Overview
Establish InnerSource governance in repositories to enable internal open-source collaboration patterns. Provides standardised contribution workflows, community documentation templates, ownership models, and transparent decision-making processes within an organisation.
When to Use
- •Setting up a new repository that will follow InnerSource principles
- •Converting an existing repository to InnerSource governance model
- •Establishing contribution guidelines for internal open-source projects
- •Bootstrapping community documentation (CONTRIBUTING, CODE_OF_CONDUCT, etc.)
- •Defining maintainer responsibilities and ownership models
Core Workflow
- •Create required documentation files (README.md, CONTRIBUTING.md, CODE_OF_CONDUCT.md, CODEOWNERS, GOVERNANCE.md)
- •Configure CODEOWNERS with appropriate team assignments and component ownership
- •Set up branch protection requiring CODEOWNERS approval and status checks
- •Configure issue and PR templates with required sections
- •Document review turnaround expectations and decision-making processes
- •Enable and configure CI/CD to run on all PRs
- •Announce InnerSource status to potential contributors
Core
When to use
- •Setting up a new repository that will follow InnerSource principles.
- •Converting an existing repository to InnerSource governance model.
- •Establishing contribution guidelines for internal open-source projects.
- •Bootstrapping community documentation (CONTRIBUTING, CODE_OF_CONDUCT, etc.).
- •Defining maintainer responsibilities and ownership models.
Policy (non-negotiable)
- •All InnerSource repositories MUST have explicit contribution guidelines.
- •Ownership and maintainer responsibilities MUST be documented.
- •Decision-making processes MUST be transparent and documented.
- •Code review requirements MUST be defined before accepting contributions.
Load: documentation-requirements
Required documentation artifacts
Every InnerSource repository MUST contain these files:
| File | Purpose |
|---|---|
README.md | Project overview, getting started, and quick links |
CONTRIBUTING.md | How to contribute, coding standards, PR process |
CODE_OF_CONDUCT.md | Expected behaviour and enforcement procedures |
CODEOWNERS | Defines ownership and required reviewers per path |
GOVERNANCE.md | Decision-making process and maintainer responsibilities |
Optional but recommended
| File | Purpose |
|---|---|
SUPPORT.md | How to get help, support channels, SLA expectations |
SECURITY.md | Vulnerability reporting process |
docs/adr/ | Architecture Decision Records for major decisions |
docs/getting-started.md | Detailed onboarding for new contributors |
Load: contribution-workflow
Contribution acceptance criteria
Before a contribution can be accepted:
- •Issue first - All non-trivial changes require a linked issue.
- •Branch naming - Follow repository conventions (e.g.,
feat/,fix/,docs/). - •PR template - Use provided template with required sections filled.
- •Code review - Minimum one approval from CODEOWNERS.
- •CI passing - All automated checks must pass.
- •Documentation - User-facing changes require docs updates.
Review turnaround expectations
- •Acknowledgement: Within 2 business days.
- •Initial review: Within 5 business days.
- •Merge decision: Within 10 business days of addressing feedback.
Document expectations in CONTRIBUTING.md or GOVERNANCE.md.
Load: ownership-model
Maintainer responsibilities
Maintainers MUST:
- •Respond to issues and PRs within documented SLA.
- •Ensure CI/CD pipeline remains healthy.
- •Review and merge contributions meeting quality bar.
- •Maintain documentation accuracy.
- •Manage releases and versioning.
- •Communicate breaking changes and deprecations.
CODEOWNERS configuration
Define ownership at appropriate granularity:
# Default owners for everything * @org/team-name # Component-specific owners /src/api/ @org/api-team /src/ui/ @org/frontend-team /docs/ @org/docs-team # Critical paths require additional review /src/security/ @org/security-team @org/team-name
Succession planning
- •Document backup maintainers for each component.
- •Define process for maintainer rotation or handoff.
- •Ensure no single point of failure for critical paths.
Load: decision-making
Transparent decision process
All significant decisions MUST be:
- •Proposed - Create RFC issue or ADR with context and options.
- •Discussed - Allow comment period (minimum 5 business days for major decisions).
- •Decided - Document rationale and decision maker.
- •Communicated - Announce in appropriate channels.
Decision categories
| Category | Decision maker | Comment period |
|---|---|---|
| Bug fixes | Any maintainer | None required |
| Minor features | Component owner | 2 business days |
| Major features | Lead maintainer(s) | 5 business days |
| Architecture changes | Maintainer consensus | 10 business days |
| Governance changes | All maintainers | 10 business days |
Conflict resolution
- •Attempt resolution through discussion on the issue/PR.
- •Escalate to lead maintainer for mediation.
- •If unresolved, escalate to organisation's technical leadership.
Load: bootstrap-checklist
Initial setup checklist
When bootstrapping InnerSource governance:
- • Create
README.mdwith project overview and quick links. - • Create
CONTRIBUTING.mdwith contribution workflow. - • Create
CODE_OF_CONDUCT.md(adopt standard like Contributor Covenant). - • Create
CODEOWNERSwith initial ownership assignments. - • Create
GOVERNANCE.mdwith decision-making process. - • Configure branch protection requiring CODEOWNERS approval.
- • Set up issue templates for bugs, features, and RFCs.
- • Set up PR template with required sections.
- • Configure CI/CD to run on all PRs.
- • Document review turnaround expectations.
- • Announce InnerSource status to potential contributors.
Ongoing maintenance
- •Review and update CODEOWNERS quarterly or when team changes.
- •Audit contribution metrics monthly.
- •Review governance effectiveness annually.
- •Update documentation when processes change.
Load: metrics-and-health
Contribution health indicators
Track these metrics to assess InnerSource health:
| Metric | Healthy threshold | Action if below |
|---|---|---|
| PR review time | < 5 business days | Add reviewers or reduce scope |
| Issue response time | < 2 business days | Improve triage process |
| External contributions | > 20% of PRs | Improve documentation and onboarding |
| Documentation freshness | < 6 months stale | Schedule documentation sprint |
Community growth indicators
- •Number of unique contributors (monthly).
- •Number of external (outside core team) contributors.
- •Issue/PR participation from non-maintainers.
- •Documentation contributions.
Agent rule: enforcement
When reviewing a repository claiming InnerSource status:
- •Verify all required documentation exists and is complete.
- •Check CODEOWNERS is configured and enforced.
- •Confirm branch protection is enabled.
- •Validate contribution workflow is documented.
- •Flag any missing or outdated governance documentation.
- •Mark repository as non-compliant if core requirements missing.
Minimal Compliance Checklist
Use this checklist for quick compliance verification:
Documentation (Required)
- •
README.mdexists and contains project overview - •
CONTRIBUTING.mdexists with PR process documented - •
CODE_OF_CONDUCT.mdexists (or org-level reference) - •
CODEOWNERSfile exists with valid team assignments - •
GOVERNANCE.mdexists with decision process
Branch Protection (Required)
- • Default branch (main/master) is protected
- • PR reviews required before merge
- • CODEOWNERS approval required
- • Status checks required to pass
- • Force push disabled on protected branches
Repository Settings (Required)
- • Issue templates configured
- • PR template configured
- • Branch naming conventions documented
Verification Commands
GitHub CLI Verification
# Check required files exist
REQUIRED_FILES="README.md CONTRIBUTING.md CODE_OF_CONDUCT.md CODEOWNERS GOVERNANCE.md"
for file in $REQUIRED_FILES; do
if [ -f "$file" ]; then
echo "✓ $file exists"
else
echo "✗ $file MISSING"
fi
done
CODEOWNERS Validation
# Verify CODEOWNERS syntax and team existence
gh api repos/{owner}/{repo}/codeowners/errors --jq '.errors[]'
# Check CODEOWNERS is being enforced
gh api repos/{owner}/{repo}/branches/main/protection \
--jq '.required_pull_request_reviews.require_code_owner_reviews'
# Expected: true
Branch Protection Verification
# Get branch protection rules
gh api repos/{owner}/{repo}/branches/main/protection --jq '{
enforce_admins: .enforce_admins.enabled,
required_reviews: .required_pull_request_reviews.required_approving_review_count,
codeowner_reviews: .required_pull_request_reviews.require_code_owner_reviews,
status_checks: .required_status_checks.strict,
force_push: .allow_force_pushes.enabled
}'
# Expected: enforce_admins=true, required_reviews>=1, codeowner_reviews=true,
# status_checks=true, force_push=false
Full Compliance Script
#!/bin/bash
# innersource-compliance-check.sh
REPO="${1:-$(gh repo view --json nameWithOwner -q .nameWithOwner)}"
ERRORS=0
echo "Checking InnerSource compliance for $REPO"
echo "==========================================="
# Check required files
echo -e "\n## Required Files"
for file in README.md CONTRIBUTING.md CODE_OF_CONDUCT.md CODEOWNERS GOVERNANCE.md; do
if gh api "repos/$REPO/contents/$file" &>/dev/null; then
echo "✓ $file"
else
echo "✗ $file MISSING"
((ERRORS++))
fi
done
# Check branch protection
echo -e "\n## Branch Protection (main)"
PROTECTION=$(gh api "repos/$REPO/branches/main/protection" 2>/dev/null)
if [ -z "$PROTECTION" ]; then
echo "✗ No branch protection configured"
((ERRORS++))
else
CODEOWNER=$(echo "$PROTECTION" | jq -r '.required_pull_request_reviews.require_code_owner_reviews // false')
REVIEWS=$(echo "$PROTECTION" | jq -r '.required_pull_request_reviews.required_approving_review_count // 0')
if [ "$CODEOWNER" = "true" ]; then
echo "✓ CODEOWNERS review required"
else
echo "✗ CODEOWNERS review NOT required"
((ERRORS++))
fi
if [ "$REVIEWS" -ge 1 ]; then
echo "✓ PR reviews required ($REVIEWS)"
else
echo "✗ PR reviews NOT required"
((ERRORS++))
fi
fi
# Summary
echo -e "\n## Summary"
if [ $ERRORS -eq 0 ]; then
echo "✓ Repository is InnerSource compliant"
exit 0
else
echo "✗ $ERRORS compliance issues found"
exit 1
fi
Usage
# Check current repository ./innersource-compliance-check.sh # Check specific repository ./innersource-compliance-check.sh org/repo-name # CI integration - name: InnerSource Compliance run: ./scripts/innersource-compliance-check.sh continue-on-error: false
Red Flags - STOP
These statements indicate InnerSource governance gaps:
| Thought | Reality |
|---|---|
| "CONTRIBUTING.md can wait" | Contributors need guidance from day one; add it early |
| "We know who owns what" | Undocumented ownership causes confusion; use CODEOWNERS |
| "Informal decisions work fine" | Transparent processes build trust; document in GOVERNANCE.md |
| "Anyone can review PRs" | Define CODEOWNERS for accountability; enforce in branch protection |
| "We'll onboard contributors later" | Early documentation attracts contributors; invest upfront |
| "Code of Conduct is optional" | Expected behaviour must be explicit; adopt a standard |