Configure high-security settings for documentation-only repository

[Copilot]

Repository exists solely to host an extended profile README. Needs security hardening to prevent forks, downloads, and unauthorized modifications.

Automated Enforcement

• GitHub Actions workflow (.github/workflows/security-check.yml)
  • Runs on push/PR to main
  • Blocks executable files via permission bits check (-perm -111)
  • Validates only documentation file types present
  • Minimal token permissions (contents: read)

Documentation

• SECURITY.md - Security policy and repository purpose
• REPOSITORY_SETTINGS.md - Manual configuration checklist:
  • Disable forks: Settings → General → Features → Uncheck "Allow forking"
  • Disable releases: Settings → General → Features → Uncheck "Releases"
  • Branch protection: Settings → Branches → Add rules for main
• SECURITY_SETUP.md - Implementation overview

Supporting Files

• .gitignore - Prevents accidental commits of IDE/build artifacts

Manual Steps Required

Repository owner must apply settings in GitHub UI per REPOSITORY_SETTINGS.md. Workflow enforcement alone cannot disable forks or releases—these require manual configuration.

Original prompt

Set security to high. There is no benefit to allowing requests to forks, merges or downloads. The purpose of this repository is to host a Readme and nothing more. Github only allows a very short about me section which is not nearly enough. With this I can store more information if a visitor wants to look it up.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

This pull request configures high-security settings for a documentation-only repository that hosts an extended profile README. The implementation includes automated enforcement via GitHub Actions and comprehensive documentation for manual security configuration steps.

Changes:

• Added GitHub Actions workflow to validate repository contains only documentation files and block executables
• Created security documentation files (SECURITY.md, SECURITY_SETUP.md, REPOSITORY_SETTINGS.md) with configuration guidance
• Added .gitignore file to prevent accidental commits of IDE/build artifacts

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
.github/workflows/security-check.yml	Automated security validation workflow that checks for executable files and non-documentation file types
SECURITY.md	Security policy documenting repository purpose and security configuration
SECURITY_SETUP.md	Implementation guide explaining what's been configured and required manual steps
REPOSITORY_SETTINGS.md	Step-by-step manual configuration checklist for GitHub repository settings
.gitignore	Patterns to exclude IDE files, build artifacts, and temporary files from version control

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The reference to "Dependency graph" and "Dependabot alerts" settings is inconsistent with the repository's purpose. This is a documentation-only repository with no dependencies to track. The Dependency graph is specifically for analyzing code dependencies in package manifests (package.json, requirements.txt, etc.), which this repository doesn't have. Consider removing both the Dependency graph and Dependabot alerts items from this checklist.

Suggested change

	- [ ] Enable "Dependency graph"
	- [ ] Enable "Dependabot alerts" if applicable

[Copilot]

The description "Main branch should be protected" uses conditional language ("should be") which creates ambiguity about whether this protection is already in place or needs to be configured manually. For consistency and clarity, consider using language that clearly indicates this is a manual configuration requirement, matching the tone of REPOSITORY_SETTINGS.md.

Suggested change

	- **Branch Protection**: Main branch should be protected to prevent unauthorized modifications
	- **Branch Protection**: Configure branch protection rules for the `main` branch to prevent unauthorized modifications

[Copilot]

The shell array syntax and command construction has a potential issue. When building the find command dynamically with eval, the negation logic will exclude all files matching ANY of the allowed patterns. However, since *.yml and *.yaml are in ALLOWED_EXTENSIONS, this workflow file itself would be excluded from the disallowed files check. This means the logic for detecting disallowed files is functioning as intended for filtering, but the overall approach of using eval with dynamically constructed commands can be fragile and has security implications. Consider using a whitelist approach by finding all files and then filtering them with grep or a proper loop instead of eval.

Suggested change

	# Build find command with allowed file types
	FIND_CMD="find . -type f -not -path \"./.git/*\" -not -path \"./.github/*\""
	for ext in "${ALLOWED_EXTENSIONS[@]}"; do
	FIND_CMD="$FIND_CMD -not -name \"$ext\""
	done
	for file in "${ALLOWED_FILES[@]}"; do
	FIND_CMD="$FIND_CMD -not -name \"$file\""
	done
	# Check for disallowed file types
	DISALLOWED=$(eval "$FIND_CMD" | wc -l)
	if [ "$DISALLOWED" -gt 0 ]; then
	echo "Warning: Non-documentation files detected:"
	eval "$FIND_CMD"
	# Find files and filter them against the allowed lists without using eval
	DISALLOWED_FILES=()
	# Iterate over all files (excluding .git and .github) and apply whitelist logic
	while IFS= read -r -d '' FILE; do
	BASENAME=$(basename "$FILE")
	ALLOWED=false
	# Check allowed extensions
	for ext in "${ALLOWED_EXTENSIONS[@]}"; do
	case "$BASENAME" in
	$ext)
	ALLOWED=true
	break
	;;
	esac
	done
	# Check explicitly allowed filenames if not allowed by extension
	if [ "$ALLOWED" = false ]; then
	for allowed_file in "${ALLOWED_FILES[@]}"; do
	if [ "$BASENAME" = "$allowed_file" ]; then
	ALLOWED=true
	break
	fi
	done
	fi
	# Collect disallowed files
	if [ "$ALLOWED" = false ]; then
	DISALLOWED_FILES+=("$FILE")
	fi
	done < <(find . -type f -not -path "./.git/*" -not -path "./.github/*" -print0)
	# Check for disallowed file types
	DISALLOWED=${#DISALLOWED_FILES[@]}
	if [ "$DISALLOWED" -gt 0 ]; then
	echo "Warning: Non-documentation files detected:"
	printf '%s\n' "${DISALLOWED_FILES[@]}"

[Copilot]

This check only produces a warning (not an error) when non-documentation files are found. For a security-focused repository that should only contain documentation, this should fail the workflow (exit 1) rather than just warn. Otherwise, unexpected file types could be merged despite the security check.

Suggested change

	echo "Warning: Non-documentation files detected:"
	eval "$FIND_CMD"
	echo "Error: Non-documentation files detected:"
	eval "$FIND_CMD"
	exit 1

[Copilot]

The description states "Repository downloads should be disabled" with conditional language ("should be"), but given this is a security-focused configuration guide, it would be clearer to use definitive language like "Repository downloads are disabled" or explicitly state this is a manual step that must be completed. The current wording creates ambiguity about whether this is already configured or needs to be configured.

Suggested change

	- **Downloads**: Repository downloads should be disabled as there is no distributable content
	- **Downloads**: Repository downloads are disabled as there is no distributable content