Skip to main content
Warning

Migrations are coming to VA GitHub. See the Migrations section for more information.

GitHub Migrations

Information on migrating VA GitHub resources to GHEC-US

In July 2025 the VA will begin an effort to migrate most of its GitHub infrastructure to a single cloud enterprise in a new US instance of GitHub’s Enterprise Cloud with data residency product (GHEC-US), at https://va.ghe.com. This environment will eventually be a fully authorized FedRAMP moderate environment, in the meantime the VA has issued an interim VA Moderate ATO for GHEC-US so that it can be used before full FedRAMP moderate authorization.

These migrations and the effort to consolidate into a single environment are primarily motivated by a VA compliance and security decision that determined that VA needs a FedRAMP Moderate environment for its DevOps platform, and the current GitHub.com cloud enterprise is not sufficient and could not be made suitable for FedRAMP Moderate.

The GitHub team is delivering a set of migration tools that VA engineering teams can use to migrate their own repositories, on a schedule determined by VA engineering leadership. These migration tools are available to beta testers now, with production migrations officially starting in July. Official announcements will be forthcoming on when individual projects can expect to migrate. We do not yet have information on these timelines, as they are still being worked out.

The GitHub team will migrate archived repositories for the VA, but for active repositories the migration responsibility will lie with the owners of those repositories. This is primarily because GitHub’s migration product does not support migrating all aspects of a repository therefore VA teams will need to develop a plan for rebuilding missing pieces and accounting for potential downtime after migrations while workflows and processes are re-established.

VA’s migrations will begin with the VA GHEC-EMU enterprise. The GHEC enterprise and the VA’s on-premise GitHub Enterprise Server (GHES) at github.ec.va.gov will also migrate to GHEC-US, but those migrations will begin after GHEC-EMU migrations are running smoothly and more specific guidance on those migrations will be provided as their time comes. For now this content is mainly for cloud migrations only (GHEC and GHEC-EMU). See GHEC-EMU migrations for information specific to GHEC-EMU migrations.

See the FAQ for answers to common questions and About GHEC-US for more information on GHEC-US, including getting access to GHEC-US.

Support

The GitHub team is available to provide support and consultation, both pre- and post-migration. The best way to request support is by creating a support request issue, either in your source enterprise (GHEC, GHEC-EMU) or in GHEC-US. You can also find us in the VA OIT DevOps Slack workspace.

The GHEC-US handbook is available for GHEC-US users. Note that the GHEC-US handbook will not be publicly available, users will need to authenticate into GHEC-US, as described below, to view the handbook.

Access Control

GHEC-US will be integrated with VA’s Entra ID using the same configuration used for the VA’s current GHEC-EMU enterprise. You will no longer use your personal github.com user accounts, GHEC-US accounts will be provisioned and owned by VA. Users will gain permissions to access GHEC-US through the GitHub Entra ID application. Most current VA GitHub users will be bulk onboarded to GHEC-US by the GitHub team so you will not need to do anything to gain access to GHEC-US. New users will utilize an Entra ID self-serve workflow where users can request access to the GitHub app and be granted access automatically. Specifics of the self-serve access workflow will be documented in a VA intranet site which we are still working on with VA leadership.

GitHub teams can also be based on Entra ID groups, such that membership in the team is determined by membership in the Entra ID group. This will be optional, VA teams can also create GitHub teams independent of Entra ID, as you do today in GHEC. Users, teams, and repository access permissions will need to be re-established in GHEC-US.

Logging into GHEC-US through Entra ID will require users to PIV login with their va.gov account and PIV card, so users will need a PIV reader if they do not already have one.

VA Entra ID access is currently limited to VA managed devices: GFE, AVD, or CAG. However we have already received an exemption for this access policy for GHEC-US and are in the process of implementing the exemption in VA Entra ID. When the exemption is complete, users will be able to log into GHEC-US from their personal or corporate systems using their PIV and va.gov credentials.

No Public Repositories

GHEC-US will not allow public repositories. The GitHub team is still working with VA leadership to determine a path for the public repositories in VA GHEC. The most likely outcome will be that public repositories are migrated to GHEC-US (and therefore become private/internal), but the content of those repositories will be mirrored to the VA GHEC organization to make a static, read-only copy of the repository content available to the public.

No Outside Collaborators

GHEC-US will not allow outside collaborators, which are users that are not organization members, but have been granted explicit access to some repositories in the organization. GHEC-US will require that all users with access to the system be onboarded to VA, have a va.gov account, and be granted access to GitHub in the VA’s Entra ID. The current VA GHEC organization has around 150 outside collaborators, however our analysis indicates that many of these outside collaborators are in fact VA contractors or other personnel that should be properly onboarded to VA. If you believe that your repositories are being accessed by outside collaborators that are not candidates for full VA onboarding then reach out to the GitHub team to let us know.

Migration Guidance

See the other pages in this section for more detailed information on planning and performing your migrations:

Changelog

Changelog for all migrations related documentation pages.

July 3 2025

Major updates to bring the documentation in line with the current situation, including that VA is targeting GHEC-EMU for the first migrations.

  • Index page updates:
    • Migrations will start with GHEC-EMU in mid July 2025
    • Provide GHEC-US URLs including support repository and support request creation links
    • Provide VA justification for migrations
    • Clarify that logging into GHEC-US will require a va.gov account and PIV card (and PIV reader)
    • Update current plan for migrating GHEC public repositories
  • Migration limitations page updates:
    • Update status of custom migration extensions and support for various resource types that GEI does not migrate
  • GHEC-US limitations page updates:
    • Indicate that GitHub is working with VA to install mission critical third party Apps (Slack and Jira) into GHEC-US
    • Clarify requirements around installing other third party Apps or apps that send data to external services
    • Indicate that Codespaces is planned for GHEC-US
    • Indicate that macOS runners are planned for GHEC-US
    • Remove mention of Copilot Extensions since it is deprecated
  • Process page updates:
    • Provide link to GHEC-US migration-actions repository where migrations will be performed
    • Clarify that mannequin reattribution will occur on a schedule and not with each repository migration, and that the mannequin workflow will reattribute mannequins from all source enterprises
    • Clarify user access requirements for migrating repository
  • Planning page updates:
    • Add detail to VA organizational metadata requirements
    • Add link to GHE.com Network Details documentation
    • Add requirements for teams taking over the Jenkins Shared Library for running CodeQL in Jenkins
    • Add links to GHEC-US support repository
    • Add more information to planning for migrating GitHub Apps
    • Add more information on migrating Packages
    • Update information on macOS runner availability
    • Update information on organization level self-hosted runners
    • Remove notes on repository custom properties and LFS objects since these are now supported in the migration workflows
  • Added migrations FAQ page
  • Added GHEC-EMU migrations page

July 7 2025