GitHub Permission Sync
Overview
GitHub Permission Sync has two parts:
- Link Claustrum users to GitHub identities (
github_user_links) - Sync repository permissions into Claustrum project roles
For detailed permission math and cache behavior, see:
Flow
- Connect GitHub App installation
- Sync repositories to cache and link repo-level projects
- Create user links (
user_id↔github_login, optionalgithub_user_id) - Run permission sync (
dry_runfirst (preview), then apply) - Claustrum computes
max(direct collaborator, team-derived permission)before role mapping
Modes
add_only (default)
- Adds missing
project_members - Upgrades role when GitHub permission implies a higher role
- Does not remove members
- Does not downgrade members
add_and_remove
- Applies add/update/remove for linked users
- Removes linked users that no longer have repo permission
- Owner protection rule is applied
Default Role Mapping
{
"admin": "maintainer",
"maintain": "maintainer",
"write": "writer",
"triage": "reader",
"read": "reader"
}
Operational Tips
- Use
dry_run=truebefore applying changes in production workspaces. - Large installations should sync in scheduled batches.
- GitHub API limits can cause partial success; check repo error list in sync result.
- Prefer storing
github_user_idfor rename resilience (login can change).
Unmatched Users
If a GitHub collaborator has no github_user_links match:
- it is counted in
skipped_unmatched - it appears in
unmatched_userspreview - no Claustrum role is changed for that identity
Endpoints
GET /v1/workspaces/:key/github/user-linksPOST /v1/workspaces/:key/github/user-linksDELETE /v1/workspaces/:key/github/user-links/:userIdPOST /v1/workspaces/:key/github/sync-permissionsGET /v1/workspaces/:key/github/permission-statusGET /v1/workspaces/:key/github/permission-preview?repo=owner/repoGET /v1/workspaces/:key/github/cache-status