Git (GitLab / GitHub)
Hosting Chooser
Where you create a repo depends on the content and audience:
| Content Type | Where | Why |
|---|---|---|
| Open source / public training / demos | SaaS (GitLab.com / GitHub) | Public visibility |
| Partner pilot (NFR-eligible) | Partner SaaS (subject to NFR rules) | License terms |
| Internal product dev (non-AI) | Self-Managed (Premium) | Full control, private |
| AI platform / ML workloads | Self-Managed (Ultimate) | Advanced features, Duo |
Repository Naming
Repositories follow the standard naming pattern:
```
prv-{team}-{purpose}[-{qualifier}]
```
| Repository | Purpose |
|---|---|
| `prv-plt-infra-tf` | Platform infrastructure as code |
| `prv-plt-infra-gam-scripts` | GAM automation scripts |
| `prv-eng-app-web` | Web application |
| `prv-eng-lib-shared-utils` | Shared utility library |
| `prv-sec-policy-compliance` | Compliance policy definitions |
| `prv-ops-docs-runbooks` | Operations runbooks |
| `prv-proj-biz-lib` | Business library documentation |
Namespace Structure
SaaS (GitLab.com / GitHub)
One top-level group per organization:
| Org | GitLab | GitHub |
|---|---|---|
| PRV | gitlab.com/provisionr | github.com/provisionr |
These namespaces are for public or externally shared artifacts only.
Self-Managed
For self-managed GitLab instances, organize by team:
```
gitlab.{org}.cloud/
  plt/     ← Platform Engineering
  eng/     ← Engineering
  sec/     ← Security
  ops/     ← Operations
  shared/  ← Cross-team libraries
```
Role Groups for Git
| Role | Permission | Purpose |
|---|---|---|
| `prv-eng-role-gl-org-admin` | Owner | GitLab instance administration |
| `prv-eng-role-gl-maintainer` | Maintainer | Merge to protected branches |
| `prv-eng-role-gl-developer` | Developer | Push to feature branches |
| `prv-eng-role-gl-read` | Reporter | Read-only access |
Branch Protection
- `main`/`master`: Protected. Merge via MR only. Require approvals.
- `release/*`: Protected. Tag-based releases.
- Feature branches: Developer push allowed.
CI/CD Naming
CI/CD pipelines and runners follow automation account naming:
| Account | Purpose |
|---|---|
| `prv-plt-auto-gl-ci-runner` | CI runner identity |
| `prv-eng-auto-gl-deploy` | Deployment automation |
| `prv-sec-auto-gl-scanner` | Security scanning automation |
Guardrails
- No production secrets in repos (use vault/secret manager).
- All repos require code review before merge to protected branches.
- CI/CD uses service accounts, not personal tokens.
- Repository naming must follow the `prv-{team}-{purpose}` pattern.
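
The naming and branch-protection guardrails can be checked automatically. The following is an added example, not part of the original page or of any project tooling: it audits a repository name and a response shaped like GitLab's protected-branches API (`GET /projects/:id/protected_branches`). The sample responses are constructed, the allowed character set for name segments is an assumption, and approval rules (a separate API) are not covered.

```python
import re

# Pattern from this page: prv-{team}-{purpose}[-{qualifier}]
# Assumption: segments are lowercase alphanumerics (the page does not define the charset).
REPO_NAME = re.compile(r"prv-[a-z0-9]+-[a-z0-9]+(?:-[a-z0-9]+)*")
NO_ACCESS, MAINTAINER = 0, 40  # GitLab access-level values


def levels(rules):
    # Rules bound to one user or group carry no access_level; count them as a grant.
    return [MAINTAINER if r.get("access_level") is None else r["access_level"] for r in rules]


def audit_project(name, protected_branches):
    """Return guardrail findings for one repository (empty list = compliant)."""
    findings = []
    if not REPO_NAME.fullmatch(name):
        findings.append(f"{name}: name does not follow prv-{{team}}-{{purpose}}")
    by_name = {b["name"]: b for b in protected_branches}
    default = by_name.get("main") or by_name.get("master")
    if default is None:
        findings.append(f"{name}: main/master is not protected")
    else:
        # "Merge via MR only": nobody may push directly.
        if any(lv != NO_ACCESS for lv in levels(default["push_access_levels"])):
            findings.append(f"{name}: direct push to {default['name']} is allowed")
        # Merging to protected branches is reserved for the Maintainer role group.
        if any(NO_ACCESS < lv < MAINTAINER for lv in levels(default["merge_access_levels"])):
            findings.append(f"{name}: roles below Maintainer can merge to {default['name']}")
    if "release/*" not in by_name:
        findings.append(f"{name}: release/* is not protected")
    return findings


def rule(name, push, merge):  # helper to build constructed sample data
    return {"name": name, "push_access_levels": [{"access_level": push}],
            "merge_access_levels": [{"access_level": merge}]}


# Constructed samples, shaped like the protected-branches API response.
COMPLIANT = [rule("main", 0, 40), rule("release/*", 0, 40)]
DRIFTED = [rule("main", 30, 30)]

if __name__ == "__main__":
    for repo, branches in [("prv-eng-app-web", COMPLIANT), ("eng_app_web", DRIFTED)]:
        for finding in audit_project(repo, branches) or [f"{repo}: compliant"]:
            print(finding)
```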