GitHub Access at Tractorbeam

Tractorbeam uses GitHub to host our source code. GitHub access is managed through Okta SSO with automatic team synchronization.

How It Works

┌─────────────────────────────────────────────────────────────────────────────┐
│                           Okta (Source of Truth)                            │
│                                                                             │
│  Users ──── SAML SSO ────► GitHub (authentication)                          │
│                                                                             │
│  Groups ─── Team Sync ───► GitHub Teams (membership synced automatically)   │
│             ├── Engineering     → engineering team                          │
│             ├── Platform-Admins → platform-admins team                      │
│             ├── Security        → security team                             │
│             └── Project-*       → project-* teams                           │
└─────────────────────────────────────────────────────────────────────────────┘

Before Your First Login

1. Add Tractorbeam Email to Your GitHub Account

You can use your personal GitHub account, but you must add your @tractorbeam.ai email address:

  1. Go to GitHub Email Settings
  2. Add your yourname@tractorbeam.ai email
  3. Verify it via the confirmation email

Why this matters: GitHub notifications for the tractorbeamai organization are restricted to verified @tractorbeam.ai email addresses. Without this, you won't receive any email notifications for issues, PRs, or mentions.

2. Verify Okta Access

You must have an active Okta account at Tractorbeam. If you can log into tractorbeam.okta.com, you're all set.

3. Set Up Git Authentication

Use the GitHub CLI to configure SSH authentication:

```bash
brew install gh
gh auth login
```

Select "GitHub.com" → "SSH" → follow the prompts. This handles SSH key generation, upload, and SSO authorization in one step.

Joining the tractorbeamai Organization

No tickets or requests needed. GitHub access is automatic through Okta:

  1. Go to github.com/tractorbeamai
  2. Click "Sign in with SAML"
  3. Authenticate through Okta
  4. You're now a member of the organization

Your team memberships sync automatically from your Okta groups. There's typically a short delay (up to 1 hour) for team sync after your first login.

Getting Access to Repositories

Repository access is controlled through GitHub Teams, which are synced from Okta groups.

Teams and Their Access

| Okta Group      | GitHub Team     | Typical Access                  |
|-----------------|-----------------|---------------------------------|
| Engineering     | engineering     | Most repositories (read/write)  |
| Platform-Admins | platform-admins | Infrastructure repos (admin)    |
| Security        | security        | Security-sensitive repos        |
| Project-Carlyle | project-carlyle | Carlyle project repositories    |
| Project-Mailman | project-mailman | Mailman project repositories    |

To Get Access to a Specific Repository

  1. Ask your manager which Okta group grants access to the repository
  2. Request group membership through your manager or IT
  3. Once added to the Okta group, GitHub team membership syncs automatically

For Admins: Granting Repository Access

  1. Ensure the user is in the correct Okta group
  2. In GitHub, navigate to the repository → Settings → Collaborators and teams
  3. Add the appropriate team with the desired permission level

Authentication

The easiest way to set up SSH is with the GitHub CLI:

```bash
gh auth login
```

If you already have an SSH key and need to authorize it for the org:

  1. Go to GitHub SSH settings
  2. Click "Configure SSO" next to your SSH key
  3. Click "Authorize" for tractorbeamai

Personal Access Tokens

For automation and CI, use fine-grained personal access tokens:

  1. Go to GitHub Tokens
  2. Generate new token (Fine-grained)
  3. Set resource owner to "tractorbeamai"
  4. Select only the repositories and permissions needed
  5. Click "Configure SSO" and authorize for tractorbeamai

Common FAQs

I logged in but can't see any repositories

Your team memberships may not have synced yet. Team sync can take up to 1 hour. If it's been longer:

  1. Sign out of GitHub completely
  2. Clear your browser cookies for github.com
  3. Sign in again through Okta SSO
  4. If still not working, verify your Okta group memberships with IT

I need access to a repository my team doesn't have

  1. Contact the repository owner or your manager
  2. They can either:
    • Add your existing team to the repository
    • Request you be added to a team that already has access

How do I create a new repository?

All organization members can create repositories:

  1. Go to github.com/new
  2. Set owner to "tractorbeamai"
  3. Choose visibility (private recommended for new projects)
  4. Create the repository
  5. Add appropriate teams for access

New repositories automatically have:

  • Dependabot alerts enabled
  • Secret scanning enabled
  • Push protection for secrets

Why can't I force push to main?

Production repositories have branch protection that prevents force pushes and branch deletion on main. This is a safety net, not a process barrier. If you need to fix a broken main branch, contact Platform-Admins.

I'm getting "SAML SSO session expired" errors

Re-authenticate through Okta:

  1. Go to tractorbeam.okta.com
  2. Click the GitHub app tile
  3. This refreshes your SAML session

For CLI tools, you may need to re-authorize your token or SSH key for SSO.

How do I recover access without my MFA device?

Since authentication goes through Okta, contact IT to reset your Okta MFA. GitHub-specific recovery codes are not applicable with SAML SSO.

What's the difference between Employees and Engineering teams?

  • Employees: All full-time employees. Basic org membership.
  • Engineering: Engineering team members. Has write access to most code repositories.
  • Contractors: Contract workers. Similar to Employees but separate for compliance.

You may be in multiple teams based on your role.

For Platform Admins

Team Infrastructure

  • Teams are created by Terraform (github/main.tf)
  • Team membership is synced from Okta groups
  • Team-to-Okta-group linking is a one-time manual step per team

Adding a New Team

  1. Add to data/groups.json with "github_team": true
  2. Run terraform apply in the github/ directory
  3. Link to Okta group in GitHub UI:
    • Go to github.com/orgs/tractorbeamai/teams/{team-slug}
    • Settings → Sync group → Select matching Okta group

Organization Settings

Managed in github/main.tf:

  • Default repository permission: Read
  • Web commit signoff required: Yes
  • Secret scanning: Enabled for new repos
  • Dependabot: Enabled for new repos

Domain Verification and Email Restrictions

The tractorbeam.ai domain is verified with GitHub (DNS TXT records in cloudflare/records.tf).

Email notifications are restricted to verified @tractorbeam.ai addresses. This is configured manually in GitHub:

  1. Go to Organization Security Settings
  2. Under "Verified and approved domains", ensure tractorbeam.ai shows as verified
  3. Under "Notification preferences", enable "Restrict email notifications to only approved or verified domains"

This setting isn't available in the Terraform provider, so changes must be made in the UI.

Production Repository Protections

The internal-infra repository has additional protections:

  • Cannot force push to main
  • Cannot delete main branch

To add a repository to production protections, add it to local.production_repos in github/main.tf.
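
Settings changed in the GitHub UI can drift from what Terraform last applied, so the organization settings and production protections listed above are worth checking against the live API responses. The following is an added example, not part of Tractorbeam's repository: it compares GitHub REST API responses with the baseline this page states. The function names and sample JSON are constructed for illustration.

```python
from __future__ import annotations
import json

# Baseline from this page's "Organization Settings" and "New repositories
# automatically have" lists, keyed by GET /orgs/{org} response fields.
ORG_BASELINE = {
    "default_repository_permission": "read",
    "web_commit_signoff_required": True,
    "secret_scanning_enabled_for_new_repositories": True,
    "secret_scanning_push_protection_enabled_for_new_repositories": True,
    "dependabot_alerts_enabled_for_new_repositories": True,
}

def org_drift(org: dict) -> list[str]:
    """Return one finding per org setting that differs from the baseline."""
    return [f"{key}: expected {want!r}, found {org.get(key)!r}"
            for key, want in ORG_BASELINE.items() if org.get(key) != want]

def branch_drift(protection: dict | None) -> list[str]:
    """Check a GET /repos/{owner}/{repo}/branches/main/protection response.
    None stands for a 404: the branch has no protection rule at all."""
    if protection is None:
        return ["main has no branch protection"]
    findings = []
    for key, label in (("allow_force_pushes", "force pushes"),
                       ("allow_deletions", "branch deletion")):
        # A missing or malformed key is reported, never assumed safe.
        if (protection.get(key) or {}).get("enabled") is not False:
            findings.append(f"{label} not blocked on main")
    return findings

# Constructed sample responses, not real data from the tractorbeamai org.
SAMPLE_ORG = json.loads("""{
  "login": "example-org",
  "default_repository_permission": "write",
  "web_commit_signoff_required": true,
  "secret_scanning_enabled_for_new_repositories": true,
  "secret_scanning_push_protection_enabled_for_new_repositories": true,
  "dependabot_alerts_enabled_for_new_repositories": true
}""")
SAMPLE_PROTECTION = json.loads("""{
  "allow_force_pushes": {"enabled": true},
  "allow_deletions": {"enabled": false}
}""")

if __name__ == "__main__":
    for finding in org_drift(SAMPLE_ORG) + branch_drift(SAMPLE_PROTECTION):
        print("DRIFT:", finding)
```

To run it against live data, pass in the parsed output of `gh api orgs/tractorbeamai` and `gh api repos/tractorbeamai/internal-infra/branches/main/protection` in place of the samples.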