github-visibility
Toggle GitHub repo between private and public with security hardening, contribution lockdown, and pre-flight safety checks.
| Field | Value |
|---|---|
| name | github-visibility |
| description | Toggle GitHub repo between private and public with security hardening, contribution lockdown, and pre-flight safety checks. |
| argument-hint | `<public\|private> [--force] [--skip-security-check]` |
| allowed-tools | Bash, Write, Read, Glob, Grep |
Safely toggle a GitHub repository between private and public visibility. Applies the right security and access settings for each state. Public repos become read-only showcases — clone and fork only, no outside contributions.
Designed to work alongside: /github-secure. Detects whether it's been run and adapts (patches security.yml CodeQL job, patches branch protection status checks). Does not invoke github-secure.
- `<public|private>` — Required. Target visibility. No auto-toggle — explicit target prevents accidents.
- `--force` — Bypass pre-flight sensitive data check (use when you've already audited).
- `--skip-security-check` — Skip secret scanning entirely (faster, less safe).

Going public:

- `security.yml` (if exists)
- Add `CodeQL Analysis` to required checks
- `.github/workflows/close-external-prs.yml` → created (auto-closes fork PRs)
- `LICENSE` → created with MIT template (if missing)

Going private:

- `if: github.repository_visibility == 'public'` added to `security.yml`
- Remove `CodeQL Analysis` from required checks
- `.github/workflows/close-external-prs.yml` → deleted (not needed when private)
- `LICENSE` → left in place

Prerequisite: `gh` CLI installed and authenticated.

```bash
# Verify gh CLI
gh auth status

# Detect repo info
REPO=$(gh repo view --json nameWithOwner -q .nameWithOwner)
GH_USER=$(gh api user -q .login)
DEFAULT_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name)
CURRENT_VIS=$(gh repo view --json visibility -q .visibility)
```
If already at target visibility → exit early with message: "Repository is already `<target>`. No changes needed."
Skip if --skip-security-check or --force. Any failure blocks unless --force.
Run all four checks. If any find issues, report them and block.
- `.env`, `.pem`, `.key`, `.p12`, `.credentials`, `.secret`, `.pfx`, `id_rsa`, `id_ed25519` in tracked files
- AWS access key IDs (`AKIA`), Stripe keys (`sk_live_`), GitHub tokens (`ghp_`, `gho_`, `github_pat_`), generic passwords (`password\s*=`, `secret\s*=`), connection strings (`mongodb+srv://`, `postgres://`)
- `.gitignore` coverage — Verify `.gitignore` exists and covers `.env*`, `*.pem`, `*.key`, `node_modules/`

If blocked → output the file list, suggest `git filter-repo` for historical files, mention `--force` as escape hatch.
See reference/github-visibility-reference.md for the complete scan script.
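The tracked-file and secret-pattern checks, written out from the lists above as an added example (not the scan script from the skill's reference file). Function names are hypothetical, and the AWS pattern assumes the usual 20-character key ID form rather than the bare `AKIA` prefix.

```bash
#!/usr/bin/env bash
# Added example: pre-flight scan built from the filename and pattern lists above.

# File names and extensions that should never be tracked.
SENSITIVE_NAME_RE='(^|/)(\.env(\..*)?|id_rsa|id_ed25519|[^/]*\.(pem|key|p12|pfx|credentials|secret))$'

# Provider key prefixes, generic assignments and connection strings.
# AKIA is narrowed to AKIA + 16 upper-case alphanumerics (assumption, see lead-in).
SECRET_RE='AKIA[0-9A-Z]{16}|sk_live_|ghp_|gho_|github_pat_|(password|secret)[[:space:]]*=|mongodb\+srv://|postgres://'

# stdin: one path per line. Prints the paths whose name marks them as sensitive.
flag_sensitive_paths() {
  grep -E "$SENSITIVE_NAME_RE" || true
}

# stdin: text lines (for example `git grep -n` output). Prints lines that look like secrets.
flag_secret_lines() {
  grep -E "$SECRET_RE" || true
}

# Runs both checks on the tracked files of the current repository.
# Returns 0 when clean, 1 when anything was reported (the caller blocks unless --force).
preflight_scan() {
  pf_files=$(git ls-files | flag_sensitive_paths)
  pf_hits=$(git grep -nIE "$SECRET_RE" -- . 2>/dev/null || true)
  [ -n "$pf_files" ] && printf 'Tracked sensitive files:\n%s\n' "$pf_files"
  [ -n "$pf_hits" ] && printf 'Possible secrets:\n%s\n' "$pf_hits"
  [ -z "$pf_files$pf_hits" ]
}

# Constructed sample paths for a quick offline run of the filename check.
printf '%s\n' '.env' 'src/app.js' 'certs/server.pem' 'docs/keynote.md' | flag_sensitive_paths
```

`preflight_scan` only looks at the current tree; secrets that exist only in earlier commits need a history scan, which is why the page points to `git filter-repo` for cleanup.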
`github-secure` state

Check for indicators that `/github-secure` has been run:

```bash
HAS_SECURITY_YML=false
HAS_CODEOWNERS=false
HAS_DEPENDABOT=false
HAS_BRANCH_PROTECTION=false

[ -f .github/workflows/security.yml ] && HAS_SECURITY_YML=true
[ -f .github/CODEOWNERS ] && HAS_CODEOWNERS=true
[ -f .github/dependabot.yml ] && HAS_DEPENDABOT=true
gh api "/repos/$REPO/branches/$DEFAULT_BRANCH/protection" >/dev/null 2>&1 && HAS_BRANCH_PROTECTION=true
```
Store results — used in steps 6 and 7.
```bash
gh repo edit --visibility <target> --accept-visibility-change-consequences
```

Going public:

```bash
gh repo edit --enable-issues=false
gh repo edit --enable-wiki=false
gh repo edit --enable-discussions=false
gh repo edit --enable-projects=false
```

Going private: Issues, wiki, discussions, projects stay disabled (user preference).

```bash
gh repo edit --enable-issues=false
gh repo edit --enable-wiki=false
gh repo edit --enable-discussions=false
gh repo edit --enable-projects=false
```
Going public (free for public repos):

```bash
# Enable secret scanning + push protection
gh api --method PATCH "/repos/$REPO" --input - <<'EOF'
{
  "security_and_analysis": {
    "secret_scanning": {"status": "enabled"},
    "secret_scanning_push_protection": {"status": "enabled"}
  }
}
EOF

# Enable Dependabot alerts + auto-fixes
gh api --method PUT "/repos/$REPO/vulnerability-alerts"
gh api --method PUT "/repos/$REPO/automated-security-fixes"
```
If security.yml exists:
- `if: github.repository_visibility == 'public'` → remove the condition

Going private:

- `security.yml` exists → add condition to CodeQL job: `if: github.repository_visibility == 'public'`

See reference/github-visibility-reference.md for CodeQL conditional patterns.
Only if branch protection exists (HAS_BRANCH_PROTECTION=true). If no branch protection → skip with warning: "No branch protection found. Skipping adjustments. Consider running /github-secure."
Uses read-modify-write pattern — reads current config, merges changes, writes back. Does not overwrite existing settings.
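The reshaping step of that read-modify-write cycle, covering the public and private changes listed below, as an added example (not the skill's reference script). It assumes `jq` is installed; the function name, its arguments and the sample response are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. GET .../protection returns nested objects ({"enabled": true}),
# while PUT expects flat booleans and login lists and replaces the whole config,
# so every setting to be kept must be reshaped and sent back.

# stdin: JSON from GET /repos/OWNER/REPO/branches/BRANCH/protection
# $1: public|private  $2: login allowed to push  $3: true if security.yml has CodeQL
protection_payload() {
  jq --arg mode "$1" --arg user "$2" --arg codeql "${3:-false}" '
    (.required_status_checks.contexts // []) as $ctx
    | (if $mode == "public" and $codeql == "true"
       then ($ctx + ["CodeQL Analysis"] | unique)
       elif $mode == "private" then ($ctx - ["CodeQL Analysis"])
       else $ctx end) as $new_ctx
    | {
        required_status_checks: (
          if .required_status_checks == null and ($new_ctx | length) == 0 then null
          else {strict: (.required_status_checks.strict // false), contexts: $new_ctx} end),
        enforce_admins: (.enforce_admins.enabled // false),
        required_pull_request_reviews: (
          .required_pull_request_reviews
          | if . == null then null
            else {dismiss_stale_reviews, require_code_owner_reviews,
                  required_approving_review_count} end),
        restrictions: (if $mode == "public"
                       then {users: [$user], teams: [], apps: []} else null end),
        required_linear_history: (.required_linear_history.enabled // false),
        allow_force_pushes: (.allow_force_pushes.enabled // false),
        allow_deletions: (.allow_deletions.enabled // false)
      }'
}

# Constructed sample of a GET response, trimmed to the fields used above.
SAMPLE_PROTECTION='{
  "required_status_checks": {"strict": true, "contexts": ["build"]},
  "enforce_admins": {"enabled": true},
  "required_pull_request_reviews": {"dismiss_stale_reviews": true,
    "require_code_owner_reviews": false, "required_approving_review_count": 1},
  "restrictions": null,
  "allow_force_pushes": {"enabled": false}
}'

# Live use, with REPO, DEFAULT_BRANCH and GH_USER as detected earlier:
#   gh api "/repos/$REPO/branches/$DEFAULT_BRANCH/protection" \
#     | protection_payload public "$GH_USER" true \
#     | gh api --method PUT "/repos/$REPO/branches/$DEFAULT_BRANCH/protection" --input -
```

Review settings beyond the three copied here (dismissal restrictions, for instance) would need the same treatment before the payload is written back.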
Going public:
- `$GH_USER` can push directly
- Add `CodeQL Analysis` to required status checks (if `security.yml` has CodeQL)

Going private:

- `"restrictions": null`
- Remove `CodeQL Analysis` from required status checks

See reference/github-visibility-reference.md for the read-modify-write scripts.
Going public:
Create .github/workflows/close-external-prs.yml using template from reference file.
- `pull_request_target: [opened]`

Going private:
Delete .github/workflows/close-external-prs.yml if it exists.
See reference/github-visibility-reference.md for the full workflow template.
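One possible shape for that workflow, written to disk by a hypothetical shell helper; this is an added example, not the template from the reference file. The helper name, job name and comment text are assumptions.

```bash
#!/usr/bin/env bash
# Added example: writes a workflow that closes pull requests opened from forks.
# $1 = repository root (defaults to the current directory).
write_close_external_prs_workflow() {
  wf_dir="${1:-.}/.github/workflows"
  mkdir -p "$wf_dir"
  cat > "$wf_dir/close-external-prs.yml" <<'EOF'
name: Close external PRs
on:
  pull_request_target:
    types: [opened]

# pull_request_target runs with the base repository's token, so the job is
# limited to PR write access and never fetches or runs code from the fork.
permissions:
  pull-requests: write

jobs:
  close:
    # Only PRs whose head branch lives in another repository (a fork).
    if: github.event.pull_request.head.repo.full_name != github.repository
    runs-on: ubuntu-latest
    steps:
      - name: Close the pull request
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: >
          gh pr close "$PR_NUMBER" --repo "$GITHUB_REPOSITORY"
          --comment "This repository is read-only and does not accept external pull requests."
EOF
}
```

Event values reach the shell through `env` rather than being interpolated into the `run` line, which keeps PR-controlled strings out of the script text.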
Going public:
If no LICENSE, LICENSE.md, or LICENSE.txt exists → create LICENSE with MIT template using current year and $GH_USER.
Going private: Leave LICENSE in place (no harm in keeping it).
See reference/github-visibility-reference.md for the MIT LICENSE template.
Stage any created/modified files and commit:
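```bash
# Stage each path on its own: git add aborts and stages nothing
# if any single pathspec matches no file
for f in .github/workflows/close-external-prs.yml LICENSE .github/workflows/security.yml; do
  git add -A -- "$f" 2>/dev/null || true
done

# Only commit if there are staged changes
if ! git diff --cached --quiet; then
  git commit -m "chore: configure repo for <target> visibility"
fi
```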
```bash
# Verify visibility
gh repo view --json visibility -q .visibility

# Verify features
gh repo view --json hasIssuesEnabled,hasWikiEnabled,hasDiscussionsEnabled,hasProjectsEnabled

# Verify security (public only)
gh api "/repos/$REPO" --jq '.security_and_analysis'

# Verify branch protection (if it exists)
gh api "/repos/$REPO/branches/$DEFAULT_BRANCH/protection" --jq '{
  push_restrictions: .restrictions,
  required_checks: .required_status_checks.contexts
}' 2>/dev/null || echo "No branch protection configured"
```
See reference/github-visibility-reference.md for the full verification script.
Print summary table of all changes applied/skipped. Include recommendations:
- `github-secure` wasn't run → suggest running `/github-secure`
- `gh repo edit --description "..." --add-topic "..."`

| Scenario | Behavior |
|---|---|
| Already at target visibility | Exit early, no changes |
| `github-secure` never run | Complete visibility change, recommend running `/github-secure` |
| No branch protection exists | Skip branch protection adjustments, log warning |
| No `security.yml` exists | Skip CodeQL adjustments, log info |
| Pre-flight finds secrets in history | Block with recommendation to use `git filter-repo` |
| Pre-flight finds tracked sensitive files | Block with file list and recommendation to remove them |
| `.gitignore` missing or incomplete | Warn but do not block |
| LICENSE already exists | Skip LICENSE creation |
| `close-external-prs.yml` already exists (going public) | Overwrite with current template |
| `close-external-prs.yml` missing (going private) | Skip deletion, no error |
For detailed templates, scripts, and configurations, see reference/github-visibility-reference.md