This directory contains scripts for interacting with the GitHub API / GraphQL using the gh cli 🚀.
$ brew install gh # install gh cli on mac with brew
$ brew upgrade gh # upgrade
$ choco install gh # install gh cli on windows with chocolatey
$ choco upgrade gh # upgrade
MSI installer is available here
Other operating systems and install methods can be found here
# start interactive authentication
$ gh auth login
# start interactive authentication specifying additional scopes
$ gh auth login -s admin:org
# add additional scopes to existing token
$ gh auth refresh -s admin:org
# authenticate to github.com by reading the token from a file
$ gh auth login --with-token < mytoken.txt
# authenticate from standard input
$ echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token
# authenticate by setting an environment variable
$ export GH_TOKEN=${{ secrets.GITHUB_TOKEN }}
# authenticate to a GitHub Enterprise Server instance
$ gh auth login -h github.mycompany.com # -h github.com is the default
- run: gh api -X GET --paginate /repos/joshjohanning/github-misc-scripts/pulls -f state=all --jq '.[].title'
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
See the docs for further information.
Adds all members of an organization to a team.
Adds all users who are direct members of the repository to a ProjectV2 with a given role.
Requires: ./add-user-to-project.sh
Adds a status check to the branch protection status check contexts.
See the docs for more information.
Adds a CODEOWNERS file to a list of repositories.
- Run:
./generate-repositories-list.sh <org> > repos.csv
  - Or create a list of repos in a csv file, 1 per line, with a trailing empty line at the end of the file
- Run:
./add-codeowners-file-to-repositories.sh repos.csv ./CODEOWNERS false
  - For the 3rd argument, pass true if you want to overwrite existing file, otherwise it appends to existing
Note
This checks for a CODEOWNERS file in the 3 possible locations (root, .github, and docs)
Adds a user with a specified role to a repository. Used in the ./copy-permissions-between-organization-repositories.sh script.
Adds a user from an Enterprise into an org. See: Documentation
Adds a .gitignore file to a list of repositories.
- Run:
./generate-repositories-list.sh <org> > repos.csv
  - Or create a list of repos in a csv file, 1 per line, with a trailing empty line at the end of the file
- Run:
./add-gitignore-file-to-repositories.sh repos.csv ./.gitignore false
  - For the 3rd argument, pass true if you want to overwrite existing file, otherwise it appends to existing
Adds an IP to an enterprise's or organization's IP allow list.
Use the get-enterprise-id.sh or get-organization-id.sh script to get the owner ID.
See the docs for further information.
Adds a sub-issue (child) to an issue (parent). See: Community Discussions Post
This script adds a specified team to a list of repositories with specified permissions.
Adds a team to a repository with a given permission level
Example usage:
./add-team-to-repository.sh joshjohanning-org my-repo push my-team
Adds a user to a ProjectV2 with a given role
Example usage:
./add-user-to-project.sh <organization> <repository> <project-number> <role> <user>
./add-user-to-project.sh joshjohanning-org my-repo 1234 ADMIN joshjohanning
Example roles:
- ADMIN
- WRITER
- READER
- NONE
Adds a user to a repository with a given permission
Example usage:
./add-user-to-repository.sh joshjohanning-org my-repo write joshjohanning
This will also attempt to check whether there is an existing pending invitation for this user and, if it has expired, cancel it. This can be opted out of by passing in true as the 5th parameter, such as:
# don't check to see if existing invite is present; i.e. if adding existing organization user to repository
./add-user-to-repository.sh joshjohanning-org my-repo write joshjohanning true
Adds (invites) a user to an organization team
Invites users to a GitHub team from a list.
- Create a new csv file with the users you want to add, 1 per line
- Make sure to leave a trailing line at the end of the csv
- Run:
./add-users-to-team-from-list.sh users.csv <org> <team>
Example input file:
joshjohanning
FluffyCarlton
Adds a workflow file to the default branch in a CSV list of repositories
Usage:
1. Run: ./generate-repositories-list.sh <org> > repos.csv
- Or create a list of repos in a csv file, 1 per line, with a trailing empty line at the end of the file
- DO NOT REMOVE TRAILING NEW LINE IN THE INPUT CSV FILE
2. Run: ./add-workflow-file-to-repositories.sh repos.csv ./docker-image.yml true 390793 41851701 ./my-app.2023-09-15.private-key.pem
Archives/unarchives repositories in bulk.
Given a file with a list of repository names, it will archive/unarchive the repositories.
The repos files list should be a file with the repository names, one per line in the format owner/repo.
By default it archives the repository, but if you pass false as the second argument it will unarchive the repositories.
Usage:
archive-repositories.sh <file> <archive state (true|false)>
Example input file:
mona/octocat
mona/lisa
octocat/octocat
Change a repository visibility to internal, for example
Checks if a user is an enterprise admin (owner) using the GitHub GraphQL API.
Usage:
./check-enterprise-owner.sh <ENTERPRISE_SLUG> <USERNAME>
Checks if a user is a member of an enterprise team using the GitHub API (private preview feature).
Usage:
./check-enterprise-team-membership.sh <enterprise> <team-slug> <username>
Note
This script uses a private preview API for enterprise teams, which may change without notice.
Checks if a user is a member of a specific team in an organization using the GitHub API.
Usage:
./check-organization-team-membership.sh <organization> <team-slug> <username>
Note
Your token must have the read:org scope to view team membership.
Checks if a user is a collaborator in a given repository and determines if they have admin access.
Usage:
./check-repository-admin.sh <OWNER> <REPOSITORY> <USERNAME>
Copy organization members from one organization to the other. Each member retains the source role (owner or member). Members cannot be demoted: if they already exist at the target with an owner role, they are not demoted to member.
On Enterprise Managed Users organizations the users are only added if they are part of the Enterprise already (they need to be provisioned by the IDP)
On GitHub Enterprise Cloud the added users will get an invitation to join the organization.
Warning
For GitHub Enterprise Cloud the number of users you can copy in a day is limited per target org. See API note on rate limits for the limit values.
This script requires 2 environment variables (with another optional one):
- SOURCE_TOKEN - A GitHub Token to access data from the source organization. Requires org:read and repo scopes.
- TARGET_TOKEN - A GitHub Token to set data on the target organization. Requires org:admin and repo scopes.
- MAP_USER_SCRIPT - Path to a script to map user login. This is optional; if you set this environment variable, the script is called to map user logins before adding them on the target repo. The script receives the user login as the first argument and should return the new login. For example, if you want to add a suffix to the user login:
#!/bin/bash
echo "$1"_SHORTCODE
You can have more complex mappings; this is just a basic example, where a copy is being done between a GHEC and a GHEC EMU instance where the logins are going to be exactly the same, but the EMU instance has a suffix on the logins.
Copy organization team members from one organization to the other. Each member retains the source role (maintainer, member).
It copies the members of teams in the source organization, but only for teams that also exist in the target organization.
This script requires 2 environment variables (with another optional one):
- SOURCE_TOKEN - A GitHub Token to access data from the source organization. Requires org:read scope.
- TARGET_TOKEN - A GitHub Token to set data on the target organization. Requires org:admin and repo scopes.
- MAP_USER_SCRIPT - Path to a script to map user login. This is optional; if you set this environment variable, the script is called to map user logins before adding them on the target repo. The script receives the user login as the first argument and should return the new login. For example, if you want to add a suffix to the user login:
#!/bin/bash
echo "$1"_SHORTCODE
You can have more complex mappings; this is just a basic example, where a copy is being done between a GHEC and a GHEC EMU instance where the logins are going to be exactly the same, but the EMU instance has a suffix on the logins.
Warning
If users are not members of the target organizations they will not be added to the target team but may receive an invite to join the org.
Copy organization variables from one organization to another.
If the variable already exists on the target organization it will be updated.
Warning
If the variable is available to selected repositories and a repository with the same name doesn't exist on the target organization, that association is ignored.
Copy user and team repository member permissions to another repository (it can be in the same or on different organizations).
External collaborators are not copied intentionally.
If the team (or children of that team) doesn't exist on the target organization, one will be created (same name, description, privacy, and notification settings ONLY). If the team has child teams, those will also be created (full tree, not only direct children).
Note
The created team will not be a full copy. Only name, description and visibility are honored. If the team is associated with an IDP group, it will not be honored. If you want to change this behavior, you can modify the internal/__copy_team_and_children_if_not_exists_at_target.sh script.
This script requires 2 environment variables (with another optional one):
- SOURCE_TOKEN - A GitHub Token to access data from the source organization. Requires org:read and repo scopes.
- TARGET_TOKEN - A GitHub Token to set data on the target organization. Requires org:admin and repo scopes.
- MAP_USER_SCRIPT - Path to a script to map user login. This is optional; if you set this environment variable, the script is called to map user logins before adding them on the target repo. The script receives the user login as the first argument and should return the new login. For example, if you want to add a suffix to the user login:
#!/bin/bash
echo "$1"_SHORTCODE
You can have more complex mappings; this is just a basic example, where a copy is being done between a GHEC and a GHEC EMU instance where the logins are going to be exactly the same, but the EMU instance has a suffix on the logins.
Copy environments from one repo to another.
It copies all environments and copies the following settings:
Note
The following settings are not copied:
Copy repository variables from one repo to another.
This script requires 2 environment variables:
- SOURCE_TOKEN - A GitHub Token to access data from the source organization. Requires repo scope.
- TARGET_TOKEN - A GitHub Token to set data on the target organization. Requires repo scope.
The user running the command needs to be a repo admin or an organization owner on the target repository.
Copy team members from one team to another; it respects the source role type (maintainer, member).
Note
Only direct members are copied, child team members are not copied.
If the target team already has users, they will be preserved; this doesn't sync members between teams, it merely copies them. If you want a sync, you need to delete the existing team members in the target team before running this script.
This script requires 2 environment variables (with another optional one):
- SOURCE_TOKEN - A GitHub Token to access data from the source organization. Requires org:read scope.
- TARGET_TOKEN - A GitHub Token to set data on the target organization. Requires org:admin and repo scopes.
- MAP_USER_SCRIPT - Path to a script to map user login. This is optional; if you set this environment variable, the script is called to map user logins before adding them on the target repo. The script receives the user login as the first argument and should return the new login. For example, if you want to add a suffix to the user login:
#!/bin/bash
echo "$1"_SHORTCODE
You can have more complex mappings; this is just a basic example, where a copy is being done between a GHEC and a GHEC EMU instance where the logins are going to be exactly the same, but the EMU instance has a suffix on the logins.
Warning
If users are not members of the target organizations they will not be added to the target team but may receive an invite to join the org.
Creates an organization in an enterprise
Creates organizations in an enterprise from a CSV input list
Creates an organization webhook, with a secret, with some help from jq
Create a new repo from a repo template - note that it only creates as public or private, if you want internal you have to do a subsequent call (see change-repository-visibility.sh)
Loops through a list of teams and creates them.
- Create a list of teams in a csv file, 1 per line, with a trailing empty line at the end of the file
  - Child teams should have a slash in the name, e.g. test1-team/test1-1-team
  - Build out the parent structure in the input file before creating the child teams; e.g. have the test1-team come before test1-team/test1-1-team in the file
- Run:
./create-teams-from-list.sh teams.csv <org>
Example input file:
test11-team
test22-team
test11-team/test11111-team
test11-team/test11111-team/textxxx-team
Deletes all packages in an organization for a given package type.
Warning
This is a destructive operation and cannot be undone.
Deletes a release from a repository - need the ID of the release
Deletes a list of repositories.
- Run: ./generate-repositories-list.sh <org> > repos.csv
- Clean up the repos.csv file and remove the repos you don't want to delete
- Run: ./delete-repositories-from-list.sh repos.csv
- If you need to restore, you have 90 days to restore
Deletes all webhooks from a repository.
Warning
This operation is not reversible.
Deletes a repo - also works if the repository is locked from a failed migration, etc.
May need to run this first in order for the gh cli to be able to have delete repo permissions:
gh auth refresh -h github.com -s delete_repo
Loops through a list of teams and deletes them.
- Create a list of teams in a csv file, 1 per line, with a trailing empty line at the end of the file
  - Child teams should have a slash in the name, e.g. test1-team/test1-1-team
  - !!! Important !!! Note that if a team has child teams, all of the child teams will be deleted as well
- Run:
./delete-teams-from-list.sh teams.csv <org>
Example input file:
test11-team
test22-team
test11-team/test11111-team
test11-team/test11111-team/textxxx-team
Important
If deleting a team with child teams, all of the child teams will be deleted as well
This DELETES ALL workflow runs for a particular workflow in a repo. Can pass in a workflow file name or workflow ID.
This disables all workflows in a repository; helpful if forking or copying someone else's code and you don't want all of the actions to continuously trigger.
Downloads the most recent migration archive/export for a given organization repository.
Downloads a release artifact from a private/internal repository. Can either download latest version or specific version, and supports file pattern matching to download one or multiple files. See docs for more info.
Using curl, wget, or gh release download to download public release assets.
Enable actions on repository - similar to API example, but using gh cli
Enables secret scanning on all repositories in an organization with support for both public and private repositories.
Usage:
./enable-secret-scanning-on-repositories.sh joshjohanning-org
./enable-secret-scanning-on-repositories.sh joshjohanning-org true
The second parameter is optional for dry-run mode (true/false, defaults to false).
Features:
- Automatically handles Advanced Security enablement for private repositories when required
- Dry-run mode to preview changes without making modifications
- Comprehensive error handling and reporting
- Skips repositories where secret scanning is already enabled
Note
This requires admin access to the repositories. For private repositories, the organization must have GitHub Advanced Security enabled.
Finds attachments in issues, pull requests, and optionally, issue/pull request comments. This finds both screenshots and file attachments.
Finds and optionally cancels expired repository invitations across all repositories in an organization.
Usage:
./find-expired-repository-invitations.sh joshjohanning-org
./find-expired-repository-invitations.sh joshjohanning-org cancel
Actions:
- list (default) - List all expired invitations across all repositories
- cancel - Cancel all expired invitations across all repositories
Note
This requires admin access to the repositories in the organization.
Generates release notes between two tags. See the release notes docs on further customizations and the API docs for info on the API.
Generates a list of repos in the organization - has many uses, but the exported repos can be used in the delete-repositories-from-list.sh script.
Credits to @tspascoal from this repo: https://github.com/tspascoal/dependabot-alerts-helper
- Run:
./generate-repositories.sh <org> > repos.csv
Generates a list of users from a team in the organization - has many uses, but the exported users can be used in the remove-users-from-org.sh script.
- Run:
./generate-users-from-team <org> <team> > users.csv
Gets the status of Actions on a repository (ie, if Actions are disabled)
Exports repository variables and their values from all repositories in an organization to a CSV file.
Usage:
./get-actions-repository-variables-in-organization.sh my-org
./get-actions-repository-variables-in-organization.sh my-org repo-variables.csv
./get-actions-repository-variables-in-organization.sh my-org output.csv --repos-file=repos.txt # optionally specify an input file instead
Note
Requires write access to repositories to retrieve variables
Returns a list of all actions used in an organization using the SBOM API
Usage:
./get-actions-usage-in-organization.sh <org> [count-by-version|count-by-action] [txt|csv|md] [--resolve-shas] [--dedupe-by-repo]
Examples:
./get-actions-usage-in-organization.sh joshjohanning-org count-by-version txt > output.txt
./get-actions-usage-in-organization.sh joshjohanning-org count-by-action md > output.md
./get-actions-usage-in-organization.sh joshjohanning-org count-by-version txt --resolve-shas > output.txt
./get-actions-usage-in-organization.sh joshjohanning-org count-by-action txt --dedupe-by-repo > output.txt
Output formats:
- txt (default) - Plain text format
- csv - Comma-separated values
- md - Markdown table format
Count methods:
- count-by-version (default) - Count actions by version (actions/checkout@v2 separate from actions/checkout@v3)
- count-by-action - Count actions by name only (versions stripped)
Optional flags:
- --resolve-shas - Resolve commit SHAs to their corresponding tags (works with count-by-version only)
- --dedupe-by-repo - Count unique repositories per action (works with count-by-action only)
Example output (count-by-version) (with --resolve-shas):
Count,Action
4 actions/upload-artifact@v4
3 actions/setup-node@v3
2,actions/[email protected]
2,actions/checkout@main
2,actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # sha not associated to tag
2,actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2,actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
1,actions/dependency-review-action@v4
1,actions/checkout@v4
Example output (count-by-action) (with --dedupe-by-repo):
Count,Action
3,actions/checkout
2,actions/upload-artifact
2,actions/setup-node
1,actions/dependency-review-action
Tip
If outputting to txt or md, you'll see a warning message for each repository that returned an error (because Dependency Graph is disabled). You will also see an informational message providing context around what the count is returning. csv returns clean data.
Note
The count returned is the # of repositories that use the action@version combination - if a single repository uses the action@version combination 2x times, it will only be counted 1x (unless using count-by-action in combination with --dedupe-by-repo, which counts unique repositories per action). Conversely, if different action@version combinations are being used, they will be counted separately (for example, if the same action appears twice in a repository but one uses @v2 and one uses @v3, by default they will be counted separately unless using count-by-action in combination with --dedupe-by-repo).
Note
Using --resolve-shas will add additional API calls, but we attempt to cache tag lookups to improve performance. The cache is stored in temporary files and automatically cleaned up when the script exits.
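A way to use the count-by-version CSV output for a pinning review, as an added example that is not part of this repository's scripts: it classifies each action@ref row as pinned to a commit SHA, a version tag, or a floating ref such as a branch. The function names and the sample rows are assumptions constructed for illustration, in the same shape as the example output above.

```shell
#!/bin/sh
# Added example (not from the repository). Reads "Count,Action" CSV rows like
# the count-by-version output and reports how each reference is pinned.

# classify_pins: CSV on stdin -> one "kind,count,action@ref" line per row.
#   sha      : 40-character hex commit SHA (immutable reference)
#   tag      : version-like ref such as v4 or v3.1.0 (can be moved upstream)
#   floating : anything else, e.g. a branch name like main
classify_pins() {
  awk -F',' '
    NR == 1 && $1 == "Count" { next }      # skip the header row
    NF < 2 { next }                        # ignore blank or malformed rows
    {
      count = $1
      action = $2
      sub(/[ \t]*#.*$/, "", action)        # drop a trailing "# v4.2.2" comment
      n = index(action, "@")
      if (n == 0) next                     # no ref present, nothing to classify
      ref = substr(action, n + 1)
      if (length(ref) == 40 && ref ~ /^[0-9a-f]+$/) kind = "sha"
      else if (ref ~ /^v?[0-9]+(\.[0-9]+)*$/) kind = "tag"
      else kind = "floating"
      print kind "," count "," action
    }'
}

# pin_summary: CSV on stdin -> "sha=<n> tag=<n> floating=<n>", where n sums the
# Count column (repositories using that action@ref combination).
pin_summary() {
  classify_pins | awk -F',' '
    { total[$1] += $2 }
    END { printf "sha=%d tag=%d floating=%d\n", total["sha"], total["tag"], total["floating"] }'
}

# unpinned_refs: CSV on stdin -> every action@ref not pinned to a commit SHA.
unpinned_refs() {
  classify_pins | awk -F',' '$1 != "sha" { print $3 }'
}

# Constructed sample rows in the same shape as the example output.
SAMPLE_CSV='Count,Action
4,actions/upload-artifact@v4
3,actions/setup-node@v3
2,actions/checkout@main
2,actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
1,actions/dependency-review-action@v4'

printf '%s\n' "$SAMPLE_CSV" | pin_summary
printf '%s\n' "$SAMPLE_CSV" | unpinned_refs
```

Feed it the csv output format, since txt and md include warning and informational messages that are not data rows.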
Returns a list of all actions used in a repository using the SBOM API
Usage:
./get-actions-usage-in-repository.sh <org> <repo> [--resolve-shas]
Examples:
./get-actions-usage-in-repository.sh joshjohanning-org ghas-demo
./get-actions-usage-in-repository.sh joshjohanning-org ghas-demo --resolve-shas
Optional flags:
- --resolve-shas - Resolve commit SHAs to their corresponding tags
Example output (with --resolve-shas):
actions/checkout@v4
actions/dependency-review-action@v4
ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # sha not associated to tag
actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # sha not associated to tag
actions/checkout@v3
github/codeql-action/analyze@v2
github/codeql-action/autobuild@v2
github/codeql-action/init@v2
Note
Using --resolve-shas will add significant time to resolve commit SHAs to their corresponding tags
Gets all users who have created an issue, pull request, issue comment, or pull request comment in a repository.
Generates a JWT for a GitHub app and uses that JWT to generate installation tokens for each org installation. The installation tokens, returned as ghs_abc, can then be used for normal API calls. It requires the App ID and Private Key pem file as input.
Note
- Not using gh-cli since we have to pass in JWT using curl (but otherwise no PAT required)
- Similar script to get-apps-installed-in-organization.sh, but this one doesn't have a python dependency
- Thanks @kenmuse for the starter!
Get the slug of the apps installed in an organization.
Gets a branch protection rule for a given branch.
Gets the branch protection status check contexts.
See the docs for more information.
Get code scanning analyses status for every repository in an organization.
Example output:
"joshjohanning-org/ghas-demo","CodeQL","refs/pull/140/merge","2023-04-28T07:08:36Z",".github/workflows/codeql-analysis.yml:analyze"
"joshjohanning-org/zero-to-hero-codeql-test","CodeQL","refs/heads/main","2023-04-23T20:28:16Z",".github/workflows/codeql-analysis.yml:analyze"
"joshjohanning-org/Python_scripts_examples","CodeQL","refs/heads/main","2023-04-24T14:21:16Z",".github/workflows/codeql-analysis.yml:analyze"
joshjohanning-org/.github, no code scanning results
"joshjohanning-org/azdo-terraform-tailspin","defsec","refs/heads/main","2023-04-22T21:35:22Z",".github/workflows/tfsec-analysis.yml:tfsec"
Gets the commits since a certain date - date should be in ISO 8601 format, i.e.: since=2022-03-28T16:00:49Z
Gets dependencies used in the repository, including the ecosystem and version number.
Example output:
npm/[email protected]
pypi/[email protected]
maven/io.jsonwebtoken/[email protected]
golang/github.com/mattn/[email protected]
githubactions/actions/checkout@3
In a 1 year block, return the date of the first non-public contribution
The date of the first restricted contribution the user made in this time period. Can only be non-null when the user has enabled private contribution counts.
See also: Another example
This queries the Enterprise audit log API to specifically return if features have been enabled or disabled in an organization since a given date.
Additional resources:
- Using the audit log API for your enterprise
- Searching the audit log for your enterprise
- Get the audit log for an enterprise
Get the enterprise ID used for other GraphQL calls. Use the URL slug of the Enterprise as the input.
Adding -H X-Github-Next-Global-ID:1 per the documentation here to get the new ID format:
- https://github.blog/changelog/2022-11-10-graphql-legacy-global-id-deprecation-message/
- https://docs.github.com/en/graphql/guides/migrating-graphql-global-node-ids
Gets the current IP allow list for an enterprise.
See the docs for further information.
Get a list of all members in an enterprise
Get a list of organizations in an enterprise the user is a member of
Gets the organizations in an enterprise and returns the number of members in each organization. If the user calling the script isn't a member of a particular organization, it will return 0 members.
Gets all organizations for a given enterprise, requires the enterprise slug. Handles pagination and returns the organization id and login.
To get the list of all org names you can use jq to parse the JSON output:
./get-enterprise-organizations.sh octocat-corp | jq -r '.data.enterprise.organizations.nodes[].login'
Get a list of all owners (administrators) in an enterprise
Queries every organization in an enterprise and returns whether the user is a member or a member + admin of the organization.
Queries the enterprise for all organizations given the specified role (e.g.: which organizations is the user an admin of)
Gets a list of self-hosted runners configured at the enterprise level for an enterprise.
Gets info about an enterprise using the EnterpriseOwnerInfo GraphQL object.
Gets the status of a GitHub Enterprise Importer (GEI) migration.
Gets the issue type of an issue. See: Community Discussions Post
Gets the usage of a label in a repository. Returns data in table format.
Gets migration information using GraphQL API for a given migration ID.
Usage:
./get-migration-info.sh RM_kgDaACQzNWUwMWIxNS0yZmRjLTRjYWQtOTUwNy00YTgwNGNhZThiMTk
Output:
🔍 Fetching migration information for ID: RM_kgDaACQzNWUwMWIxNS0yZmRjLTRjYWQtOTUwNy00YTgwNGNhZThiMTk
📊 Migration Information
=======================
🆔 Migration ID: RM_kgDaACQzNWUwMWIxNS0yZmRjLTRjYWQtOTUwNy00YTgwNGNhZThiMTk
🌐 Source URL: https://github.com/joshjohanning-org/export-actions-usage-report
📍 Migration Source: GHEC Source
📊 State: SUCCEEDED
❌ Failure Reason:
✅ Migration information retrieved successfully
Note
Migration ID is the GraphQL node ID (not the REST API migration ID). Requires using a classic Personal Access Token (ghp_*) with appropriate scopes set as the GITHUB_TOKEN environment variable.
Returns the most recent migration ID for a given organization.
Returns the most recent migration ID for a given organization repository.
Gets a list of repositories in an organization that have had code pushed to it in the last X days.
Gets a TSV with a list of CODEOWNERS files that have errors in them; this makes it possible to identify which CODEOWNERS files require fixing.
The list will contain the repository name, source (CODEOWNERS file), and kind of error.
Repositories with no CODEOWNERS files or CODEOWNERS errors will not be listed.
Get the organization ID used for other GraphQL calls. Use the login of the Organization as the input.
Adding -H X-Github-Next-Global-ID:1 per the documentation here to get the new ID format:
- https://github.blog/changelog/2022-11-10-graphql-legacy-global-id-deprecation-message/
- https://docs.github.com/en/graphql/guides/migrating-graphql-global-node-ids
Gets the current IP allow list for an organization.
See the docs for further information.
Get a total count of the primary language of repositories in an organization.
Example output:
21 Shell
11 JavaScript
11 Dockerfile
10 C#
4 Java
Gets a list of members in an organization using the REST API (able to get their ID to tie to Git event audit log)
Gets a list of members (via GraphQL) and their role in an organization
Gets a summary of all migrations (imports) against a given organization with GitHub Enterprise Importer
example:
$ ./get-organization-migrations-summary.sh octocat
Not started 0
Pending validation 0
Failed validation 0
Queued 0
In progress 0
Succeeded 3
Failed 7
========================
Total 10
Gets a TSV with a list of migrations (imports) performed (or being performed) on a given organization with GitHub Enterprise Importer
It contains the following data:
- Migration Id
- Source URL of the migration source repo
- Created At
- Migration State
- Failure Reason
- Warnings Count in case the migration succeeded with warnings
- Migration Log URL to download the migration logs, you can use gh-gei to download the logs (note the logs are only available 24h)
By default, it returns all migrations, but there is an optional max-migrations parameter to limit the number of migrations returned (must be lower than or equal to 100).
Returns the migrations (exports) against an organization.
Gets a list of repositories in an organization that have one or more given custom properties values.
There are two mandatory parameters. The organization name and one property (with value).
The property is defined with the format PROPERTYNAME=VALUE (the property name is case insensitive, but the value is case sensitive), you can specify more than one property. If you specify more than one property, repos with the conjunction of all properties will be returned.
Prints all repo names that have a property with name production and value true:
./get-organization-repositories-by-property.sh octocat production=true
Prints all repo names that have a property with name production and value true and a property with name cloud and value true:
./get-organization-repositories-by-property.sh octocat production=true cloud=true
Gets the repository count in an organization
Gets a list of all self-hosted runners in an organization, including org-level and repo-level runners.
Gets a list of self-hosted runners configured at the organization level for an organization.
Gets a list of all repo-level self-hosted runners in all repos in an organization.
Gets the members of a team
Gets a team
Gets a list of webhooks (and webhook information) in an organization
Note
Requires a GitHub PAT instead of using the OAuth token with the gh api command - the OAuth token can only retrieve webhooks it created
Gets the count of apps in all organizations in a given enterprise
Gets a list of apps (and app information) in all organizations in a given enterprise
Gets the count of custom repository roles in all organizations in a given enterprise
Gets the count of discussions in all organizations in a given enterprise
Gets the list of organizations a user is a member of. This only returns organizations accessible to the person running the script, i.e.: organizations they are also a member of, or public organizations
Gets the count of organization projects (classic projects) in all organizations in a given enterprise
Gets the count of projects (ProjectsV2) in all organizations in a given enterprise
Gets the usage of CODEOWNERS files in all repositories in all organizations in a given enterprise (checks HEAD for ./, ./.github, and ./docs and returns TRUE or FALSE for each repository)
Gets the usage of discussions in all repositories in all organizations in a given enterprise (org-wide discussions have to be created in a repository, so this covers that as well)
Gets a list of self-hosted runners configured at the organization level for all organizations in an enterprise
Gets the settings for all organizations in an enterprise
Gets a count of webhooks (and webhook information) in all organizations in an enterprise
Note
Requires a GitHub PAT instead of using the OAuth token with the gh api - the OAuth token can only retrieve webhooks it created
Gets a list of webhooks (and webhook information) in all organizations in an enterprise
Note
Requires a GitHub PAT instead of using the OAuth token with the gh api - the OAuth token can only retrieve webhooks it created
Get outside collaborators added to a repository
Retrieve the download URL for the latest version of a package in GitHub Packages. See: Documentation
Note
No longer works for GitHub.com and deprecated for GHES 3.7+. See Changelog post, GraphQL breaking changes, and GHES 3.7 deprecations
Retrieve the download URL for a specific version of a Maven package in GitHub Packages.
Retrieve the download URL for a specific version of an NPM package in GitHub Packages.
Retrieve the download URL for a specific version of a Maven package in GitHub Packages.
Retrieve the download URL for a specific version of a package in GitHub Packages. See: Documentation
Note
No longer works for GitHub.com and deprecated for GHES 3.7+. See Changelog post, GraphQL breaking changes, and GHES 3.7 deprecations
Gets the parent issue of a given sub-issue (child). See: Community Discussions Post
Extracts all items from a GitHub Projects V2 board with comprehensive details including content, custom field values, and project item type (draft or issue).
Usage:
./get-project-board-items.sh my-org 123
The script outputs formatted information for each project item including:
- Issue/PR details with repository links and numbers
- Draft issue content
- Custom field values (Status, Priority, etc.)
- Labels and descriptions with clean formatting
Note
Works with Projects V2 (newer project boards). Find the project number in the URL: github.com/orgs/ORG/projects/NUMBER
Gets ProjectsV2 added to a repository
Gets ProjectsV2 in an organization
Gets the pull requests in an organization
Gets the pull requests in a repository
Gets a list of releases for a repository
Gets a CSV with the list of repository autolinks in a GitHub organization.
Generates a CSV with 4 columns:
- repo name - The repository name
- prefix - The autolink prefix
- url template - The autolink url template
- autonumeric - If the autolink is autonumeric or not (true/false)
Get repositories not using actions, by files committed in the .github/workflows directory
Gets the list of organization secrets that are available by repository (all repositories).
Public repositories are ignored and not listed.
A repository can only use a max of 100 organization secrets that are available to it. The purpose of this script is to get a list of repositories and the number of organization secrets available to each, mostly to figure out whether you are hitting the limit and not all secrets are really available.
usage:
get-repositories-organization-secrets-count.sh my-org-name
Public repo i-am-public Skipping it
Secrets count for my-org-name by repo:
repo1: 102 secrets
repo2: 103 secrets
Get repositories using actions, by files committed in the .github/workflows directory
Get repositories that have a CircleCI configuration file .circleci/config.yml
(not perfect, doesn't search for codeql*.yml)
Get repositories that have a CodeQL configuration file .github/workflows/codeql.yml
Get repositories that have Dependabot version updates configured by checking for the presence of a .github/dependabot.yml file.
Usage:
./get-repositories-using-dependabot-version-updates.sh my-org
Returns a simple list of repository names followed by a count summary.
Gets a CSV with the list of repository webhooks in a GitHub organization.
Generates a CSV with 4 columns:
- repo name - The repository name
- is active - If the webhook is active or not
- webhook url - The url of the webhook
- secret - Webhook secret, it will be masked since the API doesn't return the actual secret.
This script is useful when doing migrations, to determine the kind of actions that might be needed based on the webhooks inventory.
Get the repository language information (ie: JavaScript, Python, etc) for all repositories in an organization. Can specify how many language results to return (top X).
Example output:
repo,language
ghas-demo,Java
zero-to-hero-codeql-test,C#
Python_scripts_examples,Python
Get the repository license information (ie: MIT, Apache 2.0, etc) for all repositories in an organization.
Gets a list of topics for a repository
Similar to get-repository-users-by-permission.sh except that it loops through all repositories. See the below note about cumulative permissions; if you query for push you will also get users for maintain and admin, but you can pass in a false and retrieve only users who have push.
Example output:
repo,login,permission
ghas-demo,joshgoldfishturtle,admin
ghas-demo,joshjohanning,admin
zero-to-hero-codeql-test,joshjohanning,admin
Python_scripts_examples,joshjohanning,admin
Gets a list of users by permission level for a repository (ie: retrieve the list of users who have admin access to a repository). For write access, use push as the permission. There is a flag to cumulatively return permissions (ie: push returns those with maintain and admin as well), but the default is to explicitly return only users with the permission you specify.
Example output:
login,permission
joshgoldfishturtle,admin
joshjohanning,admin
Returns the permission for everyone who can access the repo and how they access it (direct, team, org)
Gets details about a repo
Retrieves the SAML linked identity of a user in a GitHub Enterprise.
May need to run this first in order for the gh cli to be able to retrieve the SAML information for organizations:
gh auth refresh -h github.com -s admin:enterprise
Retrieves the SAML linked identity of a user in a GitHub organization.
May need to run this first in order for the gh cli to be able to retrieve the SAML information for organizations:
gh auth refresh -h github.com -s admin:org
Gets the SBOM for a repository.
Uses the search API for code search.
Retrieves a list of both "personal access token" and "SSH key" credential types, the users associated with them, and their expiration (if applicable).
Retrieves all SSO enabled PATs users have created for an organization.
Retrieves all SSO-enabled SSH keys users have created for an organization.
Gets the sub-issues (children) of an issue (parent). See: Community Discussions Post
Gets a summary of the sub-issues (children) of an issue (parent). See: Community Discussions Post
Retrieves the ID of a user for other GraphQL calls
Gets a list of users directly added to repositories
Example output:
"ghas-demo", "joshjohanning", "ADMIN"
"ghas-demo", "FluffyCarlton", "WRITE"
"Test-Migrate", "joshjohanning", "ADMIN"
Gets a list of workflow_dispatch inputs used to queue a workflow run since it's not available otherwise in the API
Example output:
[
  {
    "workflowName": "workflow-b",
    "workflowId": "5870059990",
    "inputs": {
      "animal": "bee",
      "color": "orange",
      "food": "avocado"
    },
    "createdAt": "2023-08-15T17:45:21Z",
    "conclusion": "success"
  }
],
Calls the ./add-user-to-repository.sh script to add a user to a repository (this is a wrapper script as an alias since invite == add).
Adds users to an organization team from a CSV input list.
Creates a (mostly) empty migration for a given organization repository so that it can create a lock.
Sets the parents of teams in a target organization based on the existing child/parent relationships of teams in a source organization.
This is useful to mirror a parent/child relationship between teams on two organizations.
This script requires 2 environment variables:
- SOURCE_TOKEN - A GitHub Token to access data from the source organization. Requires org:read scopes.
- TARGET_TOKEN - A GitHub Token to set data on the target organization. Requires org:admin and repo scopes.
The script has three parameters:
- source-org - The source organization name from which team hierarchy will be read
- target-org - The target organization name to which teams will be updated OR created
- create parent(s) if not exist - OPTIONAL (default false). If set to true, parent teams that do not exist in the target org will be created (this also creates parents of parents); otherwise the script prints a message that the parent doesn't exist and the team is skipped.
Removes specific branch protection status check(s) from a branch protection rule
See the docs for more information
Unsets the required status checks setting on a branch protection policy (and removes all checks with it)
See the docs for more information
Removes an enterprise user. See notes:
- Get enterprise id: ./get-enterprise-id.sh
- Get user id by one of the following:
  - List org members and get the id from there: ./get-organization-members.sh
  - Get user id: ./get-user-id.sh
Remove the issue type from an issue (set it to null). See: Community Discussions Post
Removes a sub-issue (child) from an issue (parent). See: Community Discussions Post
Removes a list of users from the organization.
- Create a list of users in a csv file, 1 per line, with a trailing empty line at the end of the file (or use ./generate-users-from-team <org> <team>)
- Run: ./remove-users-from-org.sh <file> <org>
Renaming a repo
Revokes the SSO authorization for a PAT to an organization.
Code search in an organization.
See the docs and StackOverflow for more information.
Search for repositories in an organization with specific custom properties using GitHub's search API with custom property filters.
The script automatically adds the 'props.' prefix to property names and supports multiple search formats:
- Single property: RepoType:IssueOps
- Multiple properties (AND logic): RepoType:IssueOps Environment:Production
- Exclusion search: no:RepoType (finds repos without the RepoType property)
- Mixed queries: RepoType:IssueOps&Environment:Production
Example usage:
./search-repositories-by-custom-property.sh joshjohanning-org 'RepoType:IssueOps'
./search-repositories-by-custom-property.sh joshjohanning-org 'no:RepoType'
./search-repositories-by-custom-property.sh joshjohanning-org 'RepoType:IssueOps Environment:Production'
Set the branch protection status checks - and optionally create a branch protection rule if it doesn't exist or set the required status checks setting on an existing branch protection rule if it isn't set
Note
Set the App ID for GitHub Actions (15368), GitHub Advanced Security (57789), Azure Pipelines (9426), or CircleCI (302869) if you are using those as a source for status checks as a best practice (so the check can't be spoofed by another source/app).
See the docs for more information.
Sets the IP allow list rules for an enterprise or organization from a set of rules defined in a file. The script is idempotent; running it multiple times will only make the changes needed to match the rules in the file.
In order to ensure availability of the service, the script first adds all necessary rules and only after that deletes rules that are no longer applicable. This ensures no disruption of service if the change has a (partially) overlapping set of rules.
Optionally, you can opt in to save a backup of the rules on GitHub before the changes are applied.
Warning
The script doesn't take into account whether existing rules are active. If changes are made to an inactive rule it will become active. If no changes are made, then active status will be ignored.
This script requires org:admin scope.
The file with the rules should be in the following format:
{
  "list": [
    {
      "name": "proxy-us",
      "ip": "192.168.1.1"
    },
    {
      "name": "proxy-us",
      "ip": "192.168.1.2"
    },
    {
      "name": "proxy-eu",
      "ip": "192.168.88.0/23"
    }
  ]
}
Note
The script logic is independent of the rules format since the file is normalized before comparisons are performed. If you want to use a different format, a surgical change to the rules normalization can be made (see the script source code, search for the CUSTOMIZE keyword)
Run the script in dry-run to get a preview of the changes without actually applying them.
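The add-before-delete reconciliation described above, sketched as an added example in Python (this is not the script's own code, which is a shell script). Matching entries on their normalized IP value and the name/ip/active field names of the snapshot are assumptions made for illustration; the snapshot itself is constructed.

```python
import ipaddress
import json

# Constructed rules file in the format shown above.
RULES_FILE = """{"list": [
  {"name": "proxy-us", "ip": "192.168.1.1"},
  {"name": "proxy-us", "ip": "192.168.1.2"},
  {"name": "proxy-eu", "ip": "192.168.88.0/23"}]}"""

# Constructed snapshot of the entries currently on GitHub (hypothetical field names).
CURRENT = [
    {"name": "proxy-us", "ip": "192.168.1.1", "active": True},
    {"name": "old-eu", "ip": "192.168.88.0/23", "active": False},
    {"name": "legacy-vpn", "ip": "10.0.0.0/8", "active": True},
]

def normalize(value):
    """Canonical CIDR form, so 192.168.1.1 and 192.168.1.1/32 compare equal.
    Raises ValueError for malformed input or a network with host bits set."""
    return str(ipaddress.ip_network(value, strict=True))

def plan(rules_json, current):
    """Return ordered (op, ip, name, reactivates) steps: adds/updates first, deletes last."""
    desired = {normalize(r["ip"]): r["name"] for r in json.loads(rules_json)["list"]}
    existing = {normalize(e["ip"]): e for e in current}
    steps = []
    for ip, name in desired.items():
        if ip not in existing:
            steps.append(("add", ip, name, False))
        elif existing[ip]["name"] != name:
            # Per the warning above: changing an inactive rule makes it active.
            steps.append(("update", ip, name, not existing[ip]["active"]))
    # Deletes go last so overlapping ranges never leave a gap in coverage.
    steps += [("delete", ip, e["name"], False)
              for ip, e in existing.items() if ip not in desired]
    return steps

def apply_plan(steps, current):
    """Apply a plan to an in-memory snapshot (stands in for the API calls)."""
    state = {normalize(e["ip"]): dict(e, ip=normalize(e["ip"])) for e in current}
    for op, ip, name, _ in steps:
        if op == "delete":
            del state[ip]
        else:
            state[ip] = {"name": name, "ip": ip, "active": True}
    return list(state.values())

if __name__ == "__main__":
    for step in plan(RULES_FILE, CURRENT):
        print(*step)
```

Planning again against the result of `apply_plan` returns an empty list, which is the idempotence property the description relies on.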
Sets the IP allow list to enabled/disabled for an enterprise or organization. You can't enable the IP allow list unless the IP running the script is in the list.
See the docs for further information.
Sets (or adds) a user to an organization with a specified role
Notable caps on the API:
- 50 requests per 24 hours for free plans
- 500 requests per 24 hours for organizations on paid plans
- these caps do not apply to Enterprise Managed Users (EMU)
Unlocks / deletes the lock for a migrated repository - requires the migration ID to be passed in.
Unlocks / deletes the lock for a migrated repository by getting the most recent migration ID and unlocking it.
Updates a branch protection rule for a given branch.
Adds your account to an organization in an enterprise as an owner or member, or leaves the organization. This requires the user running the script to be an Enterprise Owner.
Updates / sets the issue type for an issue. See: Community Discussions Post
Simple script to verify that a user is a member of a team