You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Creates one or more private GitHub repositories in an organisation with standard configuration: branch protection on the default branch, a CODEOWNERS file, and optional team permissions.
306
+
307
+
**Required variables:**
308
+
```bash
309
+
export GITHUB_TOKEN="your_token"
310
+
export ORG="your-org"
311
+
export REPO_NAMES="repo1,repo2"
312
+
export REPO_OWNERS="platform-team"
313
+
```
314
+
315
+
**Usage:**
316
+
```bash
317
+
cd org-admin/github-auto-repo-creation
318
+
./github-auto-repo-creation.sh
319
+
```
320
+
321
+
**What it does:**
322
+
- Creates each repository listed in `REPO_NAMES` as private
323
+
- Configures branch protection on the default branch
324
+
- Creates a CODEOWNERS file referencing the `REPO_OWNERS` teams
325
+
- Grants admin access to teams listed in `ADMIN_TEAMS`
326
+
327
+
| Variable | Description | Default |
328
+
|----------|-------------|---------|
329
+
|`ADMIN_TEAMS`| Comma-separated team slugs for admin access | — |
330
+
331
+
> [!NOTE]
332
+
> Requires `base64` in addition to `curl` and `jq` (used to encode the CODEOWNERS file content for the API).
Dismisses or resolves all open security alerts (Dependabot, code scanning, and secret scanning) across all repositories in a GitHub organisation. Generates a CSV report of dismissed alerts.
341
+
342
+
**Required variables:**
343
+
```bash
344
+
export GITHUB_TOKEN="your_token"
345
+
export ORG="your-org"
346
+
```
347
+
348
+
**Usage:**
349
+
```bash
350
+
cd org-admin/github-close-archived-repo-security-alerts
351
+
352
+
# Preview which alerts would be dismissed (no changes)
Converts all repositories with "internal" visibility to "private" in a GitHub organisation.
446
+
447
+
**Required variables:**
448
+
```bash
449
+
export GITHUB_TOKEN="your_token"
450
+
export ORG="your-org"
451
+
```
452
+
453
+
**Usage:**
454
+
```bash
455
+
cd org-admin/github-migrate-internal-repos-to-private
456
+
./github-migrate-internal-repos-to-private.sh
457
+
```
458
+
459
+
**What it does:**
460
+
- Fetches all repositories with internal visibility (paginated)
461
+
- Converts each to private via the PATCH API
462
+
- Logs success or failure for each repository
463
+
464
+
> [!WARNING]
465
+
> Converting repositories from internal to private removes access from members of other organisations in the enterprise. This operation cannot be undone via the API.
Assigns the built-in "All-repository read" organisation role to a specified enterprise team in every organisation within a GitHub Enterprise account. This grants read access to all current and future repositories without requiring per-repository assignments.
627
+
628
+
**Required variables:**
629
+
```bash
630
+
export GITHUB_TOKEN="your_enterprise_token"# Must have admin:enterprise scope
631
+
export ENTERPRISE="my-enterprise"
632
+
export ENTERPRISE_TEAM_SLUG="platform-team"
633
+
```
634
+
635
+
**Usage:**
636
+
```bash
637
+
cd enterprise/github-add-enterprise-team-read-permissions
638
+
./github-add-enterprise-team-read-permissions.sh
639
+
```
640
+
641
+
**What it does:**
642
+
- Enumerates all organizations in the enterprise via GraphQL (cursor-based pagination)
643
+
- Looks up the enterprise team ID and the target org role ID in each organization
644
+
- Assigns the `all_repo_read` org role to the enterprise team in every organization
645
+
646
+
| Variable | Description | Default |
647
+
|----------|-------------|---------|
648
+
|`ALL_REPO_READ_ROLE_NAME`| Org role name to assign |`all_repo_read`|
649
+
650
+
> [!IMPORTANT]
651
+
> Requires an enterprise-level token with `admin:enterprise` scope. Organization tokens will not work.
Searches all organisations in a GitHub Enterprise account for Dockerfiles, extracts base image references from `FROM` instructions, and generates CSV reports to identify common base images across the estate.
660
+
661
+
**Required variables:**
662
+
```bash
663
+
export GITHUB_TOKEN="your_token"
664
+
export ENTERPRISE="my-enterprise"
665
+
```
666
+
667
+
**Usage:**
668
+
```bash
669
+
cd enterprise/github-dockerfile-discovery
670
+
./github-dockerfile-discovery.sh
671
+
```
672
+
673
+
**What it does:**
674
+
- Discovers all orgs in the enterprise via GraphQL, or uses the `ORGS` override
675
+
- Uses the GitHub code search API to locate Dockerfiles in each org
676
+
- Fetches and parses each Dockerfile to extract `FROM` instructions (including multi-stage builds)
677
+
- Generates three timestamped reports in `REPORT_DIR`:
678
+
-`dockerfile_discovery_detail_*.csv` — one row per image reference
@@ -448,6 +788,7 @@ All scripts can leverage a shared utility library for common operations like val
448
788
449
789
**API helpers:**
450
790
-`get_repo_page_count <url>` — Get total page count from paginated REST endpoint
791
+
-`validate_slug <value> <label>` — Exit if value contains characters other than alphanumeric, hyphen, or underscore
451
792
452
793
### Using the Shared Library in Scripts
453
794
@@ -668,7 +1009,7 @@ Consider adding approval steps or environment protection rules before running de
668
1009
## Best Practices
669
1010
670
1011
**Test on a test organization first**
671
-
These scripts have no dry-run mode. Always validate on a non-production organization before running against production resources.
1012
+
Always validate on a non-production organization before running against production resources. Several scripts support a `--dry-run` flag (`github-close-archived-repo-security-alerts`, `github-enable-issues`, `github-organize-stars`) that previews changes without applying them.
672
1013
673
1014
**Rate limiting**
674
1015
Scripts include built-in delays (5 seconds between repository operations) to stay within GitHub's rate limits. For large organizations with hundreds of repos, expect longer execution times.
0 commit comments