원클릭으로
gh-os-repo
Set up and harden a public GitHub repository — repo settings, security, branch protection, templates, CI, and dependabot.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Set up and harden a public GitHub repository — repo settings, security, branch protection, templates, CI, and dependabot.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Copy processed MP3s and WAVs to NAS storage. Use after Apple Music import or when re-archiving corrected files.
Move processed ZIPs to archive and clean up extraction folders. Use after album processing is complete.
Copy finished MP3s into Apple Music via the auto-import folder and verify the album lands correctly. Use once metadata is finalized and the user wants tracks added to their library — e.g. "add this to Apple Music" or "import these tracks" — even if they don't say "auto-import" explicitly. Also use to diagnose a bad import, e.g. "it showed up as separate tracks instead of one album."
Inspect and update MP3 tags: genre, artist, album, track count, compilation flag. Use when checking or fixing music file metadata — including diagnostic questions like "why do these show up as separate tracks" or "is this folder's metadata consistent," not just explicit tag-editing requests.
End-to-end processing of downloaded music purchases: extract ZIPs, verify metadata, import to Apple Music, archive to NAS, clean up. Use when processing new music downloads.
Reclaim local disk by offloading cloud-backed Apple Music downloads. Audit iCloud status, build an offload playlist that protects your DJ crates and lossless files, then Remove Download. Use when the Mac is low on disk.
| name | gh-os-repo |
| description | Set up and harden a public GitHub repository — repo settings, security, branch protection, templates, CI, and dependabot. |
You configure a GitHub repository for open source distribution. This is a comprehensive checklist covering repo settings, security hardening, branch protection, community templates, CI, and dependency management.
Template files are in assets/.github/ — copy them into the target repo's .github/ directory and customize placeholders ({owner}, {repo}) for the project.
Configure via gh api:
gh api repos/{owner}/{repo} -X PATCH \
-f description="<project description>" \
-F has_issues=true \
-F has_discussions=true \
-F has_wiki=false \
-F has_projects=true \
-F allow_squash_merge=true \
-F allow_merge_commit=true \
-F allow_rebase_merge=false \
-F delete_branch_on_merge=true \
-F allow_auto_merge=false \
-F web_commit_signoff_required=false \
-f squash_merge_commit_title="COMMIT_OR_PR_TITLE" \
-f squash_merge_commit_message="COMMIT_MESSAGES" \
-f merge_commit_title="MERGE_MESSAGE" \
-f merge_commit_message="PR_TITLE"
Key decisions:
Add topics for discoverability:
gh repo edit --add-topic "topic1,topic2,topic3"
Enable all security features:
gh api repos/{owner}/{repo} -X PATCH \
-f "security_and_analysis[dependabot_security_updates][status]=enabled" \
-f "security_and_analysis[secret_scanning][status]=enabled" \
-f "security_and_analysis[secret_scanning_push_protection][status]=enabled"
This ensures:
Set up required status checks and conversation resolution:
gh api repos/{owner}/{repo}/branches/main/protection -X PUT \
--input - <<'EOF'
{
"required_status_checks": {
"strict": true,
"contexts": ["Build", "Test", "Lint", "Format Check"]
},
"enforce_admins": false,
"required_pull_request_reviews": null,
"restrictions": null,
"required_linear_history": false,
"allow_force_pushes": false,
"allow_deletions": false,
"required_conversation_resolution": true
}
EOF
Key settings:
Create a ruleset for defense-in-depth:
gh api repos/{owner}/{repo}/rulesets -X POST \
--input - <<'EOF'
{
"name": "Main Branch Protection",
"target": "branch",
"enforcement": "active",
"conditions": {
"ref_name": {
"include": ["~DEFAULT_BRANCH"],
"exclude": []
}
},
"rules": [
{ "type": "non_fast_forward" },
{ "type": "deletion" },
{
"type": "required_status_checks",
"parameters": {
"strict_required_status_checks_policy": false,
"do_not_enforce_on_create": false,
"required_status_checks": [
{ "context": "All Clear" }
]
}
}
],
"bypass_actors": [
{
"actor_id": 5,
"actor_type": "RepositoryRole",
"bypass_mode": "exempt"
}
]
}
EOF
The "All Clear" context should be a final CI job that depends on all other checks — this way you only maintain one required check in the ruleset even as individual CI jobs change.
Create or verify these exist at the repo root:
Copy assets/.github/ into the target repo and customize:
| Asset | Customize |
|---|---|
CODEOWNERS | Replace {owner}, adjust paths to project structure |
ISSUE_TEMPLATE/bug_report.md | Add project-specific environment fields |
ISSUE_TEMPLATE/feature_request.md | Ready to use as-is |
ISSUE_TEMPLATE/infrastructure-change.md | Ready to use as-is |
ISSUE_TEMPLATE/config.yml | Replace {owner}/{repo} in discussions URL |
DISCUSSION_TEMPLATE/ideas.yml | Update intro text for the project |
DISCUSSION_TEMPLATE/q-a.yml | Update intro text for the project |
PULL_REQUEST_TEMPLATE.md | Ready to use as-is |
dependabot.yml | Uncomment and set language ecosystem |
BRANCH_PROTECTION.md | Update CI check names to match actual workflow |
Set up .github/workflows/ci.yml:
name: CI
on:
push:
branches: [main]
pull_request:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# ... language-specific build steps
# Repeat for test, lint, format-check
all-clear:
runs-on: ubuntu-latest
needs: [build, test, lint, format-check]
steps:
- run: echo "All checks passed"
If the project uses semantic versioning, set up .github/workflows/release.yml:
v*)Run through this checklist:
# Repo settings
gh repo view {owner}/{repo} --json description,visibility,hasIssuesEnabled,hasDiscussionsEnabled,hasWikiEnabled
# Security
gh api repos/{owner}/{repo} --jq '.security_and_analysis'
# Branch protection
gh api repos/{owner}/{repo}/branches/main/protection
# Rulesets
gh api repos/{owner}/{repo}/rulesets
# License detected
gh repo view {owner}/{repo} --json licenseInfo
# Templates exist
ls .github/ISSUE_TEMPLATE/ .github/DISCUSSION_TEMPLATE/ .github/PULL_REQUEST_TEMPLATE.md .github/CODEOWNERS .github/dependabot.yml