@@ -18,35 +18,48 @@ apply once after `init.sh`. each section says where to click.
1818| pull requests: automatically delete head branch | on |
1919| archives: include git lfs objects | off |
2020
21- ## settings -> branches
21+ ## settings -> rules -> rulesets
2222
23- apply branch protection on ` main ` . see [ branch-protection.md] ( ./branch-protection.md )
24- for the full setting list and a ` gh api ` one-liner.
23+ apply two rulesets: one for the default branch, one for release tags.
24+ see [ branch-protection.md] ( ./branch-protection.md ) for the exact settings
25+ and the ` gh api ` calls. classic `Settings → Branches → Branch protection
26+ rules` still works but rulesets are the supported path going forward and
27+ are required for tag protection.
2528
2629## settings -> code security
2730
28- | setting | value |
29- | ------------------------------- | ----------------------------------------- |
30- | dependabot alerts | on |
31- | dependabot security updates | on |
32- | dependabot version updates | on (auto, reads ` .github/dependabot.yml ` ) |
33- | secret scanning | on |
34- | secret scanning push protection | on |
35- | code scanning (codeql) | on |
36- | private vulnerability reporting | on |
31+ since 2024 this page is a list of cards rather than a single toggle column.
32+ turn each card on:
3733
38- ` SECURITY.md ` already wires private vulnerability reporting; flipping the toggle
39- exposes the form to reporters.
34+ | card | action |
35+ | ------------------------------------------ | ---------------------------------------- |
36+ | dependabot alerts | enable |
37+ | dependabot security updates | enable |
38+ | dependabot version updates | already configured via ` .github/dependabot.yml ` |
39+ | secret scanning | enable |
40+ | secret scanning push protection | enable |
41+ | code scanning (codeql) | "set up" -> default |
42+ | private vulnerability reporting | enable |
43+
44+ ` code scanning -> default setup ` is now one click and covers every
45+ language github detects. choose default unless you have a reason to
46+ write your own ` codeql.yml ` .
47+
48+ ` SECURITY.md ` already wires private vulnerability reporting; flipping
49+ the toggle exposes the form to reporters.
4050
4151## settings -> actions -> general
4252
43- | setting | value |
44- | ------------------------------------------------ | ---------------------------------------------------------------------------------- |
45- | actions permissions | ` allow <your-org>, and select non-<your-org> actions and reusable workflows ` |
46- | allowed actions | enumerate by full name and sha (see below) |
47- | fork pull request workflows from outside collabs | "require approval for first-time contributors who are new to github" (or stricter) |
48- | workflow permissions | "read repository contents and packages permissions" (default to read) |
49- | allow github actions to create / approve prs | off |
53+ | setting | value |
54+ | -------------------------------------------------- | ---------------------------------------------------------------------------------- |
55+ | actions permissions | "allow ` <your-org> ` actions and reusable workflows, and select non-` <your-org> ` actions and reusable workflows" |
56+ | allowed actions | enumerate by full name (see below) |
57+ | approval for fork pull request workflows | "require approval for first-time contributors" (or stricter) |
58+ | run workflows from fork pull requests | leave default; rely on the approval gate above |
59+ | send write tokens to fork pull request workflows | off |
60+ | send secrets and variables to fork pull request workflows | off |
61+ | workflow permissions | "read repository contents and packages permissions" |
62+ | allow github actions to create or approve pull requests | off |
5063
5164allowed actions list (paste, after ` init.sh ` pins them):
5265
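Review bot: the new "run workflows from fork pull requests: leave default; rely on the approval gate above" row weakens the fork story, because the gate it relies on is "require approval for first-time contributors", which does not cover returning contributors who already have a merged PR. If the intent is that every fork run is gated, say so in the "approval for fork pull request workflows" row instead of "(or stricter)", e.g. "require approval for all external contributors", and keep "send write tokens" and "send secrets and variables" off as written. Two smaller points: the "allowed actions" row dropped "and sha" from the old text, which is fine only because the wildcard note further down explains that `scripts/check-pins.sh` enforces the sha, so a one-word pointer ("pinned by ci") in the row would save readers a scroll; and the rulesets paragraph says "one for release tags" without naming the tag pattern, while the release environment section later keys on `v*`, so the two should state the same pattern.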
@@ -63,27 +76,31 @@ actions/upload-artifact@*
6376actions/download-artifact@*
6477```
6578
66- ` * ` is github's allowed-actions wildcard, not a sha. the sha is enforced by
67- ` scripts/check-pins.sh ` in ci.
79+ ` * ` is github's allowed-actions wildcard, not a sha. the sha is enforced
80+ by ` scripts/check-pins.sh ` in ci.
6881
6982## settings -> environments -> release
7083
7184create the ` release ` environment used by ` release.yml ` . set:
7285
73- | setting | value |
74- | ---------------------------- | -------------------------------- |
75- | required reviewers | at least 1 maintainer |
76- | wait timer | 5 minutes (rollback window) |
77- | deployment branches and tags | protected branches and tags only |
78- | environment secrets | none (oidc replaces tokens) |
79- | environment variables | none unless required |
86+ | setting | value |
87+ | ----------------------------- | --------------------------------------------- |
88+ | required reviewers | at least 1 maintainer |
89+ | wait timer | 5 minutes (rollback window) |
90+ | prevent self-review | off for solo maintainer, on if more than one |
91+ | deployment branches and tags | "selected branches and tags" -> add ` v* ` |
92+ | environment secrets | none (oidc replaces tokens) |
93+ | environment variables | none unless required |
8094
81- reviewers must approve every release before npm publish runs.
95+ reviewers must approve every release before npm publish runs. the wait
96+ timer gives you a final five-minute window to cancel the deploy from
97+ the actions tab.
8298
8399## settings -> webhooks
84100
85101webhooks should be empty. every webhook is an outbound trust point.
86- if you need ci notifications, prefer github built-ins (slack github app, github email).
102+ if you need ci notifications, prefer github built-ins (slack github app,
103+ github email).
87104
88105## settings -> deploy keys
89106
@@ -92,11 +109,27 @@ use github app installations or oidc workloads instead.
92109
93110## settings -> integrations and third-party access
94111
95- | setting | value |
96- | ------------------ | ------------------------------- |
97- | third-party access | restrict to vetted apps |
98- | github apps | review installed apps quarterly |
99- | oauth apps | none unless required |
112+ | setting | value |
113+ | ---------------------- | ---------------------------------- |
114+ | github apps | review installed apps quarterly |
115+ | oauth apps | none unless required |
116+ | third-party tokens | restrict to vetted apps |
117+
118+ ## npmjs.com -> package -> settings -> trusted publisher
119+
120+ set this once per package on npmjs.com. there is no ci file to commit.
121+
122+ | field | value |
123+ | -------------------- | -------------------------------- |
124+ | publisher | github actions |
125+ | repository owner | ` <your-org> ` |
126+ | repository name | ` <your-repo> ` |
127+ | workflow filename | ` release.yml ` |
128+ | environment name | ` release ` |
129+
130+ once trusted publisher is configured, ` npm publish --provenance ` in
131+ ` release.yml ` mints credentials over oidc per run. there is no
132+ ` NPM_TOKEN ` and never will be.
100133
101134## organization-level (if you own the org)
102135
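Review bot: the trusted publisher paragraph should say that `release.yml` has to grant `permissions: id-token: write` for `npm publish --provenance` to mint the oidc credential, since the actions table in the first hunk sets the repo-wide default to read-only and the environment section says secrets are none; without that line a reader following the page verbatim gets a publish failure with no obvious cause. Also, the renamed "third-party tokens" row keeps the old "restrict to vetted apps" value, but the old row was "third-party access"; if the setting being pointed at is the personal access token policy, the value should describe a token policy rather than an app allowlist.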
@@ -112,7 +145,13 @@ beyond the repo, set these org-wide:
112145| outside collaborators | minimize, audit quarterly |
113146| sso session duration | as short as your team tolerates |
114147
148+ org-level rulesets (` Settings → Rules → Rulesets ` at the org) let you
149+ apply the main-branch protection across every repo at once instead of
150+ per-repo. recommended once you operate more than a handful of repos.
151+
115152## verifying
116153
117154after applying everything, run the [ openssf scorecard] ( https://securityscorecards.dev )
118- on your repo. target score: ** 8.5+** . anything below means a check above was missed.
155+ on your repo. target score: ** 8.5+** . anything below means a check above
156+ was missed (or a check that needs time, like ` Maintained ` which requires
157+ the repo to be 90+ days old).