Allow non-Owners to publish Orbs (aka granular permissions for orb publishing) | Orbs

CircleCI Ideas

Create

Home

Orbs

Allow non-Owners to publish Orbs (aka granular permissions for orb publishing)

under review

Eddie

Could be a project level API key with publishing permissions, or use team membership like contexts do. Some means to expand the population of folks who can deploy prod versions of orbs without giving them global admin rights in GH.

CCI-I-1108

July 30, 2019

Jeff Hall

This would be super useful. It's really important to us to keep our GH admin group small and only allowing admins to publish orbs is a pretty big blocker to private orbs and code reuse within our org.

Oran Bartell

marked this post as

under review

This feature is being considered for Q3/Q4 of this year.

Oran Bartell

Merged in a post:

Permit non-admins to publish unlisted orbs

Alex Turek

Right now we have our orbs repo set up to auto-publish after a successful master build. But the only people who can do that are CircleCI admins, who are of necessity Github org admins. This means we have to give GH admin to every dev who is working on our (private, internal to the company) orbs.
It'd be great to not have to grant that permission, or bottleneck on our few Github admins to update our internal orbs.
CCI-I-1398

February 27, 2020

November 23, 2021

Kristofer Borgstrom

Really hoping for a solution ASAP. Obviously making every developer and bot a github organization owner is not a feasible solution as it would completely destroy the whole access control setup. Thus killing off options of automated releases and developers handling publishing.

Dominik K

Related idea, but not restricted to unlisted orbs: https://ideas.circleci.com/ideas/CCI-I-1108

Alex Charles

Great idea! I've also encountered this at my organization.

Steven Harman

Needing to be an org-wide Admin to publish/update a production Orb is large hurdle for us. At best it means using some shared secrets - an API Token for some Admin - via Context/Env Var. This has a downside of rolling those crews if/when that GitHub admin leaves. Or we need to roll them for compliance or another reason.
At worst, it means a subset of our folks become gatekeepers for all of our Orb-related needs. And as the folks doing org-wide admin is intentionally limited, that's not going to work.
Hopefully something team-based can be rolled out!

Christer Edvartsen

Assigning permissions for publishing orbs based on teams sounds like a good idea.