Install: claude install-skill hlsitechio/claude-skills-security
# GitHub Repository Hardening
Audit the governance surface of a GitHub repository: who can push what, who reviews, what secrets are scanned, and what bypasses exist. Distinct from `github-supply-chain` (which covers Actions and dependencies); this skill covers repo settings and human workflow controls.
## When this skill applies
- Reviewing branch protection rules or rulesets on the default branch and any release branches
- Confirming CODEOWNERS coverage matches sensitive paths
- Checking secret scanning and push protection are enabled with appropriate patterns
- Reviewing signed-commit enforcement and the underlying signing setup
- Identifying admin bypass paths that defeat the controls above
Use a different skill for Actions/workflow security (`github-supply-chain`) or for code-level bugs (`saas-code-security-review`).
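The checks listed above can be scored mechanically once the settings are in hand. The following is an added example, not part of this skill or of the `hlsitechio/claude-skills-security` repo: it evaluates one branch's classic protection object (the shape returned by `GET /repos/{owner}/{repo}/branches/{branch}/protection`, which `gh api` prints as JSON) against the review, admin-bypass, force-push and signing points, and then checks whether sensitive paths are owned by a specific CODEOWNERS rule rather than only by a catch-all `*` line. The protection values, the CODEOWNERS file, the team names and the sensitive-path list are constructed sample data, and the CODEOWNERS matcher is a simplified gitignore-style implementation, not GitHub's.

```python
"""Evaluate one branch's classic protection settings and CODEOWNERS coverage.

Added example (not the skill's own code). The protection dict follows the
shape of GET /repos/{owner}/{repo}/branches/{branch}/protection; the sample
data and the CODEOWNERS matcher are constructed/simplified assumptions.
"""
import fnmatch
import json

# Constructed sample: what `gh api repos/OWNER/REPO/branches/main/protection`
# might return for a partly hardened repo (hypothetical values).
SAMPLE_PROTECTION = json.loads("""{
  "required_status_checks": {"strict": false, "contexts": ["ci/test"]},
  "enforce_admins": {"enabled": false},
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": false,
    "require_code_owner_reviews": true,
    "required_approving_review_count": 1,
    "require_last_push_approval": false
  },
  "required_signatures": {"enabled": false},
  "required_linear_history": {"enabled": true},
  "allow_force_pushes": {"enabled": true},
  "allow_deletions": {"enabled": false},
  "required_conversation_resolution": {"enabled": false}
}""")

# Constructed sample CODEOWNERS (hypothetical teams and paths).
SAMPLE_CODEOWNERS = """
*             @acme/dev
/.github/     @acme/security
/infra/**     @acme/platform
*.tf          @acme/platform
"""
SENSITIVE_PATHS = [".github/workflows/release.yml", "infra/prod/main.tf",
                   "deploy/secrets.enc", "src/auth/login.py"]


def _enabled(prot, key):
    return bool(prot.get(key, {}).get("enabled", False))


def audit_protection(prot, min_reviews=2):
    """Return human-readable findings for a classic branch-protection object."""
    findings = []
    pr = prot.get("required_pull_request_reviews")
    if pr is None:
        findings.append("no pull request review requirement: direct pushes allowed")
    else:
        count = pr.get("required_approving_review_count", 0)
        if count < min_reviews:
            findings.append(f"required_approving_review_count={count} (< {min_reviews})")
        if not pr.get("dismiss_stale_reviews"):
            findings.append("dismiss_stale_reviews off: approval survives new commits")
        if not pr.get("require_code_owner_reviews"):
            findings.append("require_code_owner_reviews off: CODEOWNERS is advisory only")
        if not pr.get("require_last_push_approval"):
            findings.append("require_last_push_approval off: last pusher can be the approver")
    if not _enabled(prot, "enforce_admins"):
        findings.append("enforce_admins off: admins bypass every rule on this branch")
    if _enabled(prot, "allow_force_pushes"):
        findings.append("allow_force_pushes on: history can be rewritten")
    if _enabled(prot, "allow_deletions"):
        findings.append("allow_deletions on: protected branch can be deleted")
    if not _enabled(prot, "required_signatures"):
        findings.append("required_signatures off: unsigned commits accepted")
    sc = prot.get("required_status_checks")
    if not sc or not sc.get("contexts"):
        findings.append("no required status checks")
    elif not sc.get("strict"):
        findings.append("status checks not strict: branch may be behind base")
    return findings


def parse_codeowners(text):
    """Return [(pattern, [owners])] in file order; later rules take precedence."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            rules.append((parts[0], parts[1:]))
    return rules


def _matches(pattern, path):
    # Simplified gitignore-style matching (assumption: covers the common forms).
    anchored = pattern.startswith("/") or "/" in pattern.rstrip("/")
    pat = pattern.strip("/")
    parts = path.split("/")
    cands = [path] if anchored else ["/".join(parts[i:]) for i in range(len(parts))]
    for cand in cands:
        if pattern.endswith("/"):
            if cand.startswith(pat + "/"):
                return True
        elif fnmatch.fnmatchcase(cand, pat):
            return True
    return False


def codeowners_gaps(paths, rules):
    """Sensitive paths owned by nobody or only by a bare '*' catch-all rule."""
    gaps = []
    for path in paths:
        hit = None
        for pattern, owners in rules:
            if _matches(pattern, path):
                hit = (pattern, owners)  # last match wins, as in CODEOWNERS
        if hit is None or hit[0] == "*" or not hit[1]:
            gaps.append(path)
    return gaps


if __name__ == "__main__":
    for f in audit_protection(SAMPLE_PROTECTION):
        print("FINDING:", f)
    rules = parse_codeowners(SAMPLE_CODEOWNERS)
    print("CODEOWNERS gaps:", codeowners_gaps(SENSITIVE_PATHS, rules))
```

On the sample data this reports seven findings, the most important being `enforce_admins off`: every other rule on the branch is only as strong as that one, which is the admin-bypass path the skill asks you to look for. The two CODEOWNERS gaps (`deploy/secrets.enc`, `src/auth/login.py`) fall through to the `*` line, so a review requirement that relies on `require_code_owner_reviews` gives those paths no owner-specific gate. Repos that use Rulesets instead of classic protection expose a different JSON shape and need a separate evaluator.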
## Workflow
Follow `../_shared/audit-workflow.md`. Skill-specific notes below.
### Phase 1: Scope confirmation
- Single repo, set of repos, or org?
- Does the org have GitHub Advanced Security?
- Is the org on Enterprise Cloud or Server?
- Is the user a repo admin or org admin? (affects which API calls work)
### Phase 2: Inventory
Use the `gh` CLI for everything below (read-only):
```bash
# Repo basics
gh repo view <owner/repo> --json defaultBranchRef,isPrivate,visibility,squashMergeAllowed,mergeCommitAllowed,rebaseMergeAllowed,deleteBranchOnMerge,hasIssuesEnabled,hasWikiEnabled
# Branch protection (classic API; repos that use Rulesets instead expose them through the rulesets endpoint, so check both)
gh api "re