead treating them as private, where they should actually be open to anyone who is a member of the GitHub org.

The current implementation only grants access to:

  • users with direct affiliations
  • the entire org, if org-level visibility is read
  • affiliated teams, if org-level visibility is not read

This needs to check for another case: if repo visibility is internal, we should grant access to the entire org as well.
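As an added illustration (not Sourcegraph's code), the rules above plus the missing internal case written out as one decision function; the visibility values mirror GitHub's repository visibility settings, and every other name is hypothetical:

```go
package main

import "fmt"

// Added example, not Sourcegraph's implementation: the visibility values match
// GitHub's repository visibility settings; every other name here is hypothetical.
type Visibility string

const (
	Private  Visibility = "private"
	Internal Visibility = "internal"
)

// Repo carries what a repo-centric sync needs to decide who may read it.
type Repo struct {
	Org             string
	Visibility      Visibility
	DirectUsers     []string // users with direct affiliations
	AffiliatedTeams []string // teams affiliated with the repo
}

// Grant lists the principals the sync should grant read access to.
type Grant struct {
	Users    []string
	Teams    []string
	WholeOrg bool // every member of Repo.Org may read
}

// grantsFor encodes the three existing rules from the issue plus the missing
// fourth one: an internal repo is readable by the whole org regardless of the
// org-level default permission.
func grantsFor(r Repo, orgDefaultRead bool) Grant {
	g := Grant{Users: r.DirectUsers}
	switch {
	case orgDefaultRead:
		g.WholeOrg = true // org-level visibility is read: everyone in the org
	case r.Visibility == Internal:
		g.WholeOrg = true // the missing case: internal repos are org-wide
	default:
		g.Teams = r.AffiliatedTeams // private repo, restrictive org default
	}
	return g
}

func main() {
	r := Repo{Org: "acme", Visibility: Internal, DirectUsers: []string{"alice"}, AffiliatedTeams: []string{"backend"}}
	fmt.Printf("%+v\n", grantsFor(r, false))
}
```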

Note that this is not related to some of the other internal-visibility-related issues like the one outlined here: https://github.com/sourcegraph/sourcegraph/issues/17153#issuecomment-852846420