GitHub account - sharing username across companies & roles?

TL;DR Do y’all mix personal & professional work (in particular, work for multiple companies) on single GitHub accounts?

I have had a personal GitHub account for several years due to FIRST stuff, and will occasionally put personal projects onto it. I have a personal email attached to it.

Recently, I was invited to join my company’s GitHub Organization. I made a separate account with my work email address and plan to use it for accessing work content. It’s not clear that I needed to make a company account, and GitHub is structured so that I probably could have continued to use my personal account to access new work organization content.

If I did… Would work projects start showing up on my personal profile page in some way? Seems like a massive privacy/trade-secrets vulnerability??

What’s typical “netiquette” here? What have y’all done?

Anyone using one GitHub account to rule them all: do you also share hardware between work/play/home projects, or “bring your own device” to work?
I do some of my FIRST volunteering on the company laptop, but I have other projects I keep exclusively on personal equipment for Reasons. My company only does BYOD phones.

Pivoting the question a little - has anyone actually recruited through GitHub personal profile pages & shared or public projects?
I can see GitHub trying to make recruiting a Thing for revenue, but is that actually something users do or experience?
Looking good for Recruiting seems like a strong incentive to use a single account across companies, regardless of the implicit IP danger, in order to keep an active/complete profile…

If they’re not private repos, yes they would. You would also appear as a member of their organization. You’ll pretty much need to use a separate account if your goal is to prevent any public association. If you’re okay with public association, GitHub will keep private repos private.

I do not. I’m careful to keep the two completely separate, particularly regarding non-company work on a company-owned device. It’s much easier for a company to claim ownership of your personal projects if you use their equipment to develop it. I’m not a fan of BYOD (and fortunately currently don’t have to do it myself) but that’s somewhat less problematic because at least you own the hardware–the risk is more on the company side of how they scrub their data off your device.

Thank you, that’s super helpful.

Ooh, “if you’re okay with public association” is what I’m curious about at community demographic level

Do you publicly associate your personal GitHub profile to your employer Organization?
  • I publicly associate my GitHub profile to my employer(s) organization
  • I do not publicly associate my GitHub profile to my employer(s) organization
  • What’s Github?

I’ve been using my personal GitHub account for about the last year at Microsoft, but it’s possible I soon will need to change that because of unrelated reasons. Since I work on mostly open source stuff on GitHub anyway, having the same account doesn’t end up being a problem for me usually.

For hardware, I started after the pandemic, so I was basically forced to use my own hardware. However, I decided to dual boot on separate hard drives. Because of BitLocker, when I’m on the personal side, I can’t access the data on the work drive. And I basically came to the conclusion Microsoft owns the work drive, and if I ever leave I’ll just physically destroy it. From the work drive, I never access anything personal, which lets me keep it separate.

I created a separate GitHub account for work on my first day, but only because of concerns about how our CI system would handle my GitHub identity, rather than any personal reason. Both my work and I would’ve been happy to use an existing GitHub account otherwise.

On an entirely unrelated note, if anyone at GitHub could add being able to turn off email privacy per organisation, I’m pretty sure a significant number of people would send love.

Target has an internal GitHub Enterprise instance which is where all the not-public stuff goes. It also has a public GitHub org for open source.

For the public GitHub org I use my personal GitHub account- I don’t do a ton there anyway and there was no reason for me to create a separate account for it.

We don’t have BYOD, and personal projects stay on my personal computer.

Just as an anecdote, we were recently notified that the organization that runs our company’s donation-matching program had a data breach because one of that organization’s employees accidentally uploaded files with our information to their personal (and publicly accessible) GitHub repository instead of the organization’s restricted repository. I don’t know much more about it than that, so I can’t say whether it was caused by using a personal account to access work content, or whether it was related to some flaw in how GitHub manages things vs an employee just doing something dumb. But it seems like keeping work and personal accounts as separate as possible could only help, when it comes to avoiding breaches like that.

1 Like

My company uses GHE internally, but also has a public presence for open source. I use the same account for everything on the public side.

1 Like

Not exactly a solution, but you can always configure your different git repos to use a different email address. It doesn’t prevent you from exposing a personal email, but it can be used as a workaround if you want different emails in your commits for different projects.

I think there’s a bit of nuance here that’s being missed. Just having separate accounts isn’t sufficient for preventing accidental pushes if you’re using the same credentials (public key) for both accounts. If you’re concerned about accidental pushes, you’d need separate accounts with separate credentials installed on separate computers.

1 Like

I had a small company offer me an interview out of the blue after looking at my GitHub profile. I wasn’t looking for work at the time so I declined and didn’t ask any more questions. Not sure exactly what they saw on my profile that got them interested, most of the stuff on there is random Python projects and half-baked HTML pages. But apparently there are people who do recruiting over GitHub.

1 Like

Unfortunately that’s not even close to a solution - I need control over the committer identity for commits generated via the GitHub web flow, and the noreply email web-flow option seems to be all or nothing.

1 Like

I do not know how we accomplished it, and it could be annoying on a personal device, but on one of our team computers, git is set in such a way that it asks you to log in (with a web auth popup) for each push. I kind of love this.

This isn’t the GitHub web flow (e.g. merging a pull request on GitHub.com via the web UI).

That just sounds like regular git authentication, which doesn’t concern itself with git committer identities.

Oh, I see. I had assumed it did both when you switched. :slight_smile:

Well, since we’re on the topic of changing committer identities…

1 Like

That is incredible. You (and they jest), but there are times when one of our members leaves after making a lot of progress, but before committing. So… Potential actual use case (though I am not usually one for reinforcing bad habits)?

This is one reason why everyone should sign their commits.

5 Likes

When our company switched from internal Git to using GitHub, I chose to create a separate identity/account. The big factor for me was that if I used my personal account, I would forever be associated with my current company. And you never ever know if in the future that will be problematic (for any number of reasons). And, in general, I prefer to keep my work and personal lives separate.

The one thing I really wish Git had was the ability, in the .gitconfig file, to associate credentials by remote URL (like Mercurial does). (I haven’t looked again in the past year or so, and so maybe they have added this.) As an alternative, on any shared PC, I put all clones in either a companyName, personal or frc sub-directory, and then use a series of [includeIf] directives in my .gitconfig to load alternate configs that have the appropriate username and email address. For example:

[includeIf "gitdir/i:companyName/"]
    path = ~/.gitconfig-work

It works ok. But I have to be careful I always clone in the correct sub-directory.

1 Like
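
The directory-based `includeIf` setup from the post above, extended with a separate SSH key per identity (the separate-credentials point raised earlier in the thread) and a check for the clone-in-the-wrong-directory case. This is an added example, not any poster's own configuration; the addresses, key paths, the `personal/oops` clone and the `check_identity` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example; names, addresses, key paths and URLs are constructed placeholders.

# Run git against the throwaway HOME only, ignoring system-wide config.
g() { HOME="$DEMO_HOME" XDG_CONFIG_HOME="$DEMO_HOME/.config" GIT_CONFIG_NOSYSTEM=1 git "$@"; }

setup_demo() {
    DEMO_HOME=$(mktemp -d) || return 1
    # Default (personal) identity and key; work overrides load by directory.
    cat > "$DEMO_HOME/.gitconfig" <<'EOF'
[user]
    name = Example Dev
    email = dev@personal.example
[core]
    sshCommand = ssh -i ~/.ssh/id_personal -o IdentitiesOnly=yes
[includeIf "gitdir/i:companyName/"]
    path = ~/.gitconfig-work
EOF
    cat > "$DEMO_HOME/.gitconfig-work" <<'EOF'
[user]
    email = dev@company.example
[core]
    sshCommand = ssh -i ~/.ssh/id_work -o IdentitiesOnly=yes
EOF
    for d in companyName/app personal/toy personal/oops; do
        mkdir -p "$DEMO_HOME/$d" && g init -q "$DEMO_HOME/$d" || return 1
    done
    # personal/oops is a work repo cloned under the wrong directory.
    g -C "$DEMO_HOME/companyName/app" remote add origin git@github.com:companyName/app.git
    g -C "$DEMO_HOME/personal/oops" remote add origin git@github.com:companyName/app.git
}

# Effective value of a config key inside a clone (empty if unset).
effective() { g -C "$1" config --get "$2" || true; }

# Fail when a clone's origin is in the work org but the email is not the work address.
check_identity() {
    case "$(effective "$1" remote.origin.url)" in
        *github.com[:/]companyName/*)
            [ "$(effective "$1" user.email)" = "dev@company.example" ] || return 1 ;;
    esac
    return 0
}

setup_demo
for d in companyName/app personal/toy personal/oops; do
    if check_identity "$DEMO_HOME/$d"; then s=ok; else s=MISMATCH; fi
    echo "$s $d email=$(effective "$DEMO_HOME/$d" user.email)"
done
```

Git 2.36 and later also accept an `includeIf "hasconfig:remote.*.url:<pattern>"` condition, which selects the include by remote URL instead of by directory.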

The key word in your statement is everyone. As such, a repo should ideally be configured to only accept signed commits.

1 Like