From infra-skills
Set up and harden a public GitHub repository — repo settings, security, branch protection, templates, CI, and dependabot.
Slash command: /infra-skills:gh-os-repo
Summary shown in Claude's skill listing (used to decide when to auto-load this skill):
You configure a GitHub repository for open source distribution. This is a comprehensive checklist covering repo settings, security hardening, branch protection, community templates, CI, and dependency management.
Template files are in assets/.github/ — copy them into the target repo's .github/ directory and customize placeholders ({owner}, {repo}) for the project.
Configure repository settings via gh api (the token used by gh must have admin rights on the repository):
```bash
gh api repos/{owner}/{repo} -X PATCH \
  -f description="<project description>" \
  -F has_issues=true \
  -F has_discussions=true \
  -F has_wiki=false \
  -F has_projects=true \
  -F allow_squash_merge=true \
  -F allow_merge_commit=true \
  -F allow_rebase_merge=false \
  -F delete_branch_on_merge=true \
  -F allow_auto_merge=false \
  -F web_commit_signoff_required=false \
  -f squash_merge_commit_title="COMMIT_OR_PR_TITLE" \
  -f squash_merge_commit_message="COMMIT_MESSAGES" \
  -f merge_commit_title="MERGE_MESSAGE" \
  -f merge_commit_message="PR_TITLE"
```
Key decisions encoded above: squash and merge commits are allowed but rebase merges are not; the wiki is off while issues, discussions and projects are on; auto-merge is off; head branches are deleted once merged; and web commit sign-off is not required.
Add topics for discoverability:
```bash
gh repo edit --add-topic "topic1,topic2,topic3"
```
Enable all security features:
```bash
gh api repos/{owner}/{repo} -X PATCH \
  -f "security_and_analysis[dependabot_security_updates][status]=enabled" \
  -f "security_and_analysis[secret_scanning][status]=enabled" \
  -f "security_and_analysis[secret_scanning_push_protection][status]=enabled"
```
This ensures that Dependabot opens pull requests for dependencies with known vulnerabilities, that credentials already committed are detected, and that a push containing a detectable secret is rejected before it lands. Dependabot security updates depend on Dependabot alerts and the dependency graph being enabled for the repository; if the PATCH is rejected or the feature still reads disabled afterwards, enable alerts first (the repos/{owner}/{repo}/vulnerability-alerts endpoint) and retry.
Set up required status checks and conversation resolution:
```bash
gh api repos/{owner}/{repo}/branches/main/protection -X PUT \
  --input - <<'EOF'
{
  "required_status_checks": {
    "strict": true,
    "contexts": ["Build", "Test", "Lint", "Format Check"]
  },
  "enforce_admins": false,
  "required_pull_request_reviews": null,
  "restrictions": null,
  "required_linear_history": false,
  "allow_force_pushes": false,
  "allow_deletions": false,
  "required_conversation_resolution": true
}
EOF
```
Key settings: strict: true requires the pull request branch to be up to date with main before it can merge; the four contexts must match the CI job names exactly, because a required check that never reports leaves the pull request waiting for status and blocks the merge; conversation resolution is required; force pushes and branch deletion are blocked; no reviews are required, which suits a single-maintainer project; and enforce_admins: false means repository admins are not bound by any of this, so switch it on once more than one person holds admin.
Create a ruleset for defense-in-depth:
```bash
gh api repos/{owner}/{repo}/rulesets -X POST \
  --input - <<'EOF'
{
  "name": "Main Branch Protection",
  "target": "branch",
  "enforcement": "active",
  "conditions": {
    "ref_name": {
      "include": ["~DEFAULT_BRANCH"],
      "exclude": []
    }
  },
  "rules": [
    { "type": "non_fast_forward" },
    { "type": "deletion" },
    {
      "type": "required_status_checks",
      "parameters": {
        "strict_required_status_checks_policy": false,
        "do_not_enforce_on_create": false,
        "required_status_checks": [
          { "context": "All Clear" }
        ]
      }
    }
  ],
  "bypass_actors": [
    {
      "actor_id": 5,
      "actor_type": "RepositoryRole",
      "bypass_mode": "exempt"
    }
  ]
}
EOF
```
The "All Clear" context should be a final CI job that depends on all other checks; that way the ruleset lists a single required check even as individual CI jobs change. Two details make this gate actually gate: the job needs name: All Clear, because the check context GitHub reports is the job's display name, not its YAML id; and it needs if: always() together with an explicit failure when any job in needs did not succeed, because a gate job that is merely skipped after a dependency fails reports a skipped status, which required status checks treat as passing. Note also that actor_id 5 with actor_type RepositoryRole is the Admin role, so this ruleset, like enforce_admins: false above, leaves repository admins able to bypass the check; drop bypass_actors when more than one person holds admin.
Create or verify these exist at the repo root:
Copy assets/.github/ into the target repo and customize:
| Asset | Customize |
|---|---|
| CODEOWNERS | Replace {owner}, adjust paths to project structure |
| ISSUE_TEMPLATE/bug_report.md | Add project-specific environment fields |
| ISSUE_TEMPLATE/feature_request.md | Ready to use as-is |
| ISSUE_TEMPLATE/infrastructure-change.md | Ready to use as-is |
| ISSUE_TEMPLATE/config.yml | Replace {owner}/{repo} in discussions URL |
| DISCUSSION_TEMPLATE/ideas.yml | Update intro text for the project |
| DISCUSSION_TEMPLATE/q-a.yml | Update intro text for the project |
| PULL_REQUEST_TEMPLATE.md | Ready to use as-is |
| dependabot.yml | Uncomment and set language ecosystem |
| BRANCH_PROTECTION.md | Update CI check names to match actual workflow |
Set up .github/workflows/ci.yml:
```yaml
name: CI
on:
  push:
    branches: [main]
  pull_request:
# Least-privilege default for GITHUB_TOKEN; raise it per job only where a job needs more
permissions:
  contents: read
jobs:
  build:
    name: Build          # the reported check context; must match the protection payload
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # ... language-specific build steps
  # Repeat for test, lint, format-check, named Test, Lint and Format Check
  all-clear:
    name: All Clear
    runs-on: ubuntu-latest
    needs: [build, test, lint, format-check]
    if: always()         # run even when a dependency failed, so this job can fail rather than be skipped
    steps:
      - name: Fail unless every upstream job succeeded
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')
        run: exit 1
      - run: echo "All checks passed"
```
If the project uses semantic versioning, set up .github/workflows/release.yml, triggered on tags matching v*.
Run through this checklist:
```bash
# Repo settings
gh repo view {owner}/{repo} --json description,visibility,hasIssuesEnabled,hasDiscussionsEnabled,hasWikiEnabled
# Security
gh api repos/{owner}/{repo} --jq '.security_and_analysis'
# Branch protection
gh api repos/{owner}/{repo}/branches/main/protection
# Rulesets
gh api repos/{owner}/{repo}/rulesets
# License detected
gh repo view {owner}/{repo} --json licenseInfo
# Templates exist
ls .github/ISSUE_TEMPLATE/ .github/DISCUSSION_TEMPLATE/ .github/PULL_REQUEST_TEMPLATE.md .github/CODEOWNERS .github/dependabot.yml
```
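Reading the raw JSON from those gh api calls by eye is error-prone, so here is an added check (example code written for this page, not part of the infra-skills plugin) that audits the responses against the expectations set earlier: the three security features, the merge settings, the required check contexts, and the branch protection flags. Run it as python audit_repo.py {owner}/{repo} with gh already authenticated; the script name is an assumption, and the SAMPLE_* documents are constructed here to illustrate what an unhardened repository looks like.

```python
import json
import subprocess
import sys

# Must match the `name:` of the CI jobs exactly (see the protection payload above).
REQUIRED_CONTEXTS = {"Build", "Test", "Lint", "Format Check"}
SECURITY_FEATURES = (
    "dependabot_security_updates",
    "secret_scanning",
    "secret_scanning_push_protection",
)


def _enabled(value) -> bool:
    # The protection GET response wraps flags as {"enabled": bool}; accept bare bools too.
    if isinstance(value, dict):
        return bool(value.get("enabled"))
    return bool(value)


def audit_repo(repo: dict) -> list:
    """Findings for the output of `gh api repos/{owner}/{repo}`."""
    findings = []
    analysis = repo.get("security_and_analysis") or {}
    for feature in SECURITY_FEATURES:
        status = (analysis.get(feature) or {}).get("status")
        if status != "enabled":
            findings.append(f"security: {feature} is {status or 'absent'}")
    if repo.get("allow_rebase_merge"):
        findings.append("merge: rebase merges are allowed")
    if not repo.get("delete_branch_on_merge"):
        findings.append("merge: head branches are kept after merge")
    return findings


def audit_protection(protection) -> list:
    """Findings for `.../branches/main/protection`; pass None when gh returned 404."""
    if not protection:
        return ["protection: main has no branch protection"]
    findings = []
    checks = protection.get("required_status_checks") or {}
    contexts = set(checks.get("contexts") or [])
    contexts |= {c.get("context") for c in checks.get("checks") or []}
    missing = sorted(REQUIRED_CONTEXTS - contexts)
    if missing:
        findings.append(f"protection: required checks missing {missing}")
    if not checks.get("strict"):
        findings.append("protection: branch need not be up to date to merge")
    if _enabled(protection.get("allow_force_pushes")):
        findings.append("protection: force pushes are allowed")
    if _enabled(protection.get("allow_deletions")):
        findings.append("protection: branch deletion is allowed")
    if not _enabled(protection.get("required_conversation_resolution")):
        findings.append("protection: conversation resolution not required")
    if not _enabled(protection.get("enforce_admins")):
        findings.append("protection: admins can bypass (enforce_admins off)")
    return findings


def gh_json(path: str):
    """Run `gh api PATH`; None when gh exits non-zero (for example a 404)."""
    proc = subprocess.run(["gh", "api", path], capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.returncode == 0 else None


def audit(owner_repo: str) -> list:
    """Audit a live repository; gh must be authenticated with admin access."""
    base = f"repos/{owner_repo}"
    return (audit_repo(gh_json(base) or {})
            + audit_protection(gh_json(f"{base}/branches/main/protection")))


# Constructed sample: a repository before this checklist was applied.
SAMPLE_REPO = {
    "allow_rebase_merge": True,
    "delete_branch_on_merge": False,
    "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "disabled"},
    },
}
SAMPLE_PROTECTION = {
    "required_status_checks": {"strict": True, "contexts": ["Build", "Test"]},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_conversation_resolution": {"enabled": True},
}

if __name__ == "__main__":
    problems = audit(sys.argv[1])
    print("\n".join(problems) or "all expectations met")
    sys.exit(1 if problems else 0)
```

The script flags enforce_admins even though the payload on this page sets it to false on purpose; that keeps the admin bypass a decision you re-confirm at every audit rather than something that silently persists. The rulesets list endpoint returns only summaries, so to check the "All Clear" rule and its bypass actors the same way, fetch each ruleset by id (repos/{owner}/{repo}/rulesets/{id}), which is the response that carries the rules.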
Install: npx claudepluginhub eyelock/assistants --plugin infra-skills