Skip to content

Instantly share code, notes, and snippets.

@andyfeller
Last active June 1, 2023 14:39
Show Gist options
  • Save andyfeller/7cdd7aa4abf716b2b460e2038005e60e to your computer and use it in GitHub Desktop.
Save andyfeller/7cdd7aa4abf716b2b460e2038005e60e to your computer and use it in GitHub Desktop.
Comparison of GHES, GHEC, GHEC EMU
Distribution \\ Comparison Benefits Costs
GHES
  • GitHub Enterprise Support
  • Authentication with SAML single sign-on
  • Access provisioning with SAML
  • Enterprise Account level audit logs and configurable controls
  • GitHub Connect
  • The ability to enable:
    • Actions (self-hosted Actions runners)
    • GH Advanced Security (GHAS)
  • New features in minor releases every 3-4 months
  • Security updates in patch releases every 2-4 weeks
  • GHEC features delayed 1-2 minor releases at minimum
  • Must provide and maintain necessary infrastructure
  • Must ensure uptime and reliability of deployment
  • Must perform necessary capacity planning for growth
  • Must account for network and firewall rules according to business security posture
  • Optional additional costs with non-production deployment
GHEC

Everything listed above ☝ including:

  • Additional Actions-specific capabilities:
    • GitHub-hosted Actions Runners
      (available SaaS Actions Runners so you do not need to maintain infrastructure)
    • The GitHub Marketplace allowing you to extend with both Actions and Apps
  • Available GitHub Packages storage on cloud with improved container support
  • Codespaces – virtualized developer environments
  • Additional Advanced Security specific components:
    • Dependency review and enforcement - Review and manage dependencies at time of Pull Request
    • Dependebot automated security and version updates
    • Experience improvements for Org-level dashboards as well as Secret Scanning
  • Access to features and early access feature previews:
    • Organizational insights
    • Action usage metrics
    • Issues and Projects beta
    • GitHub Actions workflow visualization graph
    • GitHub Actions workflow required reviewers
    • GitHub Actions deployments
    • Open ID Connect support
    • IP allow list (policy engine)
    • Video upload support in issues, PRs, discussions
    • Security advisory support for public repositories
    • Enhanced audit log events
  • The option to centrally manage policy and billing for multiple GitHub.com organizations and server with a single enterprise account
  • Uptime SLA and corporate terms of service
  • 50K GitHub Actions build minutes/month including free minutes for public repositories
  • 50GB GitHub Packages and Actions storage including free storage for public repositories
  • Optional premium support
  • Reduced operational and administrative overhead around infrastructure management and security update
  • Must account for network and firewall rules according to business security posture
GHEC EMU

Everything listed above ☝ including EMU specific abilities and restrictions:

  • Identity provider managed user account provisioning
  • Managed user accounts cannot be invited to organizations or repositories outside of the enterprise, nor can the managed user accounts be invited to other enterprises
  • Managed user accounts and the content they create is only visible to other members of the enterprise
  • Other GitHub users cannot see, mention, or invite a managed user account to collaborate
  • Managed user accounts can view all public repositories on GitHub.com, but cannot interact with repositories outside of the enterprise in any of the following ways:
  • Push code to the repository
  • Create issues or pull requests within the repository
  • Create or comment on discussions within the repository
  • Comment on issues or pull requests, or add reactions to comments
  • Star, watch, or fork the repository
  • Managed user accounts cannot create gists or comment on gists
  • Managed user accounts cannot follow users outside of the enterprise
  • Managed user accounts cannot create starter workflows for GitHub Actions
  • Managed user accounts cannot install GitHub Apps on their user accounts
  • You can choose whether managed user accounts are able to create repositories owned by their user accounts
  • If you allow managed user accounts to create repositories owned by their user accounts, they can only own private repositories and can only invite other enterprise members to collaborate on their user-owned repositories
  • Managed user accounts cannot fork repositories from outside of the enterprise. Managed user accounts can fork private or internal repositories owned by organizations in the enterprise into their user account namespace or other organizations owned by the enterprise, as specified by enterprise policy
  • Only private and internal repositories can be created in organizations owned by an enterprise with managed users, depending on organization and enterprise repository visibility settings
  • Outside collaborators are not supported by Enterprise Managed Users
  • Managed user accounts are limited in their use of GitHub Pages
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment