Codex can add repository files and workflows, but it cannot safely click or verify GitHub repository settings from inside the repo. After this PR lands, verify the settings below in GitHub.
Short description: This checklist separates what TrustSignal now manages in-repo from the GitHub settings that still require manual verification in the repository UI.
Audience:
- repository administrators
- security reviewers
- engineering leads
The repository now manages these controls in code:
- Dependabot configuration in `.github/dependabot.yml`
- dependency diff review in `.github/workflows/dependency-review.yml`
- repository vulnerability scanning in `.github/workflows/trivy.yml`
- workflow hardening review in `.github/workflows/zizmor.yml`
- weekly and push-based repository score tracking in `.github/workflows/scorecard.yml`
- review hygiene defaults in `.github/pull_request_template.md`
Not yet managed in-repo:
- `CODEOWNERS`, because repository-specific GitHub usernames or team slugs should not be guessed
Verify in GitHub:
- GitHub Actions is enabled for the repository
- workflow permissions remain restricted to the default least-privilege mode unless a specific workflow requires more
- branch and environment secrets are reviewed for necessity and rotated if stale
Verify in GitHub:
- Dependency graph is enabled
- Dependabot alerts are enabled
- Dependabot security updates are enabled if supported by the repository plan
- Dependabot version updates are allowed for this repository
Verify in GitHub:
- secret scanning is enabled if the repository type and plan support it
- push protection is enabled if available and acceptable for the team workflow
Note:
- secret scanning availability depends on repository visibility and GitHub plan
Recommended manual setup:
- enable code scanning in GitHub Security
- prefer GitHub CodeQL default setup unless you have a clear reason to maintain advanced CodeQL workflow YAML in-repo
Reason:
- this repo already uploads third-party SARIF from Trivy and Scorecard
- CodeQL default setup is usually the safer and lower-maintenance starting point for JavaScript/TypeScript repositories
Configure branch protection or a repository ruleset for `master`:
- require pull requests before merge
- require at least one human PR review
- dismiss stale approvals when new commits are pushed if that matches team policy
- disable force pushes to `master`
- disable branch deletion on `master`
- restrict direct pushes to `master`
- optionally require branches to be up to date before merge
- add a real `CODEOWNERS` file later if the repository has stable maintainer usernames or org team slugs
Recommended baseline for this repository:
- `required_approving_review_count = 1`
- `strict = true`
- required status checks: `lint`, `typecheck`, `test`, `secret-scan`, `dependency-audit`, `signed-receipt-smoke`
Evidence to capture after configuration:
- one `gh api` or GitHub UI export showing branch protection enabled on `master`
- one screenshot showing the required status checks list
- one screenshot or JSON export showing force pushes and deletions disabled
After the workflows have run successfully on `master`, consider requiring these checks before merge:
- `typecheck`
- `web-build`
- `test`
- `signed-receipt-smoke`
- `messaging-check` when docs or web copy changes matter
- Dependency diff review
Optional later:
- Trivy repository scan after the advisory rollout proves low-noise
- zizmor advisory audit for workflow-change pull requests if branch rulesets can scope that requirement safely
Advisory only by default:
- OpenSSF Scorecard analysis
- Open the repository `Settings` and `Security` tabs in GitHub.
- Confirm every workflow appears under Actions and is enabled.
- Confirm Dependabot is creating update PRs on the expected schedule.
- Confirm the Security tab shows dependency graph, Dependabot alerts, and code scanning as enabled where supported.
- Add the required status checks only after at least one successful run for each target check.
- Save one redacted screenshot or `gh api` response showing the final `master` branch protection settings in private compliance evidence storage.

```shell
gh api /repos/TrustSignal-dev/TrustSignal/branches/master/protection
```
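The `gh api` response above can be compared mechanically against the recommended baseline in this checklist (one approving review, strict status checks, the six required contexts, force pushes and deletions disabled). The script below is an added example and is not part of the TrustSignal repository; it reads the protection JSON from stdin when piped from `gh api`, and otherwise audits a constructed sample that deliberately misses one check and leaves deletions enabled. The field names follow the GitHub REST branch protection response (`required_status_checks`, `required_pull_request_reviews`, `allow_force_pushes`, `allow_deletions`); a missing field is treated as a failed control so an unprotected branch never passes.

```python
"""Audit a branch protection JSON export against the checklist baseline.

Added example, not TrustSignal project code. Usage:
    gh api /repos/OWNER/REPO/branches/master/protection | python audit_protection.py
Run with no stdin data to audit the constructed sample below.
"""
import json
import sys

# Baseline taken from the checklist.
BASELINE_REVIEWS = 1
BASELINE_CHECKS = {
    "lint", "typecheck", "test",
    "secret-scan", "dependency-audit", "signed-receipt-smoke",
}

# Constructed sample (not a capture from the real repository): one required
# check is missing and branch deletion is still allowed.
SAMPLE_PROTECTION = {
    "required_status_checks": {
        "strict": True,
        "contexts": ["lint", "typecheck", "test", "secret-scan", "dependency-audit"],
    },
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "required_approving_review_count": 1,
    },
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": True},
}


def _required_contexts(protection: dict) -> set:
    """Collect required check names from both the legacy 'contexts' list
    and the newer 'checks' object list returned by the API."""
    checks = protection.get("required_status_checks") or {}
    contexts = set(checks.get("contexts") or [])
    for entry in checks.get("checks") or []:
        if entry.get("context"):
            contexts.add(entry["context"])
    return contexts


def audit_protection(protection: dict) -> dict:
    """Return {control: passed} for each baseline control.

    Absent keys fail closed: GitHub omits the whole object for an
    unprotected branch, and omitted allow_* flags are treated as enabled.
    """
    reviews = protection.get("required_pull_request_reviews") or {}
    checks = protection.get("required_status_checks") or {}
    force = protection.get("allow_force_pushes") or {}
    delete = protection.get("allow_deletions") or {}
    return {
        "pull_request_required": bool(reviews),
        "approving_reviews_at_least_1":
            reviews.get("required_approving_review_count", 0) >= BASELINE_REVIEWS,
        "strict_status_checks": bool(checks.get("strict")),
        "required_checks_present": BASELINE_CHECKS <= _required_contexts(protection),
        "force_pushes_disabled": not force.get("enabled", True),
        "deletions_disabled": not delete.get("enabled", True),
    }


def missing_checks(protection: dict) -> set:
    """Baseline status checks not yet required on the branch."""
    return BASELINE_CHECKS - _required_contexts(protection)


def failing_controls(protection: dict) -> list:
    """Sorted names of baseline controls that are not satisfied."""
    return sorted(name for name, ok in audit_protection(protection).items() if not ok)


if __name__ == "__main__":
    data = SAMPLE_PROTECTION if sys.stdin.isatty() else json.load(sys.stdin)
    for name, ok in audit_protection(data).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    missing = missing_checks(data)
    if missing:
        print("missing required checks:", ", ".join(sorted(missing)))
    # Non-zero exit lets this double as a CI or compliance gate.
    sys.exit(1 if failing_controls(data) else 0)
```

The exit code makes the audit usable as a scheduled drift check: a branch whose protection was weakened after the initial setup fails the job instead of silently passing, and the printed PASS/FAIL lines serve as the JSON-backed evidence the checklist asks for.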