GitHub Safe-Settings

Safe-settings – an app to manage policy-as-code and apply repository settings to repositories across an organization.

  1. In safe-settings all the settings are stored centrally in an admin repo within the organization. This is important. Unlike Settings Probot, the settings files cannot be in individual repositories.

    Note It is possible to override this behavior and specify a custom repo instead of the admin repo.
    This could be done by setting an env variable called ADMIN_REPO.

  2. There are 3 levels at which the settings could be managed:

    1. Org-level settings are defined in .github/settings.yml

      Note It is possible to override this behavior and specify a different filename for the settings yml repo.
      This could be done by setting an env variable called SETTINGS_FILE_PATH.

    2. Suborg level settings. A suborg is an arbitrary collection of repos belonging to projects, business units, or teams. The suborg settings reside in a yaml file for each suborg in the .github/suborgs folder.

    3. Repo level settings. They reside in a repo specific yaml in .github/repos folder

  3. It is recommended to break the settings into org-level, suborg-level, and repo-level units. This will allow different teams to define and manage policies for their specific projects or business units. With CODEOWNERS, this will allow different people to be responsible for approving changes in different projects.

Note Suborg and Repo level settings directory structure cannot be customized.

Note The settings file must have a .yml extension only. .yaml extension is ignored, for now.

How it works

Events

The App listens to the following webhook events:

  • push: If the settings are created or modified, that is, if a push happens on the default branch of the admin repo and the file added or changed is .github/settings.yml, .github/repos/*.yml or .github/suborgs/*.yml, then the settings are applied either globally to all the repos or to specific repos. For each repo, the settings that are actually applied depend on the default settings for the org, overlayed with the settings for the suborg that the repo belongs to, overlayed with the settings for that specific repo.

  • repository.created: If a repository is created in the org, the settings for the repo - the default settings for the org, overlayed with the settings for the suborg that the repo belongs to, overlayed with the settings for that specific repo - are applied.

  • branch_protection_rule: If a branch protection rule is modified or deleted, safe-settings will sync the settings to prevent any unauthorized changes.

  • repository.edited: If the default branch is renamed, safe-settings will sync the settings, returning the default branch to the configured value for the repo.

  • pull_request.opened, pull_request.reopened, check_suite.requested: If the settings are changed, but it is not in the default branch, and there is an existing PR, the code will validate the settings changes by running safe-settings in nop mode and update the PR with the dry-run status.

Restricting safe-settings to specific repos

safe-settings can be turned on for only a subset of repos by listing them in the runtime settings file, deployment-settings.yml.
If no file is specified, the following repositories are exempted by default: 'admin', '.github', 'safe-settings'.
A sample deployment-settings file can be found here.

To apply safe-settings only to a specific list of repos, add them to the restrictedRepos section as include array.

To ignore safe-settings for a specific list of repos, add them to the restrictedRepos section as exclude array.

Note The include and exclude attributes also support regular expressions.
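How include and exclude could be evaluated for a single repository, as an added example that is not part of safe-settings: it assumes include narrows the set first and exclude is applied afterwards, and it anchors each pattern to the whole repository name (the page says the attributes take regular expressions but not how they are matched).

```javascript
// Added example (not safe-settings' own code). Assumptions: `include` narrows the
// managed set, `exclude` is then removed from it, and each entry is a JavaScript
// regular expression anchored to the whole name, so that "test" does not also
// match "contest". safe-settings' own matching rules are not spelled out on the page.

// Repos exempted when no deployment-settings.yml exists (from the page).
const DEFAULT_EXCLUDES = ['admin', '.github', 'safe-settings'];

// Quote a literal repo name so that "." in ".github" is not a regex wildcard.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// True if `repoName` matches any pattern as a whole-name match.
function matchesAny(patterns, repoName) {
  return patterns.some((p) => new RegExp(`^(?:${p})$`).test(repoName));
}

// restrictedRepos: { include?: string[], exclude?: string[] };
// pass undefined when no deployment-settings.yml is present.
function isManaged(restrictedRepos, repoName) {
  if (!restrictedRepos) {
    return !matchesAny(DEFAULT_EXCLUDES.map(escapeRegExp), repoName);
  }
  const include = restrictedRepos.include || [];
  const exclude = restrictedRepos.exclude || [];
  if (include.length > 0 && !matchesAny(include, repoName)) return false;
  return !matchesAny(exclude, repoName);
}
```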

Custom rules

Admins setting up safe-settings can include custom rules that are validated before applying a setting or overriding a broader-scoped setting.

The code has to return true if validation is successful, or false if it isn't.

If the validation fails, the error attribute specified would be used to create the error message in the logs or in the PR checks.

The first use case is where a custom rule has to be applied to a setting on its own. For example: no collaborator should be given admin permissions.

For this type of validation, admins can provide custom code as configvalidators which validates the setting by itself.

For example, for the case above, it would look like:

configvalidators:
  - plugin: collaborators
    error: |
      `Admin role cannot be assigned to collaborators`
    script: |
      console.log(`baseConfig ${JSON.stringify(baseconfig)}`)
      return baseconfig.permission != 'admin'

For convenience this script has access to a variable, baseconfig, that contains the setting that is being applied.

The second use case is where a custom rule has to be applied when a setting at the org or suborg level is being overridden, such as when the default branch protection is being overridden.

For this type of validation, admins can provide custom code as overridevalidators. The script can access two variables, baseconfig and overrideconfig, which represent the base setting and the setting that is overriding it.

A sample would look like:

overridevalidators:
  - plugin: branches
    error: |
      `Branch protection required_approving_review_count cannot be overridden to a lower value`
    script: |
      console.log(`baseConfig ${JSON.stringify(baseconfig)}`)
      console.log(`overrideConfig ${JSON.stringify(overrideconfig)}`)
      if (baseconfig.protection.required_pull_request_reviews.required_approving_review_count && overrideconfig.protection.required_pull_request_reviews.required_approving_review_count ) {
        return overrideconfig.protection.required_pull_request_reviews.required_approving_review_count >= baseconfig.protection.required_pull_request_reviews.required_approving_review_count
      }
      return true

A sample deployment-settings file can be found here.
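The override validator from the sample above, written as a plain function so it can be tested outside the app; this is an added example and not safe-settings' own code. It goes beyond the page's script by treating an explicit null (which the settings format uses to disable a block) as a weakening, and it assumes that an absent key inherits the base value through the overlay while null removes the block.

```javascript
// Added example (not safe-settings' own code): the page's overridevalidator for
// required_approving_review_count as a testable function. Its body could be used
// under `overridevalidators[].script`, where the app supplies `baseconfig` and
// `overrideconfig`. Assumption: an absent key inherits the base value through the
// overlay, while an explicit `null` disables (removes) the block.
const MISSING = Symbol('missing');

// Follow `path` through `obj`. Returns MISSING when a key is absent, null when a
// parent block was explicitly set to null, and the value otherwise.
function lookup(obj, path) {
  let cur = obj;
  for (const key of path) {
    if (cur === null) return null;
    if (!cur || typeof cur !== 'object' || !(key in cur)) return MISSING;
    cur = cur[key];
  }
  return cur;
}

const COUNT_PATH = [
  'protection',
  'required_pull_request_reviews',
  'required_approving_review_count',
];

// true = override accepted, false = validation error (the contract the page
// states for validator scripts).
function approvalsNotLowered(baseconfig, overrideconfig) {
  const base = lookup(baseconfig, COUNT_PATH);
  if (base === MISSING || base === null) return true; // org sets no minimum
  const override = lookup(overrideconfig, COUNT_PATH);
  if (override === MISSING) return true; // key absent: inherits the base value
  if (override === null) return false;   // block disabled: drops the requirement
  return override >= base;
}
```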

Performance

When there are 1000s of repos to be managed -- and there is a global settings change -- safe-settings will have to work efficiently and only make the necessary API calls.

The app also has to complete the work within an hour: the lifetime of the GitHub app token.

To address these constraints the following design decisions have been implemented:

  1. Probot automatically handles rate and abuse limits.
  2. Instead of loading all the repo contents from .github/repos/*, it selectively loads the specific repo file for the repo whose settings have changed, or the subset of repo files associated with the suborg settings that have changed. The only time all the repo files are loaded is when there is a global settings file change.
  3. The PR check will only provide a summary of errors and changes. (Providing the details of changes for 1000s of repos will error out.)
  4. To ensure it handles updates to GitHub intelligently, it will compare the changes with the settings in GitHub, and will call the API only if there are real changes.

Comparing changes with GitHub

To determine if there are real changes, the code will generate a detailed list of additions, modifications, and deletions compared to the settings in GitHub:

For example, if the settings are:

{
  "branches": [
    {
      "name": "master",
      "protection": {
        "required_pull_request_reviews": {
          "required_approving_review_count": 2,
          "dismiss_stale_reviews": false,
          "require_code_owner_reviews": true,
          "dismissal_restrictions": {}
        },
        "required_status_checks": {
          "strict": true,
          "contexts": []
        },
        "enforce_admins": false
      }
    }
  ]
}

and the settings in GitHub are:

{
  "branches": [
    {
      "name": "master",
      "protection": {
        "url": "https://api.github.com/repos/decyjphr-org/test/branches/develop/protection",
        "required_status_checks": {
          "url": "https://api.github.com/repos/decyjphr-org/test/branches/develop/protection/required_status_checks",
          "strict": true,
          "contexts": [],
          "contexts_url": "https://api.github.com/repos/decyjphr-org/test/branches/develop/protection/required_status_checks/contexts",
          "checks": []
        },
        "restrictions": {
          "url": "https://api.github.com/repos/decyjphr-org/test/branches/develop/protection/restrictions",
          "users_url": "https://api.github.com/repos/decyjphr-org/test/branches/develop/protection/restrictions/users",
          "teams_url": "https://api.github.com/repos/decyjphr-org/test/branches/develop/protection/restrictions/teams",
          "apps_url": "https://api.github.com/repos/decyjphr-org/test/branches/develop/protection/restrictions/apps",
          "users": [],
          "teams": [],
          "apps": []
        },
        "required_pull_request_reviews": {
          "url": "https://api.github.com/repos/decyjphr-org/test/branches/develop/protection/required_pull_request_reviews",
          "dismiss_stale_reviews": true,
          "require_code_owner_reviews": true,
          "required_approving_review_count": 2,
          "dismissal_restrictions": {
            "url": "https://api.github.com/repos/decyjphr-org/test/branches/develop/protection/dismissal_restrictions",
            "users_url": "https://api.github.com/repos/decyjphr-org/test/branches/develop/protection/dismissal_restrictions/users",
            "teams_url": "https://api.github.com/repos/decyjphr-org/test/branches/develop/protection/dismissal_restrictions/teams",
            "users": [],
            "teams": []
          }
        },
        "required_signatures": false,
        "enforce_admins": false,
        "required_linear_history": false,
        "allow_force_pushes": {
          "enabled": false
        },
        "allow_deletions": false,
        "required_conversation_resolution": false
      }
    }
  ]
}

the results of comparison would be:

{
  "additions": {},
  "modifications": {
    "branches": [
      {
        "protection": {
          "required_pull_request_reviews": {
            "dismiss_stale_reviews": false
          }
        },
        "name": "master"
      }
    ]
  },
  "hasChanges": true
}

Schedule

The App can be configured to apply the settings on a schedule. This could be a way to address configuration drift since webhooks are not always guaranteed to be delivered.

To periodically converge the settings to the configuration, set the CRON environment variable. This is based on node-cron and details on the possible values can be found here.

Pull Request Workflow

Safe-settings explicitly looks in the admin repo in the organization for the settings files. The admin repo could be a restricted repository with branch protections and codeowners.

In that setup, when changes happen to the settings files and there is a PR to merge the changes back to the default branch of the admin repo, safe-settings will run checks, which run in nop mode and produce a report of the changes that would happen, including the API calls and the payload.

The checks will fail if org-level branch protections are overridden at the repo or suborg level with a lesser number of required approvers.

The Settings file

The settings file can be used to set the policies at the Org, suborg or repo level.

Using the settings, the following things can be configured:

  • Repository settings - home page, url, visibility, has_issues, has_projects, wikis, etc.
  • default branch - naming and renaming
  • Repository Topics
  • Teams and permissions
  • Collaborators and permissions
  • Issue labels
  • Branch protections - if the name of the branch is default in the settings, it is applied to the default branch of the repo.
  • Autolinks
  • repository name validation using regex pattern

It is possible to provide include or exclude settings to restrict collaborators, teams, or labels to a list of repos, or to exclude a set of repos for a collaborator.

Here is an example settings file:

# These settings are synced to GitHub by https://github.com/github/safe-settings

repository: 
  # This is the settings that need to be applied to all repositories in the org 
  # See https://docs.github.com/en/rest/reference/repos#create-an-organization-repository for all available settings for a repository  
  # A short description of the repository that will show up on GitHub
  description: description of the repo
  
  # A URL with more information about the repository
  homepage: https://example.github.io/
    
  # Keep this as true for most cases
  # A lot of the policies below cannot be implemented on bare repos
  # Pass true to create an initial commit with empty README.
  auto_init: true
    
  # A list of topics to set on the repository - can alternatively set like this: [github, probot, new-topic, another-topic, topic-12]
  topics:
  - github
  - probot
  - new-topic
  - another-topic
  - topic-12

  # Settings for Code security and analysis
  # Dependabot Alerts
  security:
    enableVulnerabilityAlerts: true
    enableAutomatedSecurityFixes: true
  
  # Either `true` to make the repository private, or `false` to make it public. 
  # If this value is changed and if Org members cannot change the visibility of repos
  # it would result in an error when updating a repo
  private: true
  
  # Can be public or private. If your organization is associated with an enterprise account using 
  # GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+, visibility can also be internal. 
  visibility: private
  
  # Either `true` to enable issues for this repository, `false` to disable them.
  has_issues: true
  
  # Either `true` to enable projects for this repository, or `false` to disable them.
  # If projects are disabled for the organization, passing `true` will cause an API error.
  has_projects: true
  
  # Either `true` to enable the wiki for this repository, `false` to disable it.
  has_wiki: true
  
  # The default branch for this repository.
  default_branch: main-enterprise
  
  # Desired language or platform [.gitignore template](https://github.com/github/gitignore) 
  # to apply. Use the name of the template without the extension. 
  # For example, "Haskell".
  gitignore_template: node
  
  # Choose an [open source license template](https://choosealicense.com/) 
  # that best suits your needs, and then use the 
  # [license keyword](https://help.github.com/articles/licensing-a-repository/#searching-github-by-license-type) 
  # as the `license_template` string. For example, "mit" or "mpl-2.0".
  license_template: mit
  
  # Either `true` to allow squash-merging pull requests, or `false` to prevent
  # squash-merging.
  allow_squash_merge: true
  
  # Either `true` to allow merging pull requests with a merge commit, or `false`
  # to prevent merging pull requests with merge commits.
  allow_merge_commit: true
  
  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
  # rebase-merging.
  allow_rebase_merge: true
  
  # Either `true` to allow auto-merge on pull requests, 
  # or `false` to disallow auto-merge.
  # Default: `false`
  allow_auto_merge: true
  
  # Either `true` to allow automatically deleting head branches 
  # when pull requests are merged, or `false` to prevent automatic deletion.
  # Default: `false`
  delete_branch_on_merge: true  
      
  # Whether to archive this repository. false will unarchive a previously archived repository.
  archived: false

# The following attributes are applied to any repo within the org
# So if a repo is not listed above is created or edited
# The app will apply the following settings to it
labels:
  # Labels: define labels for Issues and Pull Requests
  include:
    - name: bug
      color: CC0000
      description: An issue with the system

    - name: feature
      # If including a `#`, make sure to wrap it with quotes!
      color: '#336699'
      description: New functionality.

    - name: first-timers-only
      # include the old name to rename an existing label
      oldname: Help Wanted
      color: '#326699'

    - name: new-label
      # include the old name to rename an existing label
      oldname: Help Wanted
      color: '#326699'
  exclude:
    # don't delete any labels created on GitHub that starts with "release"
    - name: ^release

milestones:
# Milestones: define milestones for Issues and Pull Requests
  - title: milestone-title
    description: milestone-description
    # The state of the milestone. Either `open` or `closed`
    state: open

collaborators:
# Collaborators: give specific users access to any repository.
# See https://docs.github.com/en/rest/reference/collaborators#add-a-repository-collaborator for available options
- username: regpaco
  permission: push
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
- username: beetlejuice
  permission: pull
# You can exclude a list of repos for this collaborator and all repos except these repos would have this collaborator
  exclude:
  - actions-demo
- username: thor
  permission: push
# You can include a list of repos for this collaborator and only those repos would have this collaborator
  include:
  - actions-demo
  - another-repo

teams:
# Teams See https://docs.github.com/en/rest/reference/teams#create-a-team for available options
  - name: core
    # The permission to grant the team. Can be one of:
    # * `pull` - can pull, but not push to or administer this repository.
    # * `push` - can pull and push, but not administer this repository.
    # * `admin` - can pull, push and administer this repository.
    permission: admin
  - name: docss
    permission: push
  - name: docs
    permission: pull
  # Visibility is only honored when the team is created not for existing teams.
  # It can be either secret (default) or closed (visible to all members of the org)
  - name: globalteam
    permission: push
    visibility: closed

branches:
  # If the name of the branch value is specified as `default`, then the app will create a branch protection rule to apply against the default branch in the repo
  - name: default
    # https://docs.github.com/en/rest/reference/branches#update-branch-protection
    # Branch Protection settings. Set to null to disable
    protection:
      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
      required_pull_request_reviews:
        # The number of approvals required. (1-6)
        required_approving_review_count: 1
        # Dismiss approved reviews automatically when a new commit is pushed.
        dismiss_stale_reviews: true
        # Blocks merge until code owners have reviewed.
        require_code_owner_reviews: true
        # Whether the most recent reviewable push must be approved by someone other than the person who pushed it.
        require_last_push_approval: true
        # Allow specific users, teams, or apps to bypass pull request requirements. Set to null to disable.
        bypass_pull_request_allowances:
          apps: []
          users: []
          teams: []
        # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
        dismissal_restrictions:
          users: []
          teams: []
      # Required. Require status checks to pass before merging. Set to null to disable
      required_status_checks:
        # Required. Require branches to be up to date before merging.
        strict: true
        # Required. The list of status checks to require in order to merge into this branch
        contexts: []
      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
      enforce_admins: true
      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
      restrictions:
        apps: []
        users: []
        teams: []

# See the docs (https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-autolinks-to-reference-external-resources) for a description of autolinks and replacement values.
autolinks:
  - key_prefix: 'JIRA-'
    url_template: 'https://jira.github.com/browse/JIRA-<num>'
  - key_prefix: 'MYLINK-'
    url_template: 'https://mywebsite.com/<num>'
        
validator:
  #pattern: '[a-zA-Z0-9_-]+_[a-zA-Z0-9_-]+.*' 
  pattern: '[a-zA-Z0-9_-]+'

Additional values

In addition to the values above, the settings file can have some additional values:

  1. force_create: This is set in the repo-level settings to force create the repo if the repo does not exist.
  2. template: This is set in the repo-level settings, and is used with the force_create flag to use a specific repo template when creating the repo
  3. suborgrepos: This is set in the suborg-level settings to define an array of repos. This field can also take a glob pattern, allowing a wildcard expression to specify the repos in a suborg. For example, test* would include test, test1, testing, etc.
  4. The suborgteams section contains a list of teams, and all the repos belonging to the teams would be part of the suborg

Env variables

You can pass environment variables; the easiest way to do it is in a .env file.

  1. CRON: you can pass a cron expression to run safe-settings on a regular schedule. This is based on node-cron. For example:
# ┌──────────────── second (optional)
# │ ┌────────────── minute
# │ │ ┌──────────── hour
# │ │ │ ┌────────── day of month
# │ │ │ │ ┌──────── month
# │ │ │ │ │ ┌────── day of week
# │ │ │ │ │ │
# │ │ │ │ │ │
# * * * * * *
CRON=* * * * * # Run every minute
  2. The logging level can be set using LOG_LEVEL. For example:
LOG_LEVEL=trace
  3. Enable pull request comments using ENABLE_PR_COMMENT. For example:
ENABLE_PR_COMMENT=true

Runtime Settings

  1. Besides the above settings files, the application can be bootstrapped with runtime settings.
  2. The runtime settings are configured in deployment-settings.yml that is in the directory from where the GitHub app is running.
  3. Currently the only possible setting is restrictedRepos: [...], which allows you to configure a list of repos within your org that are excluded from the settings. If deployment-settings.yml is not present, the following repos are added to the restrictedRepos list by default: 'admin', '.github', 'safe-settings'

Notes

  1. Label color can also start with #, e.g. color: '#F341B2'. Make sure to wrap it with quotes!
  2. Each top-level element under branch protection must be filled (eg: required_pull_request_reviews, required_status_checks, enforce_admins and restrictions). If you don't want to use one of them you must set it to null (see comments in the example above). Otherwise, none of the settings will be applied.
  3. The precedence order is repository > suborg > org (.github/repos/*.yml > .github/suborgs/*.yml > .github/settings.yml).

How to use

  1. Install the app.

  2. Create an admin repo within your organization (the repository must be called admin).

  3. Add the settings for the org, suborgs, and repos. A list of sample files can be found here.

Deployment

See docs/deploy.md if you would like to run your own instance of this plugin.

License

safe-settings is licensed under the ISC license.

safe-settings uses 3rd party libraries, each with their own license. These are found here.
