This feature is only available with an active Enterprise license. Please add your license key to activate it.

This is an experimental feature. Certain functionality may be incomplete and breaking changes may ship in non-major releases. Have feedback? Submit a issue on GitHub.

Overview

Permission syncing allows you to sync Access Permission Lists (ACLs) from a code host to Sourcebot. When configured, users signed into Sourcebot (via the code host’s OAuth provider) will only be able to access repositories that they have access to on the code host. Practically, this means:

Code Search results will only include repositories that the user has access to.
Code navigation results will only include repositories that the user has access to.
Ask Sourcebot (and the underlying LLM) will only have access to repositories that the user has access to.
File browsing is scoped to the repositories that the user has access to.

Permission syncing can be enabled by setting the EXPERIMENT_EE_PERMISSION_SYNC_ENABLED environment variable to true.

docker run \
    -e EXPERIMENT_EE_PERMISSION_SYNC_ENABLED=true \
    /* additional args */ \
    ghcr.io/sourcebot-dev/sourcebot:latest

Platform support

We are actively working on supporting more code hosts. If you’d like to see a specific code host supported, please reach out.

Platform	Permission syncing
GitHub (GHEC & GHEC Server)	✅
GitLab	🛑
Bitbucket Cloud	🛑
Bitbucket Data Center	🛑
Gitea	🛑
Gerrit	🛑
Generic git host	🛑

Getting started

GitHub

Prerequisite: Add GitHub as an OAuth provider. Permission syncing works with GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server. For organization-owned repositories, users that have read-only access (or above) via the following methods will have their access synced to Sourcebot:

Outside collaborators
Organization members that are direct collaborators
Organization members with access through team memberships
Organization members with access through default organization permissions
Organization owners.

Notes:

A GitHub OAuth provider must be configured to (1) correlate a Sourcebot user with a GitHub user, and (2) to list repositories that the user has access to for User driven syncing.
OAuth tokens must assume the repo scope in order to use the List repositories for the authenticated user API during User driven syncing. Sourcebot will only use this token for reads.

How it works

Permission syncing works by periodically syncing ACLs from the code host(s) to Sourcebot to build an internal mapping between Users and Repositories. This mapping is hydrated in two directions:

User driven : fetches the list of all repositories that a given user has access to.
Repo driven : fetches the list of all users that have access to a given repository.

User driven and repo driven syncing occurs every 24 hours by default. These intervals can be configured using the following settings in the config file:

Setting	Type	Default	Minimum
`experiment_repoDrivenPermissionSyncIntervalMs`	number	24 hours	1
`experiment_userDrivenPermissionSyncIntervalMs`	number	24 hours	1

Getting Started

Features

Configuration

Upgrade

Permission syncing

Overview

Platform support

Getting started

GitHub

How it works

Getting Started

Features

Configuration

Upgrade

​Overview

​Platform support

​Getting started

​GitHub

​How it works

Overview

Platform support

Getting started

GitHub

How it works