Ktesio

GitHub Repository Audit Checklist

Status date: 2026-05-31.

This checklist tracks repository-level hardening for the public iMagdy/ktesio repository as of the status date above. It is a summary, not the record: treat the GitHub API, workflow results, and repository files as the source of truth and re-run the evidence commands under each section before relying on a line item.

Repository Settings

  • Repository is public and default branch is main.
  • Issues are enabled.
  • Wiki is disabled.
  • Discussions are enabled for community Q&A.
  • Projects are disabled until a public roadmap project is intentionally used.
  • Forking remains enabled for open source contribution.
  • Web commit sign-off is required.
  • Delete branch on merge is enabled.
  • Auto-merge and update-branch support are enabled.
  • Merge commits and rebase merges are disabled.
  • Squash merge is the only allowed merge method.
  • Repository license is detected by GitHub as Apache-2.0.

Evidence:

  • gh api repos/iMagdy/ktesio
  • gh api repos/iMagdy/ktesio/license

Branch And Tag Rulesets

  • Default branch ruleset is active.
  • Default branch cannot be deleted.
  • Default branch cannot be force-pushed.
  • Pull requests are required for default branch changes.
  • At least one approving review is required.
  • Stale approvals are dismissed after new pushes.
  • Code owner review is required.
  • Last push approval is intentionally disabled until the project has at least two maintainers.
  • Review conversations must be resolved.
  • Required status checks are strict.
  • Required checks include dco, fmt, clippy, test, build, docs, and coverage.
  • CodeQL code scanning is a required check: merges are blocked by security alerts of high or higher severity.
  • Code quality alerts at error level also block merges.
  • Release tag ruleset is active for v* tags.
  • Release tags cannot be deleted or force-pushed.
  • Release tag creation is restricted through the ruleset with maintainer bypass.

Evidence:

  • gh api repos/iMagdy/ktesio/rulesets
  • gh api repos/iMagdy/ktesio/rulesets/17082021
  • gh api repos/iMagdy/ktesio/rulesets/17082811
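The ruleset evidence above is raw JSON from the GitHub REST API, and checking it by eye is error-prone. The script below is an added example, not code from the ktesio repository: it indexes a ruleset's rules by type and compares them with the default-branch requirements listed in this section. Field and rule-type names (deletion, non_fast_forward, pull_request, required_status_checks, code_scanning and their parameters) are those of the GitHub rulesets API; the sample ruleset is constructed to look compliant and is not the real ktesio ruleset.

```python
"""Audit a GitHub ruleset against the default-branch checklist above.

Added example, not part of the ktesio repository. Feed it the output of
`gh api repos/OWNER/REPO/rulesets/ID`; the sample below is constructed."""
import json

REQUIRED_CHECKS = {"dco", "fmt", "clippy", "test", "build", "docs", "coverage"}

# Constructed sample modelled on the checklist, not fetched from GitHub.
SAMPLE_RULESET = {
    "id": 1,
    "name": "default-branch",
    "target": "branch",
    "enforcement": "active",
    "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
    "rules": [
        {"type": "deletion"},
        {"type": "non_fast_forward"},
        {"type": "pull_request", "parameters": {
            "required_approving_review_count": 1,
            "dismiss_stale_reviews_on_push": True,
            "require_code_owner_review": True,
            "require_last_push_approval": False,   # intentionally off, see note below
            "required_review_thread_resolution": True}},
        {"type": "required_status_checks", "parameters": {
            "strict_required_status_checks_policy": True,
            "required_status_checks": [{"context": c} for c in sorted(REQUIRED_CHECKS)]}},
        {"type": "code_scanning", "parameters": {
            "code_scanning_tools": [{"tool": "CodeQL",
                                     "security_alerts_threshold": "high_or_higher",
                                     "alerts_threshold": "errors"}]}},
    ],
}

# Thresholds at least as strict as the checklist requires.
OK_SECURITY_THRESHOLDS = {"high_or_higher", "medium_or_higher", "all"}
OK_ALERT_THRESHOLDS = {"errors", "errors_and_warnings", "all"}


def rules_by_type(ruleset):
    """Index the rules list by rule type; rules without parameters map to {}."""
    return {r["type"]: r.get("parameters", {}) for r in ruleset.get("rules", [])}


def audit_default_branch_ruleset(ruleset, required_checks=REQUIRED_CHECKS):
    """Return a list of findings; an empty list means the ruleset matches the checklist.

    `ruleset` may be a parsed dict or the raw JSON string from `gh api`."""
    rs = json.loads(ruleset) if isinstance(ruleset, str) else ruleset
    findings = []
    if rs.get("enforcement") != "active":
        findings.append(f"enforcement is {rs.get('enforcement')!r}, expected 'active'")
    rules = rules_by_type(rs)
    for needed in ("deletion", "non_fast_forward", "pull_request",
                   "required_status_checks", "code_scanning"):
        if needed not in rules:
            findings.append(f"missing rule: {needed}")
    pr = rules.get("pull_request")
    if pr is not None:
        if pr.get("required_approving_review_count", 0) < 1:
            findings.append("fewer than one approving review required")
        for flag in ("dismiss_stale_reviews_on_push", "require_code_owner_review",
                     "required_review_thread_resolution"):
            if not pr.get(flag):
                findings.append(f"pull_request.{flag} is not enabled")
    sc = rules.get("required_status_checks")
    if sc is not None:
        if not sc.get("strict_required_status_checks_policy"):
            findings.append("required status checks are not strict")
        contexts = {c["context"] for c in sc.get("required_status_checks", [])}
        missing = sorted(required_checks - contexts)
        if missing:
            findings.append("missing required checks: " + ", ".join(missing))
    cs = rules.get("code_scanning")
    if cs is not None:
        tools = {t["tool"]: t for t in cs.get("code_scanning_tools", [])}
        codeql = tools.get("CodeQL")
        if codeql is None:
            findings.append("CodeQL is not a required code scanning tool")
        else:
            if codeql.get("security_alerts_threshold") not in OK_SECURITY_THRESHOLDS:
                findings.append("CodeQL security alert threshold is weaker than high_or_higher")
            if codeql.get("alerts_threshold") not in OK_ALERT_THRESHOLDS:
                findings.append("CodeQL code quality errors do not block merges")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: gh api repos/iMagdy/ktesio/rulesets/17082021 | python3 audit_ruleset.py -
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_RULESET
    for line in audit_default_branch_ruleset(data) or ["OK: ruleset matches checklist"]:
        print(line)
```

The checker deliberately does not flag require_last_push_approval being false, because the checklist disables it on purpose; the thresholds are treated as minimums, so a ruleset that blocks on medium_or_higher or on errors_and_warnings still passes.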

Note: last push approval is useful when another maintainer can approve a maintainer-pushed fix. With only one direct maintainer, it turns the normal reviewed contribution flow into a routine admin bypass, which is worse for auditability than leaving the setting off.

GitHub Actions

  • Actions are enabled.
  • Allowed Actions are restricted to selected actions.
  • SHA pinning is required.
  • GitHub-owned actions are allowed.
  • The release workflow needs no third-party release-packaging action.
  • Default workflow token permissions are read-only.
  • Workflows request write permissions only where needed.
  • Third-party workflow actions are pinned by SHA.
  • CI validates formatting, clippy, tests, build, docs, DCO, and coverage.
  • Release workflow uses the protected release environment.

Evidence:

  • gh api repos/iMagdy/ktesio/actions/permissions
  • gh api repos/iMagdy/ktesio/actions/permissions/selected-actions
  • gh api repos/iMagdy/ktesio/actions/permissions/workflow
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
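The three actions/permissions endpoints and the workflow files above are what back the Actions line items. The script below is an added example, not code from the ktesio repository: it checks the policy JSON for the selected-actions, GitHub-owned, read-only-token and no-PR-approval settings, and scans workflow YAML for `uses:` references that are not pinned to a full 40-character commit SHA. Field names (enabled, allowed_actions, github_owned_allowed, default_workflow_permissions, can_approve_pull_request_reviews) are those returned by the GitHub REST API; the sample responses and the sample workflow, including its placeholder SHA and the unpinned dtolnay/rust-toolchain step, are constructed for the demonstration and are not ktesio's real configuration.

```python
"""Audit GitHub Actions policy and workflow pins against this checklist.

Added example, not part of the ktesio repository. The JSON shapes match the
`actions/permissions`, `actions/permissions/selected-actions` and
`actions/permissions/workflow` endpoints; the samples below are constructed."""
import re

# Constructed samples shaped like the three API responses.
SAMPLE_PERMISSIONS = {"enabled": True, "allowed_actions": "selected"}
SAMPLE_SELECTED = {"github_owned_allowed": True, "verified_allowed": False,
                   "patterns_allowed": ["dtolnay/rust-toolchain@*"]}
SAMPLE_WORKFLOW_PERMS = {"default_workflow_permissions": "read",
                         "can_approve_pull_request_reviews": False}

# Constructed workflow snippet; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: ./.github/actions/local-helper
      - run: cargo test --all-targets
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")


def audit_actions_policy(permissions, selected, workflow_perms):
    """Return findings for the repository-level Actions policy (empty list = compliant)."""
    findings = []
    if not permissions.get("enabled"):
        findings.append("Actions are disabled")
    if permissions.get("allowed_actions") != "selected":
        findings.append(f"allowed_actions is {permissions.get('allowed_actions')!r}, expected 'selected'")
    if not selected.get("github_owned_allowed"):
        findings.append("GitHub-owned actions are not allowed")
    if workflow_perms.get("default_workflow_permissions") != "read":
        findings.append("default GITHUB_TOKEN permissions are not read-only")
    if workflow_perms.get("can_approve_pull_request_reviews"):
        findings.append("workflows may approve pull requests")
    return findings


def unpinned_uses(workflow_yaml):
    """Return `uses:` references not pinned to a full 40-hex commit SHA.

    Local actions (./path) and docker:// images have no SHA to pin and are skipped;
    a trailing `# vN` comment is ignored, so SHA-plus-version-comment pins pass."""
    unpinned = []
    for line in workflow_yaml.splitlines():
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            unpinned.append(ref)
    return unpinned


if __name__ == "__main__":
    import sys
    # Usage: python3 audit_actions.py .github/workflows/*.yml
    # (policy JSON would be loaded from the three gh api calls in real use)
    print("policy findings:", audit_actions_policy(
        SAMPLE_PERMISSIONS, SAMPLE_SELECTED, SAMPLE_WORKFLOW_PERMS))
    for path in sys.argv[1:] or ["<constructed sample>"]:
        text = SAMPLE_WORKFLOW if path.startswith("<") else open(path).read()
        print(path, "unpinned:", unpinned_uses(text))
```

Tag pins such as `@v4` or `@stable` are mutable and fail the check on purpose; a SHA pin with a version comment passes, which is the form Dependabot keeps current for GitHub Actions updates.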

Security

  • Security policy exists.
  • Private vulnerability reporting is enabled.
  • Dependabot vulnerability alerts are enabled.
  • Dependabot security updates are enabled.
  • Secret scanning is enabled.
  • Secret scanning push protection is enabled.
  • CodeQL default setup is configured for Actions, Python, and Rust.
  • Code scanning alerts are currently clear.
  • Secret scanning alerts are currently clear.
  • Dependabot alerts are currently clear.

Evidence:

  • gh api repos/iMagdy/ktesio/private-vulnerability-reporting
  • gh api -i repos/iMagdy/ktesio/vulnerability-alerts
  • gh api repos/iMagdy/ktesio/automated-security-fixes
  • gh api repos/iMagdy/ktesio/code-scanning/default-setup
  • gh api repos/iMagdy/ktesio/code-scanning/alerts
  • gh api repos/iMagdy/ktesio/secret-scanning/alerts
  • gh api repos/iMagdy/ktesio/dependabot/alerts

Open Source Community Files

  • README.md exists.
  • LICENSE exists and is canonical Apache-2.0 text.
  • SECURITY.md exists.
  • CONTRIBUTING.md exists.
  • CODE_OF_CONDUCT.md exists.
  • DCO.md exists.
  • TRADEMARK.md exists.
  • SUPPORT.md exists.
  • SPONSORS.md exists.
  • .github/CODEOWNERS exists.
  • .github/pull_request_template.md exists.
  • Issue forms exist for bugs, features, and questions.
  • .github/FUNDING.yml exists.
  • Community health profile reports 100%.

Evidence:

  • gh api repos/iMagdy/ktesio/community/profile
  • gh api repos/iMagdy/ktesio/contents/.github/ISSUE_TEMPLATE
  • Local files in the repository root and .github/

Dependency And Maintenance Automation

  • Dependabot config exists for Cargo.
  • Dependabot config exists for GitHub Actions.
  • Dependabot labels exist: dependencies, rust, and github-actions.
  • Maintenance labels exist for areas, security, breaking changes, and repro needs.
  • Dependabot PR #8 was merged for GitHub Actions updates.
  • Dependabot PR #9 was merged for Cargo updates.
  • A clippy compatibility fix was added to Dependabot PR #9 before it was merged, so the required clippy check stayed green.

Evidence:

  • .github/dependabot.yml
  • gh pr list --repo iMagdy/ktesio --state open
  • gh api repos/iMagdy/ktesio/labels

Release Readiness

  • release environment exists.
  • release environment requires iMagdy approval.
  • Homebrew tap variables are configured.
  • CARGO_REGISTRY_TOKEN is configured as a release environment secret.
  • HOMEBREW_TAP_TOKEN is configured as a release environment secret.

Evidence:

  • gh api repos/iMagdy/ktesio/environments
  • gh api repos/iMagdy/ktesio/environments/release/secrets
  • gh api repos/iMagdy/ktesio/actions/variables

Release secrets that are not yet configured are intentionally left empty rather than filled with placeholder values. They require real credentials with publish access to crates.io and the Homebrew tap repository, and a placeholder would only let the release workflow fail later, after the protected environment approval has already been granted.

Verification Commands

  • cargo fmt --check
  • cargo clippy --all-targets -- -D warnings
  • cargo test --all-targets
  • python3 scripts/check_docs.py
  • Latest main CI and CodeQL checks are green.

Evidence:

  • Local command output from the hardening work.
  • gh api repos/iMagdy/ktesio/commits/main/check-runs
