by xandre_maxwell 1340 days ago
A significantly complex GitHub repo with CI, complex permissions, Git hooks all over, is pretty much its own software system that you have to manage, just like server management via Ansible or what-have-you.

GitHub does a great job at implementing sane defaults, but I understand the author's point: there can be a lot to do, and you usually don't know you're even supposed to worry about this until way later, when security auditors file like 9001 reports about your repo settings.


I learned yesterday that you can use Terraform to configure GitLab: https://registry.terraform.io/providers/gitlabhq/gitlab/late...
Thanks for understanding. Security engineering is growing so complex. I don't know how major corps on the scale of Boeing ever achieve compliance. And even then, they have a whole market of different compliance standards to comply with.

Phew.

> I don't know how major corps on the scale of Boeing ever achieve compliance.

It's not that hard. They just remove all of your agency as a user. You can push commits, open branches & pull requests, and merge if 2 people approve it. And that's it.

Want to merge? Restricted. Make a new repo? Restricted. Use a GitHub Action? Restricted. CODEOWNERS? Restricted. Branch filters? Restricted. Forks? Restricted. Releases, packages, artifacts, security, insights, settings, webhooks, environments, pages, wiki, issues? Restricted. Access a repo you aren't a member of? Restricted. Protected tags, dependency graph, Dependabot, code scanning, secret scanning, deploy keys, secrets, GitHub Apps, OAuth, notifications? Restricted. Stars? Restricted. And your SSO token expires every hour.

Can't get hacked if you can't do any work!
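Codifying the one policy the comment above leaves users with (merge only after two approvals, no direct pushes) with the GitLab Terraform provider mentioned earlier in the thread, so the settings auditors complain about live in reviewable code rather than in a web UI. This is an added example, not any commenter's configuration; the project path `example-group/example-project`, the provider version constraint, and the `GITLAB_TOKEN` environment variable are assumptions.

```hcl
terraform {
  required_providers {
    gitlab = {
      source  = "gitlabhq/gitlab"
      version = "~> 16.0" # assumed version constraint; pin to what you test against
    }
  }
}

# Authenticates from the GITLAB_TOKEN environment variable (assumed to be set).
provider "gitlab" {}

# Look up an existing project instead of creating one (path is a placeholder).
data "gitlab_project" "app" {
  path_with_namespace = "example-group/example-project"
}

# Nobody pushes to main directly; maintainers merge; history cannot be rewritten.
resource "gitlab_branch_protection" "main" {
  project            = data.gitlab_project.app.id
  branch             = "main"
  push_access_level  = "no one"
  merge_access_level = "maintainer"
  allow_force_push   = false
}

# The "merge if 2 people approve it" rule from the thread.
resource "gitlab_project_approval_rule" "two_reviewers" {
  project            = data.gitlab_project.app.id
  name               = "two-reviewers"
  approvals_required = 2
}

# Close the usual gaps: approvals reset when new commits land, authors cannot
# approve their own MRs, and per-MR overrides of the rule are disabled.
resource "gitlab_project_level_mr_approvals" "settings" {
  project                                        = data.gitlab_project.app.id
  reset_approvals_on_push                        = true
  merge_requests_author_approval                 = false
  disable_overriding_approvers_per_merge_request = true
}
```

Running `terraform plan` against the live project then doubles as the audit: any drift between the declared policy and the actual settings shows up as a diff.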

When working on open source software and collaborating via public GitHub, you can almost forget that git is a distributed version control system.

But in the restricted corporate setups you describe, git's distributed nature shines.

They can lock down internal GitHub as much as they want to, but that won't keep you from making local commits, or exchanging commits directly with your coworkers while developing.

Won't have to worry about compliance if you are forced to comply every hour /s

> I don't know how major corps on the scale of Boeing ever achieve compliance.

Boring, repetitive software development processes that prioritize closing potential holes over speed of development. When you stop to think about it, it explains quite a bit of why big companies are so slow to release?