GitHub Repository Setup Guide¶
This guide documents the recommended GitHub repository settings for maintainers and collaborators.
Branch Protection Rules¶
Main Branch Protection (main)¶
Configure branch protection at: Settings → Branches → Add rule
Required Settings¶
| Setting | Value | Rationale |
|---|---|---|
| Branch name pattern | main | Protect primary branch |
| Require pull request before merging | ✅ Enabled | Code review requirement |
| Required approvals | 1+ | At least one review before merge |
| Dismiss stale reviews | ✅ Enabled | Re-review after new commits |
| Require review from CODEOWNERS | ✅ Enabled | Domain expertise on critical files |
| Require status checks to pass | ✅ Enabled | CI must pass |
| Require branches to be up to date | ✅ Enabled | Prevent merge conflicts |
| Require conversation resolution | ✅ Enabled | All feedback addressed |
| Require signed commits | ⚠️ Recommended | Security hardening |
| Require linear history | ❌ Optional | Allow merge commits |
| Include administrators | ✅ Enabled | No bypass for admins |
| Allow force pushes | ❌ Disabled | Prevent history rewriting |
| Allow deletions | ❌ Disabled | Prevent accidental deletion |
Required Status Checks¶
Add these checks (must pass before merge):
- ✅
lint- ShellCheck on mise tasks - ✅
docs-validate- Markdown link validation - ✅
docs-build- MkDocs build success - ✅
build- Main test suite (fast tests) - ✅
test-server-deployment- Dotfiles-only mode validation - ✅
test-windows- Windows provisioning tests
Configuration path: Settings → Branches → Edit rule → Require status checks
CODEOWNERS Configuration¶
File: .github/CODEOWNERS
Automatically requests reviews from specified users/teams for matching paths.
Current Configuration¶
# Default owner for everything
* @jerdaw
# Critical configuration files
/.github/ @jerdaw
/mise.toml @jerdaw
/.chezmoiversion @jerdaw
How It Works¶
- PR modifies
.github/workflows/ci.yml - GitHub automatically requests review from
@jerdaw - Branch protection enforces review before merge
Extending CODEOWNERS¶
Add team-specific ownership:
# Documentation
/docs/ @documentation-team
# Windows support
/mise-tasks/setup/provision/windows/ @windows-maintainers
# Security-sensitive
/dot_config/age/ @security-team
Pull Request Settings¶
Configuration path: Settings → General → Pull Requests
Recommended Settings¶
| Setting | Value | Rationale |
|---|---|---|
| Allow merge commits | ✅ Enabled | Default merge strategy |
| Allow squash merging | ✅ Enabled | Clean up small changes |
| Allow rebase merging | ✅ Enabled | Linear history option |
| Default merge message | Pull request title | Clear merge commits |
| Automatically delete head branches | ✅ Enabled | Cleanup after merge |
| Allow auto-merge | ✅ Enabled | For Renovate automation |
Pull Request Template¶
File: .github/PULL_REQUEST_TEMPLATE.md
Provides checklist for contributors. Review PRs for: - [ ] Follows file naming conventions - [ ] Documentation updated - [ ] CHANGELOG.md updated (if user-facing) - [ ] Tests pass (mise run test) - [ ] Doctor passes (mise run doctor) - [ ] Platform-specific considerations addressed
Issue Templates¶
Location: .github/ISSUE_TEMPLATE/
Configured templates help users provide necessary information.
Available Templates¶
- Bug Report - For reporting issues
- Feature Request - For suggesting enhancements
- Question - For general questions
Managing Templates¶
Edit templates at: Settings → Features → Issues → Set up templates
GitHub Actions Settings¶
Configuration path: Settings → Actions → General
Workflow Permissions¶
| Setting | Value | Rationale |
|---|---|---|
| Workflow permissions | Read and write | Docs deployment, PR comments |
| Allow GitHub Actions to create PRs | ✅ Enabled | For Renovate automation |
Specific Workflow Permissions¶
Workflows define explicit permissions (least-privilege):
ci.yml:
docs.yml:
Renovate Configuration¶
File: .github/renovate.json
Automates dependency updates with smart automerge rules.
Current Strategy¶
- Automerge: Patch updates only (e.g., 1.2.3 → 1.2.4)
- Manual review: Minor updates (e.g., 1.2.x → 1.3.0)
- Manual review: Major updates (e.g., 1.x.x → 2.0.0)
- Grouping: Related updates bundled together
How It Works¶
- Renovate detects outdated dependencies
- Creates PR with update
- CI runs automatically
- If patch update + CI passes → Auto-merge
- If minor/major → Waits for manual review
Adjusting Renovate¶
Edit .github/renovate.json:
{
"extends": ["config:base"],
"automerge": true,
"automergeType": "pr",
"automergeStrategy": "squash",
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"automerge": true
}
]
}
Secrets Management¶
Configuration path: Settings → Secrets and variables → Actions
Repository Secrets¶
Currently configured: - GITHUB_TOKEN - Automatic, provided by GitHub
Adding Secrets (If Needed)¶
For age encryption: 1. Go to Settings → Secrets → New repository secret 2. Name: AGE_SECRET_KEY 3. Value: Your age private key 4. Reference in workflow:
- name: Decrypt secrets
env:
AGE_SECRET_KEY: ${{ secrets.AGE_SECRET_KEY }}
run: age -d -i <(echo "$AGE_SECRET_KEY") secrets.age
Security best practices: - Never commit secrets to repository - Use age encryption for sensitive dotfiles - Rotate secrets if compromised - See SECURITY.md and SECRETS.md
GitHub Pages Settings¶
Configuration path: Settings → Pages
Current Configuration¶
| Setting | Value |
|---|---|
| Source | Deploy from branch |
| Branch | gh-pages / root |
| Custom domain | (Optional) |
| Enforce HTTPS | ✅ Enabled |
How Documentation Deploys¶
- Push to
main(docs changes) docs.ymlworkflow triggers- MkDocs builds site
gh-deploypushes togh-pagesbranch- GitHub Pages serves from
gh-pages
URL: https://<username>.github.io/dotfiles/
Collaborator Access Levels¶
Configuration path: Settings → Collaborators and teams
Access Levels¶
| Role | Permissions | Use Case |
|---|---|---|
| Admin | Full control | Repository owner |
| Maintain | Manage repo without access to sensitive settings | Trusted maintainers |
| Write | Push to repo, create PRs | Regular contributors |
| Triage | Manage issues/PRs without code access | Issue managers |
| Read | View and clone repo | Public (default) |
Recommendations¶
- Owner: Admin access
- Core maintainers: Maintain access
- Regular contributors: Write access (if needed, or use forks)
- Documentation contributors: Write or Triage
Notifications & Watching¶
For Maintainers¶
Recommended watch settings: 1. Go to repository 2. Click "Watch" → "Custom" 3. Enable: - ✅ Issues - ✅ Pull requests - ✅ Releases - ✅ Discussions (if enabled) - ✅ Security alerts
Email Notifications¶
Configure at: Settings → Notifications
Receive emails for: - PR reviews requested - CI failures on your branches - Dependency security alerts - Renovate updates (if desired)
Security Settings¶
Configuration path: Settings → Code security and analysis
Recommended Enabling¶
| Feature | Status | Purpose |
|---|---|---|
| Dependency graph | ✅ Enabled | Track dependencies |
| Dependabot alerts | ✅ Enabled | Security vulnerability alerts |
| Dependabot security updates | ✅ Enabled | Auto-PR for security fixes |
| Code scanning | ⚠️ Optional | CodeQL static analysis |
| Secret scanning | ✅ Enabled | Detect committed secrets |
Secret Scanning¶
Alerts if secrets (API keys, tokens) are committed: - GitHub automatically detects common patterns - Sends alert to repository admins - Recommends rotating compromised secrets
Note: Also using gitleaks in pre-commit hooks for local scanning.
Repository Settings Checklist¶
Use this checklist when setting up a new fork or mirror:
General¶
- Repository name and description set
- Topics added (dotfiles, chezmoi, mise, zsh)
- README.md appears on homepage
- License specified (if applicable)
Access¶
- Collaborators added with appropriate roles
- Teams configured (if organization)
Branches¶
- Default branch is
main - Branch protection rules configured
- Required status checks enabled
- CODEOWNERS enforced
Pull Requests¶
- PR template configured
- Auto-delete head branches enabled
- Auto-merge enabled
Issues¶
- Issue templates configured
- Labels organized
Actions¶
- Workflows enabled
- Workflow permissions set correctly
- Secrets configured (if needed)
Security¶
- Dependabot alerts enabled
- Secret scanning enabled
- SECURITY.md present and linked
Pages¶
- GitHub Pages enabled
- Deploy from
gh-pagesbranch - HTTPS enforced
Maintenance Tasks¶
Regular (Weekly/Monthly)¶
- Review Renovate PRs and merge
- Check Dependabot security alerts
- Review open issues and PRs
- Update CHANGELOG.md and ROADMAP.md
Occasional (Quarterly/Yearly)¶
- Review branch protection rules
- Audit collaborator access
- Review CODEOWNERS accuracy
- Update GitHub Actions workflows
- Review and update documentation
Related Documentation¶
- CONTRIBUTING.md - Contribution guidelines
- SECURITY.md - Security policy and reporting
- CODEOWNERS - Code ownership assignments
- PULL_REQUEST_TEMPLATE.md - PR template
- renovate.json - Dependency automation config
Getting Help¶
GitHub Settings Issues¶
If you can't access Settings: - Check your role (requires Admin or Maintain access) - Contact repository owner for permissions
Workflow Failures¶
See CI-TROUBLESHOOTING.md for debugging CI/CD issues.
Security Concerns¶
See SECURITY.md for reporting security vulnerabilities.