feat(github): add collaborator permissions extraction

ravisuhag · ravisuhag · commit f548b1967c9f · 2026-04-18T14:25:07.000-05:00
Extract repository collaborators with has_access_to edges that include
the permission level (admin, maintain, push, triage, pull). This surfaces
who has access to what repositories in the metadata graph.
diff --git a/plugins/extractors/github/README.md b/plugins/extractors/github/README.md
@@ -29,7 +29,7 @@ source:
 | :-- | :--- | :------- | :---------- |
 | `org` | `string` | Yes | Name of the GitHub organisation. |
 | `token` | `string` | Yes | GitHub API access token. |
-| `extract` | `[]string` | No | Entity types to extract. Defaults to all: `users`, `repositories`, `teams`, `documents`. |
+| `extract` | `[]string` | No | Entity types to extract. Defaults to all: `users`, `repositories`, `teams`, `documents`, `collaborators`. |
 | `docs.repos` | `[]string` | No | Repositories to scan for documents. Defaults to all org repos. |
 | `docs.paths` | `[]string` | No | Directory paths to scan within each repo. Defaults to `["docs"]`. |
 | `docs.pattern` | `string` | No | Glob pattern to match files. Defaults to `"*.md"`. |
@@ -100,6 +100,11 @@ The extractor emits four entity types and their relationships as edges.
 | `owned_by`   | `repository` | `user`       | Repository is owned by a user          |
 | `member_of`  | `user`       | `team`       | User is a member of a team             |
 | `belongs_to` | `document`   | `repository` | Document belongs to a repository       |
+| `has_access_to` | `user`    | `repository` | User has access to a repository (properties: `permission`) |
+
+### Collaborator Permissions
+
+When `collaborators` is included in `extract`, the extractor lists collaborators for each repository and emits `has_access_to` edges with a `permission` property indicating the highest access level: `admin`, `maintain`, `push`, `triage`, or `pull`.
 
 ## Contributing
 
diff --git a/plugins/extractors/github/github.go b/plugins/extractors/github/github.go
@@ -14,6 +14,7 @@ import (
 	"github.com/raystack/meteor/registry"
 	log "github.com/raystack/salt/observability/logger"
 	"golang.org/x/oauth2"
+	"google.golang.org/protobuf/types/known/structpb"
 )
 
 //go:embed README.md
@@ -36,12 +37,13 @@ var sampleConfig = `
 org: raystack
 token: github_token
 # extract specifies which entity types to extract.
-# Defaults to all: ["users", "repositories", "teams"]
+# Defaults to all: ["users", "repositories", "teams", "documents", "collaborators"]
 extract:
   - users
   - repositories
   - teams
   - documents
+  - collaborators
 # docs configures document extraction (only used when "documents" is in extract).
 docs:
   # repos limits which repositories to scan. If empty, scans all org repos.
@@ -53,7 +55,7 @@ docs:
   pattern: "*.md"`
 
 var info = plugins.Info{
-	Description:  "Extract metadata from a GitHub organisation including users, repositories, teams, and documents.",
+	Description:  "Extract metadata from a GitHub organisation including users, repositories, teams, documents, and collaborator permissions.",
 	SampleConfig: sampleConfig,
 	Summary:      summary,
 	Tags:         []string{"platform", "extractor"},
@@ -83,10 +85,11 @@ func (e *Extractor) Init(ctx context.Context, config plugins.Config) error {
 	e.client = gh.NewClient(tc)
 
 	e.extract = map[string]bool{
-		"users":        true,
-		"repositories": true,
-		"teams":        true,
-		"documents":    true,
+		"users":         true,
+		"repositories":  true,
+		"teams":         true,
+		"documents":     true,
+		"collaborators": true,
 	}
 	if len(e.config.Extract) > 0 {
 		e.extract = make(map[string]bool, len(e.config.Extract))
@@ -124,6 +127,11 @@ func (e *Extractor) Extract(ctx context.Context, emit plugins.Emit) error {
 			return fmt.Errorf("extract documents: %w", err)
 		}
 	}
+	if e.extract["collaborators"] {
+		if err := e.extractCollaborators(ctx, emit); err != nil {
+			return fmt.Errorf("extract collaborators: %w", err)
+		}
+	}
 	return nil
 }
 
@@ -428,6 +436,81 @@ func (e *Extractor) emitDocument(ctx context.Context, emit plugins.Emit, repo *g
 	return nil
 }
 
+func (e *Extractor) extractCollaborators(ctx context.Context, emit plugins.Emit) error {
+	repoOpts := &gh.RepositoryListByOrgOptions{
+		ListOptions: gh.ListOptions{PerPage: 100},
+	}
+	for {
+		repos, resp, err := e.client.Repositories.ListByOrg(ctx, e.config.Org, repoOpts)
+		if err != nil {
+			return fmt.Errorf("list repositories: %w", err)
+		}
+
+		for _, repo := range repos {
+			if err := e.extractRepoCollaborators(ctx, emit, repo); err != nil {
+				e.logger.Warn("failed to extract collaborators, skipping",
+					"repo", repo.GetFullName(), "error", err)
+			}
+		}
+
+		if resp.NextPage == 0 {
+			break
+		}
+		repoOpts.Page = resp.NextPage
+	}
+	return nil
+}
+
+func (e *Extractor) extractRepoCollaborators(ctx context.Context, emit plugins.Emit, repo *gh.Repository) error {
+	repoURN := models.NewURN("github", e.UrnScope, "repository", repo.GetNodeID())
+	opts := &gh.ListCollaboratorsOptions{
+		ListOptions: gh.ListOptions{PerPage: 100},
+	}
+
+	var edges []*meteorv1beta1.Edge
+	for {
+		collaborators, resp, err := e.client.Repositories.ListCollaborators(ctx, e.config.Org, repo.GetName(), opts)
+		if err != nil {
+			return fmt.Errorf("list collaborators for %s: %w", repo.GetName(), err)
+		}
+
+		for _, collab := range collaborators {
+			userURN := models.NewURN("github", e.UrnScope, "user", collab.GetNodeID())
+			props, _ := structpb.NewStruct(map[string]any{
+				"permission": resolvePermission(collab.GetPermissions()),
+			})
+			edges = append(edges, &meteorv1beta1.Edge{
+				SourceUrn:  userURN,
+				TargetUrn:  repoURN,
+				Type:       "has_access_to",
+				Source:     "github",
+				Properties: props,
+			})
+		}
+
+		if resp.NextPage == 0 {
+			break
+		}
+		opts.Page = resp.NextPage
+	}
+
+	if len(edges) > 0 {
+		entity := models.NewEntity(repoURN, "repository", repo.GetName(), "github", nil)
+		emit(models.NewRecord(entity, edges...))
+	}
+	return nil
+}
+
+// resolvePermission returns the highest permission level from the permissions map.
+func resolvePermission(perms map[string]bool) string {
+	for _, level := range []string{"admin", "maintain", "push", "triage", "pull"} {
+		if perms[level] {
+			return level
+		}
+	}
+	return "pull"
+}
+
 func init() {
 	if err := registry.Extractors.Register("github", func() plugins.Extractor {
 		return New(plugins.GetLog())
diff --git a/plugins/extractors/github/github_test.go b/plugins/extractors/github/github_test.go
@@ -13,6 +13,7 @@ import (
 
 	gh "github.com/google/go-github/v68/github"
 	"github.com/raystack/meteor/models"
+	meteorv1beta1 "github.com/raystack/meteor/models/raystack/meteor/v1beta1"
 	"github.com/raystack/meteor/plugins"
 	extractor "github.com/raystack/meteor/plugins/extractors/github"
 	"github.com/raystack/meteor/test/mocks"
@@ -487,6 +488,76 @@ func TestExtract(t *testing.T) {
 		assert.Contains(t, err.Error(), "extract users")
 	})
 
+	t.Run("should extract collaborators with has_access_to edges", func(t *testing.T) {
+		server := setupServer(t, serverConfig{
+			repos: []*gh.Repository{
+				{
+					NodeID:   strPtr("R_repo1"),
+					Name:     strPtr("meteor"),
+					FullName: strPtr("my-org/meteor"),
+				},
+			},
+			repoCollaborators: map[string][]*gh.User{
+				"meteor": {
+					{NodeID: strPtr("U_alice"), Login: strPtr("alice"), Permissions: map[string]bool{"admin": true, "push": true, "pull": true}},
+					{NodeID: strPtr("U_bob"), Login: strPtr("bob"), Permissions: map[string]bool{"push": true, "pull": true}},
+				},
+			},
+		})
+		defer server.Close()
+
+		extr := initExtractor(t, server.URL, map[string]any{
+			"extract": []string{"collaborators"},
+		})
+
+		emitter := mocks.NewEmitter()
+		err := extr.Extract(context.Background(), emitter.Push)
+		require.NoError(t, err)
+
+		records := emitter.Get()
+		require.Len(t, records, 1)
+
+		entity := records[0].Entity()
+		assert.Equal(t, models.NewURN("github", urnScope, "repository", "R_repo1"), entity.GetUrn())
+		assert.Equal(t, "repository", entity.GetType())
+
+		edges := records[0].Edges()
+		require.Len(t, edges, 2)
+
+		for _, edge := range edges {
+			assert.Equal(t, "has_access_to", edge.GetType())
+			assert.Equal(t, models.NewURN("github", urnScope, "repository", "R_repo1"), edge.GetTargetUrn())
+		}
+
+		// Check permission levels via edge properties.
+		aliceEdge := findEdgeBySource(edges, models.NewURN("github", urnScope, "user", "U_alice"))
+		require.NotNil(t, aliceEdge)
+		assert.Equal(t, "admin", aliceEdge.GetProperties().AsMap()["permission"])
+
+		bobEdge := findEdgeBySource(edges, models.NewURN("github", urnScope, "user", "U_bob"))
+		require.NotNil(t, bobEdge)
+		assert.Equal(t, "push", bobEdge.GetProperties().AsMap()["permission"])
+	})
+
+	t.Run("should skip collaborators for repos that fail", func(t *testing.T) {
+		server := setupServer(t, serverConfig{
+			repos: []*gh.Repository{
+				{NodeID: strPtr("R_repo1"), Name: strPtr("meteor"), FullName: strPtr("my-org/meteor")},
+			},
+			// No repoCollaborators entry → will 404
+		})
+		defer server.Close()
+
+		extr := initExtractor(t, server.URL, map[string]any{
+			"extract": []string{"collaborators"},
+		})
+
+		emitter := mocks.NewEmitter()
+		err := extr.Extract(context.Background(), emitter.Push)
+		require.NoError(t, err)
+		assert.Empty(t, emitter.Get())
+	})
+
 	t.Run("should extract repos without owner edge when owner is nil", func(t *testing.T) {
 		server := setupServer(t, serverConfig{
 			repos: []*gh.Repository{
@@ -537,12 +608,13 @@ func initExtractor(t *testing.T, serverURL string, extraConfig map[string]any) *
 }
 
 type serverConfig struct {
-	members      []*gh.User
-	userDetails  map[string]*gh.User
-	repos        []*gh.Repository
-	teams        []*gh.Team
-	teamMembers  map[string][]*gh.User
-	repoContents map[string]map[string]any // key: "repo/path" -> {"type":"dir","entries":[]} or {"type":"file","file":*RepositoryContent}
+	members           []*gh.User
+	userDetails       map[string]*gh.User
+	repos             []*gh.Repository
+	teams             []*gh.Team
+	teamMembers       map[string][]*gh.User
+	repoContents      map[string]map[string]any // key: "repo/path" -> {"type":"dir","entries":[]} or {"type":"file","file":*RepositoryContent}
+	repoCollaborators map[string][]*gh.User      // key: repo name -> collaborators
 }
 
 func setupServer(t *testing.T, cfg serverConfig) *httptest.Server {
@@ -580,7 +652,7 @@ func setupServer(t *testing.T, cfg serverConfig) *httptest.Server {
 			writeJSON(w, []*gh.User{})
 		}
 	})
-	// Individual repo endpoint for docs.repos config.
+	// Individual repo endpoint for docs.repos config, contents, and collaborators.
 	mux.HandleFunc("/api/v3/repos/my-org/", func(w http.ResponseWriter, r *http.Request) {
 		urlPath := r.URL.Path
 		const prefix = "/api/v3/repos/my-org/"
@@ -603,6 +675,17 @@ func setupServer(t *testing.T, cfg serverConfig) *httptest.Server {
 			return
 		}
 
+		// Check if this is a collaborators request: "{repo}/collaborators"
+		if strings.HasSuffix(rest, "/collaborators") {
+			repoName := rest[:len(rest)-len("/collaborators")]
+			if collabs, ok := cfg.repoCollaborators[repoName]; ok {
+				writeJSON(w, collabs)
+			} else {
+				w.WriteHeader(http.StatusNotFound)
+			}
+			return
+		}
+
 		// Otherwise it's a repo get: "{repo}"
 		repoName := rest
 		for _, repo := range cfg.repos {
@@ -668,3 +751,12 @@ func intPtr(i int) *int       { return &i }
 
 func indexOf(s, substr string) int { return strings.Index(s, substr) }
 
+func findEdgeBySource(edges []*meteorv1beta1.Edge, sourceURN string) *meteorv1beta1.Edge {
+	for _, e := range edges {
+		if e.GetSourceUrn() == sourceURN {
+			return e
+		}
+	}
+	return nil
+}
+
