GitHub Best Practices
The Office of Digital Services (ODS) at the California Department of Technology (CDT) recommends the following practices.
Best practices for GitHub Repos (Best practices for repositories – GitHub Docs)
- Create a README file to make it easier for people to understand and navigate your work.
- Regular collaborators should favor branching over forking, creating pull requests between branches instead of between repositories.
  - Use GitHub branch protection rules to protect important branches, such as “main”, with required status checks and pull request reviews.
  - Prevent direct commits to the “main” branch.
- GitHub repositories should be limited to the files necessary for building projects. Avoid committing large binary files, such as build artifacts.
  - Binary files like spreadsheets and presentations are better suited to being tracked on portals that understand how to serve and version them properly.
- Use Git Large File Storage (Git LFS) to track large files in a Git repository to optimize performance.
- It is important to use a well-thought-out and secure Git workflow for team collaboration.
  - Comparing Git workflows (Git Workflow | Atlassian Git Tutorial).
  - GitHub flow is a lightweight, branch-based workflow (GitHub flow – GitHub Docs).
  - GitLab flow (Introduction to GitLab Flow | GitLab).
- Keep sensitive files out of your repository with “.gitignore”.
- Use a CODEOWNERS file to define the individuals or teams responsible for code in a repository.
- Configure automated security checks in a repository.
  - Automated dependency alerts (free for all repo types).
  - Automated dependency updates with Dependabot (free for all repo types).
  - Automated code scanning (free only for public repos).
  - Automated secret scanning (free only for public repos).
- For open-source projects, set up contributing guidelines to help collaborators make meaningful, useful contributions to a project.
  - Add common files: README.md, LICENSE.md, CONTRIBUTING.md, and SECURITY.md.
- Training resources:
Best practices for GitHub Actions (Security hardening for GitHub Actions – GitHub Docs)
- Use CODEOWNERS to monitor and restrict changes to workflow files.
- Take the following steps to ensure secrets are redacted, and limit other risks associated with secrets.
  - Never use structured data (JSON, XML, or YAML) as a secret; this significantly reduces the probability that the secrets will be properly redacted.
  - Register all secrets used within workflows; a secret generated from another sensitive value within the workflow will not be redacted in the logs unless you register it.
  - Audit how secrets are handled. For example, check that they are not sent to unintended hosts or explicitly printed to log output.
  - Use credentials that are minimally scoped.
  - Audit and rotate registered secrets.
  - Consider requiring review for access to secrets.
- Mitigate script injection attacks (Security hardening for GitHub Actions – GitHub Docs). Prevent your workflow code from executing untrusted input from attackers.
  - Use an action instead of an inline script.
  - Use an intermediate environment variable.
  - Use starter workflows for code scanning.
  - Restrict permissions for GITHUB_TOKEN.
- Use OpenID Connect to access cloud resources.
- Mitigate the risks associated with third-party actions.
  - Pin third-party actions to a full-length commit SHA.
  - Audit the source code of the action.
  - Pin actions to a tag only if you trust the creator.
- Keep GitHub Actions up to date.
- Harden self-hosted runners.
  - Self-hosted runners should almost never be used for public repositories on GitHub because any user can open pull requests against the repository and compromise the environment.
- Prevent GitHub Actions from creating or approving pull requests.
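The secrets-handling and script-injection points above, applied in a single workflow, as an added example that is not from this page or from GitHub's docs: a read-only default GITHUB_TOKEN with a per-job write scope, a SHA-pinned action, an intermediate environment variable for untrusted event data, and registration of a derived secret with `::add-mask::`. The job id, the secret name `API_KEY` and the zero-filled SHA are placeholders.

```yaml
# Added example (not from the CDT page or GitHub's docs). The job id, the
# secret name API_KEY and the zero-filled SHA are placeholders.
name: issue-triage
on:
  issues:
    types: [opened]

# The default GITHUB_TOKEN is read-only for every job; write scopes are
# granted per job, only where a step actually needs them.
permissions:
  contents: read

jobs:
  triage:
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      # Pin to a full-length commit SHA, not a mutable tag, and record the
      # audited tag in a comment so reviewers know what the SHA stands for.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA for the audited v4 tag

      # UNSAFE pattern, kept commented out: the expression is substituted into
      # the script text before the shell runs it, so an attacker-controlled
      # issue title is interpreted as shell syntax rather than as data.
      # - run: echo "New issue: ${{ github.event.issue.title }}"

      # SAFE: route untrusted event data through environment variables. The
      # shell only ever sees the quoted variables, never the raw text.
      - name: Acknowledge the issue
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          NUMBER: ${{ github.event.issue.number }}
          TITLE: ${{ github.event.issue.title }}
        run: gh issue comment "$NUMBER" --body "Triage queued for: $TITLE"

      # A value derived from a registered secret is not redacted automatically;
      # register it with ::add-mask:: before it can reach the log.
      - name: Derive and register a short token
        env:
          API_KEY: ${{ secrets.API_KEY }}
        run: |
          DERIVED="$(printf '%s' "$API_KEY" | sha256sum | cut -c1-16)"
          echo "::add-mask::$DERIVED"
          echo "DERIVED_TOKEN=$DERIVED" >> "$GITHUB_ENV"
```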
Best practices for GitHub Organizations (Best practices for organizations – GitHub Docs)
- Assign multiple owners.
  - The organization’s projects can become inaccessible if the owner is unreachable.
  - At least two people within each organization should have the owner role; keep in mind that organization owners have full administrative access to the organization.
- Use teams.
  - Use teams to facilitate collaboration and enhance communication in your organization.
  - Keep teams visible whenever possible and reserve secret teams for sensitive situations.
  - Use nested teams.
  - Assign permissions to teams rather than individuals.
- Consider using SAML single sign-on (SSO) authentication if you have mostly private repos in your organization (Managing SAML single sign-on for your organization – GitHub Enterprise Cloud Docs).
  - SSO increases security and centralizes identity and access for the web applications that your team uses; it is a way to control and secure access to organization resources like repositories, issues, and pull requests.
  - Members of your organization will continue to sign into their personal accounts on GitHub.com, but will be redirected to authenticate with your Identity Provider (IdP).
- Enforce two-factor authentication for all GitHub accounts accessing your organization.
- Enable GitHub security tools by default for all repositories (GitHub security features – GitHub Docs).
  - Dependabot
  - Code scanning
  - Secret scanning
- Periodically review access controls and have a process in place for revoking access when someone no longer needs it.
- Set the default permissions granted to GITHUB_TOKEN to restricted (Disabling or limiting GitHub Actions for your organization – GitHub Docs).
Best practices for GitHub Enterprises (Best practices for enterprises – GitHub Enterprise Cloud Docs)
- Use policies (About enterprise policies).
  - Use policies to enforce business rules and regulatory compliance.
- Minimize the number of organizations.
  - A smaller number of organizations encourages innersource practices and allows discussions to involve a wider audience.
  - You can manage repository access and security requirements at a more granular level within each organization by using teams.
- Avoid extensive collaboration in user-owned repositories.
  - Organization-owned repositories have more sophisticated security and administrative features, and they remain accessible even as enterprise membership changes.
- Use human-readable usernames.
  - If you control the usernames for enterprise members, avoid machine-generated IDs that are difficult for humans to read.
- Enforce two-factor authentication for all GitHub accounts accessing your GitHub Enterprise.