Update repository settings

> [!CAUTION]
> This issue is raised due to current limitations of the GitHub API and/or for security reasons.
> __Human should review and apply all/some of the settings__ described here.

# Pre-requisites

Enable the following for all repositories:

- __[Mend Renovate Bot App for GitHub](https://github.com/marketplace/renovate)__ (automatically updates dependencies).
- __[StepSecurity Actions Security](https://github.com/apps/stepsecurity-actions-security)__ (manages GitHub Actions egress rules).

> [!NOTE]
> If [StepSecurity App](https://github.com/apps/stepsecurity-actions-security) is not installed, your code remains functional but less secure. More details [here](https://github.com/step-security/harden-runner).

# Security hardening

Follow these steps for best practices (available in your plan).

## Creating Personal Access Token (PAT)

> [!CAUTION]
> Use the suggested scope and expiration date to reduce exposure.

1. Go to [__GitHub Personal Access Token__ creation page](https://github.com/settings/personal-access-tokens/new) and create a token with:

- __Token name__: opentemplate-one-time-settings

- __Resource owner__: open-nudge

- __Expiration date__: Custom ➡️ next day

- __Repository access__: Only select repositories ➡️ Select repositories ➡️ open-nudge/opentemplate

- __Permissions__: Repository permissions:

  - __Administration__: Read & write (multiple operations: [`rulesets`](https://docs.github.com/en/rest/repos/rules?apiVersion=2022-11-28#create-a-repository-ruleset), [`gh-pages`](https://docs.github.com/en/rest/pages/pages?apiVersion=2022-11-28#create-a-github-pages-site), [general](https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#update-a-repository), [private vulnerability reporting](https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#enable-private-vulnerability-reporting-for-a-repository), [vulnerability alerts](https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#enable-vulnerability-alerts), enabling discussions)
  - __Pages__: Read & write (setup `gh-pages`; [permission source](https://docs.github.com/en/rest/pages/pages?apiVersion=2022-11-28#create-a-github-pages-site))

> Click __Generate token__ and copy it.

1. Add it to repository secrets:

- Open [secrets](https://github.com/open-nudge/opentemplate/settings/secrets/actions/new)
- __Name__: `TEMPLATE_GITHUB_TOKEN` (__exactly this name__).
- __Secret__: Paste the token.

## Running the workflow

Manually run the `Harden` workflow ([click here](https://github.com/open-nudge/opentemplate/actions/workflows/harden.yml)) and enter:

- __Plan type__: [Check here](https://docs.github.com/en/get-started/learning-about-github/githubs-plans) if unsure.
- __Reviewers for pull requests__: `2` (secure), `1` (common), `0` (solo devs). Read more [here](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection).

## Cleanup

Remove `TEMPLATE_GITHUB_TOKEN` from [repository secrets](https://github.com/open-nudge/opentemplate/settings/secrets/actions).

# PyPI deployment

> [!CAUTION]
> __Skip if you want a private project.__ You can enable this later.

To deploy a Python package to PyPI:

Go to [PyPI Publishing](https://pypi.org/manage/account/publishing/), scroll to "Add a new pending publisher" and enter:

- __PyPI Project Name__: opentemplate
- __Owner__: open-nudge
- __Repository name__: opentemplate
- __Workflow name__: release.yml

GitHub Actions will now deploy to PyPI on new releases.

> [!TIP]
> Releasing to PyPI after the setup is advised. Due to the versioning scheme, first release will be `0.0.1` which can be iterated later on (with `0.1.0` marking first usable release).



# Dependency Graph

[Enable Dependency Graph manually](https://github.com/open-nudge/opentemplate/settings/security_analysis). __Without it, GitHub SBOM will not appear in `Releases`__.



# Organization setup

> [!TIP]
> Refer to [this guide](https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file) for community health files (e.g. `funding.yml`).

# Additional resources

- [Open Source Guide](https://opensource.guide/)
- [Open Source Security Foundation Guides](https://openssf.org/resources/guides/)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Update repository settings #1

Pre-requisites

Security hardening

Creating Personal Access Token (PAT)

Running the workflow

Cleanup

PyPI deployment

Dependency Graph

Organization setup

Additional resources

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Update repository settings #1

Description

Pre-requisites

Security hardening

Creating Personal Access Token (PAT)

Running the workflow

Cleanup

PyPI deployment

Dependency Graph

Organization setup

Additional resources

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions