-
Notifications
You must be signed in to change notification settings - Fork 6
Repo Admin
Add and remove collaborators, configure branch protection, audit who has access to what, sync labels across repos, and manage milestones — all without leaving VS Code. Every action is previewed before execution with an explicit confirmation step.
The repo-admin agent handles the administrative layer of a GitHub repository: who can do what, what rules protect important branches, and what the repository's shared vocabulary (labels, milestones) looks like.
This is the agent for when you need to:
- Onboard a new contractor or collaborator and give them exactly the right permission level — no more, no less
- Remove someone who has left the project from all repo access
- Set up branch protection so
maincannot be force-pushed or merged without a passing CI check - Audit all current collaborators across multiple repos (often eye-opening)
- Synchronize your label taxonomy so every repo uses the same set of labels
- Create or close milestones as a release cadence changes
Every destructive or access-changing operation is previewed as a diff-style summary before the agent acts. You always have the final say.
@repo-admin add @alice to taylorarndt/a11y-agent-team as maintainer
@repo-admin audit access on all my repos
@repo-admin configure branch protection for main
@repo-admin sync labels from my template repo
/repo-admin audit access
/repo-admin add collaborator
/repo-admin branch protection setup@github-hub manage repo admin
@github-hub audit repository access
@github-hub add @alice as maintainer
Expand permission level reference
Before using this agent, understand the five GitHub permission levels:
| Level | Can push code | Can manage PRs | Can manage releases | Can manage settings | Can add admins |
|---|---|---|---|---|---|
| Read | — | — | — | — | — |
| Triage | — | ✅ label/assign | — | — | — |
| Write | ✅ | ✅ | ✅ | — | — |
| Maintain | ✅ | ✅ | ✅ | Limited | — |
| Admin | ✅ | ✅ | ✅ | ✅ full | ✅ |
Principle of least privilege: always start with the minimum level needed. Use Read for external reviewers, Triage for community moderators, Write for active contributors, Maintain for lead developers, Admin only for repo owners.
Expand language reference table
| What you say | What it does |
|---|---|
add @alice as contributor / write access
|
Grant Write permission |
add @bob as reviewer |
Grant Triage permission |
add @carol as maintainer |
Grant Maintain permission |
add @dave as admin |
Grant Admin (will require double confirmation) |
remove @alice from this repo |
Revoke all access |
audit access |
List every collaborator and their level |
audit all my repos |
Cross-repo access audit |
protect main |
Configure branch protection for main
|
require PR reviews before merge |
Adds required-reviewers rule |
require status checks |
CI gate before merge |
sync labels / copy labels from template
|
Label taxonomy sync |
create milestone v2.0 |
Create a milestone with a due date |
close milestone v1.5 |
Mark milestone closed |
-
You say:
@repo-admin add @alice to this repo as maintainer -
The agent identifies the repo (from workspace context or asks):
⚙️ Looking up @alice on GitHub… ✅ Found user: alice (Alice Johnson) ✅ Target repo: taylorarndt/a11y-agent-team -
Checks for existing access:
Current access: @alice has no access to this repo. -
Previews the change:
Proposed change: + @alice → Maintain (was: no access) This will allow @alice to push, manage PRs, releases, and limited settings. Confirm? (yes / no / change permission level) -
Sends the invitation. GitHub sends @alice an email.
-
You say:
@repo-admin audit access on all my repos -
Collects collaborators across all your repos:
⚙️ Auditing 4 repositories… ✅ Loaded collaborators for taylorarndt/a11y-agent-team (6 collaborators) ✅ Loaded collaborators for taylorarndt/my-app (3 collaborators) -
Generates an access matrix:
User a11y-agent-team my-app Notes @alice Maintain Write Active contributor @bob Read — Not in my-app @carol Admin Admin Owner on both @dave Write — Only in a11y-agent-team -
Flags anomalies:
⚠️ @dave has Write access toa11y-agent-teambut is not in your team roster (preferences.md). Was this intentional?
-
You say:
@repo-admin protect the main branch — require 2 PR reviews and CI to pass -
Shows current state:
Current branch protection for main: none -
Previews the ruleset:
Proposed branch protection rules for main: + Require pull request before merging: YES + Required approvals: 2 + Dismiss stale reviews on new commits: YES + Require status checks to pass: YES + Require branches to be up to date before merging: YES + Restrict who can push directly: (none — open to anyone with Write+) + Enforce above rules for administrators: NO (recommended: YES — add if you want) Confirm? (yes / no / adjust)
Show example prompts
@repo-admin add @alice to this repo with write access
@repo-admin add @bob as a read-only reviewer
@repo-admin remove @dave from this repo
@repo-admin list all collaborators and their permission levels
@repo-admin audit access across all my repos — flag anything unusual
@repo-admin protect main — require at least 1 PR review before merge
@repo-admin require CI to pass before any merge to main
@repo-admin block direct pushes to main for everyone including admins
@repo-admin show me the current branch protection rules
@repo-admin sync labels from taylorarndt/label-template to all my repos
@repo-admin add label "a11y" with color #0e9f6e to this repo
@repo-admin delete the "wip" label from all repos
@repo-admin show me which labels are missing from my-app compared to a11y-agent-team
@repo-admin create milestone v2.0 due December 31
@repo-admin list open milestones
@repo-admin close milestone v1.5
Expand output file details
| File | Location | Contents |
|---|---|---|
REPO-ACCESS-AUDIT-{date}.md |
workspace root | Full collaborator matrix |
REPO-ACCESS-AUDIT-{date}.html |
workspace root | Accessible HTML version |
Expand agent connections
| Handoff | When | Agent |
|---|---|---|
| Manage org teams | After granting repo access, assign to a team | team-manager |
| Add to daily briefing | Include access changes in morning digest | daily-briefing |
Expand constraints
- Every access change is previewed before execution — never acts silently on access or settings
- Adding
Adminpermission requires a second explicit confirmation ("are you sure you want to grant full admin access?") - Removing yourself from a repo is blocked — preventing accidental lockout
- Label sync is always shown as a diff before applying
- The agent never removes protection rules without showing what impact that has ("removing CI requirement means anyone can merge without a green build")
Show troubleshooting help
"It says I don't have permission to set branch protection." Branch protection requires Admin access on the repo. Confirm you are an admin there. If the repo belongs to an org, you may need organization admin access for some settings.
"The invitation was sent but @alice says they never got an email." Check the email address associated with their GitHub account. If the invite is pending, you can re-send: "show pending invitations for a11y-agent-team."
"Label sync deleted labels I wanted to keep." Label sync is additive by default — it adds missing labels but does not delete. To delete, you must explicitly ask: "remove all labels not in the template."
- Accessibility Lead
- Web Accessibility Wizard
- Document Accessibility Wizard
- Alt Text and Headings
- ARIA Specialist
- Contrast Master
- Forms Specialist
- Keyboard Navigator
- Link Checker
- Live Region Controller
- Modal Specialist
- Tables Data Specialist
- Word Accessibility
- Excel Accessibility
- PowerPoint Accessibility
- PDF Accessibility
- Office Scan Config
- PDF Scan Config
- Testing Coach
- WCAG Guide