by throwaway892238 1340 days ago
> I don't know how major corps on the scale of Boeing ever achieve compliance.

It's not that hard. They just remove all of your agency as a user. You can push commits, open branches & pull requests, and merge if 2 people approve it. And that's it.

Want to merge? Restricted. Make a new repo? Restricted. Use a GitHub Action? Restricted. CODEOWNERS? Restricted. Branch filters? Restricted. Forks? Restricted. Releases, packages, artifacts, security, insights, settings, webhooks, environments, pages, wiki, issues? Restricted. Access a repo you aren't a member of? Restricted. Protected tags, dependency graph, Dependabot, code scanning, secret scanning, deploy keys, secrets, GitHub Apps, OAuth, notifications? Restricted. Stars? Restricted. And your SSO token expires every hour.

Can't get hacked if you can't do any work!

2 comments

When working on open source software and collaborating via public GitHub, you can almost forget that git is a distributed version control system.

But in the restricted corporate setups you describe, git's distributed nature shines.

They can lock down internal GitHub as much as they want to, but that won't keep you from making local commits, or exchanging commits directly with your coworkers while developing.
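The peer-to-peer exchange the comment above describes, as an added example that is not part of the thread: one developer packs a branch into a file with `git bundle`, the other verifies and fetches from that file exactly as from a remote, with no hosted server involved. It assumes `git` is on PATH; the developer names, the temp paths and the file content are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: two developers exchange commits directly
# with `git bundle`, bypassing any hosted remote. Assumes git is on PATH; the
# repo paths, names and file content below are made up for the demo.
set -e

# Identity for the demo commits (assumed values, so the demo works on a clean box).
export GIT_AUTHOR_NAME=alice GIT_AUTHOR_EMAIL=alice@example.test
export GIT_COMMITTER_NAME=alice GIT_COMMITTER_EMAIL=alice@example.test

# Alice: create a repo, make one commit, and pack the whole branch into a single
# file she can hand to Bob over any channel (shared drive, scp, even e-mail).
# Prints the branch name so the receiver knows which ref the bundle carries.
alice_make_bundle() {
  repo=$1 bundle=$2
  git -c init.defaultBranch=main init -q "$repo"
  printf 'hello from alice\n' > "$repo/hello.txt"
  git -C "$repo" add hello.txt
  git -C "$repo" commit -q -m "add hello.txt"
  branch=$(git -C "$repo" rev-parse --abbrev-ref HEAD)
  # No "^base" exclusion here, so the bundle is self-contained and importable
  # into an empty repo.
  git -C "$repo" bundle create "$bundle" "$branch" 2>/dev/null
  printf '%s\n' "$branch"
}

# Bob: check that the bundle is complete (all prerequisites present) before
# fetching, then fetch from the file as if it were a remote URL. Prints the
# resulting tip hash so it can be compared with Alice's out of band.
bob_import_bundle() {
  repo=$1 bundle=$2 branch=$3
  git -c init.defaultBranch=main init -q "$repo"
  git -C "$repo" bundle verify "$bundle" >/dev/null 2>&1
  git -C "$repo" fetch -q "$bundle" "$branch:refs/heads/from-alice"
  git -C "$repo" rev-parse from-alice
}

# Stand-alone demo: round-trip one commit from Alice to Bob through a file.
demo_dir=$(mktemp -d)
demo_branch=$(alice_make_bundle "$demo_dir/alice" "$demo_dir/alice.bundle")
demo_bob=$(bob_import_bundle "$demo_dir/bob" "$demo_dir/alice.bundle" "$demo_branch")
demo_alice=$(git -C "$demo_dir/alice" rev-parse HEAD)
[ "$demo_bob" = "$demo_alice" ] && echo "bob has alice's commit $demo_bob"
```

A bundle file carries no authentication of its own: the commit IDs only prove what Bob received matches what Alice sent if the tip hash is compared over a channel an attacker on the shared drive cannot also tamper with, or if the commits are signed and Bob checks the signatures after fetching.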

Won't have to worry about compliance if you are forced to comply every hour /s