### Example GitHub Custom Property Configurations Source: https://wellarchitected.github.com/library/governance/recommendations/managing-repositories-at-scale/custom-properties-best-practices Demonstrates example configurations for GitHub repository custom properties, illustrating how to define metadata for different types of repositories based on their criticality, compliance needs, and technical characteristics. These examples can be adapted to specific organizational requirements. ```yaml # Financial services repository (SOX, PCI DSS) compliance-frameworks: ["SOX", "PCI-DSS"] data-classification: "Restricted" business-criticality: "Critical" environment: "Production" public-facing: "true" # Platform service repository service-tier: "Platform" business-criticality: "Critical" owner-team: "platform-ops" environment: "Production" # Legacy modernization candidate tech-stack: ["Java", "Spring Boot"] architecture-pattern: "Monolith" modernization-candidate: "true" migration-priority: "High" business-criticality: "Medium" ``` -------------------------------- ### Run Compression Test on MP4 File (Binary) Source: https://wellarchitected.github.com/library/architecture/recommendations/scaling-git-repositories/when-to-use-git-lfs This example demonstrates running the compression test script on a binary file (e.g., `.mp4`). Binary files typically show low compression ratios, suggesting Git LFS might be more appropriate for managing them in a repository. ```bash ./lfstest.rb Untitled.mp4 ``` -------------------------------- ### Install gh-language GitHub CLI Extension Source: https://wellarchitected.github.com/library/collaboration/recommendations/scaling-actions-reusability Installs the 'gh-language' extension for the GitHub CLI, which helps analyze language trends across repositories. Ensure you have the GitHub CLI installed before running this command. ```bash gh extension install CallMeGreg/gh-language ``` -------------------------------- ### Run Compression Test on CSV File (Text) Source: https://wellarchitected.github.com/library/architecture/recommendations/scaling-git-repositories/when-to-use-git-lfs This example shows the compression test script applied to a text file (e.g., `.csv`). Text files usually exhibit high compression ratios, indicating that Git's native version control is likely sufficient and efficient for these types of files. ```bash ./test.rb users1.csv ``` -------------------------------- ### Generate SBOM for Software Releases (GitHub Actions) Source: https://wellarchitected.github.com/library/scenarios/nist-ssdf-implementation This GitHub Actions workflow generates a Software Bill of Materials (SBOM) in SPDX JSON format for a software release. It uses the `anchore/sbom-action` to create the SBOM and `actions/attest-sbom` to attest to its integrity, ensuring transparency and aiding in vulnerability analysis. ```YAML name: Generate SBOM on: push: tags: - 'v*' permissions: id-token: write attestations: write contents: read jobs: build-and-generate-sbom: runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 # Build steps for your software would go here - name: Generate SBOM uses: anchore/sbom-action@v0 with: format: spdx-json output-file: sbom.spdx.json - name: Attest SBOM uses: actions/attest-sbom@v3 with: subject-path: '${{ github.workspace }}' sbom-path: 'sbom.spdx.json' ``` -------------------------------- ### Disable Yarn Scripts and Ensure Immutable Installs Source: https://wellarchitected.github.com/library/application-security/recommendations/managing-dependency-threats Configure Yarn (v2+) to disable package scripts and ensure immutable installs, preventing lockfile modifications. This enhances security by catching unexpected dependency changes. Legitimate script usage can be explicitly enabled per package. ```yaml enableScripts: false enableImmutableInstalls: true defaultSemverRangePrefix: "" ``` ```json { "dependenciesMeta": { "esbuild": { "built": true } } } ``` -------------------------------- ### Reference Reusable Workflow in GitHub Actions Source: https://wellarchitected.github.com/library/collaboration/recommendations/scaling-actions-reusability Demonstrates how to reference a reusable workflow from a shared location within a GitHub Actions workflow file. This example specifies the workflow path, version, input parameters, and secrets required. ```yaml # Example of referencing a reusable workflow name: Build and Test on: push: branches: [main] pull_request: branches: [main] jobs: build: uses: acme-shared-actions/build-workflows/.github/workflows/build-java-maven.yml@v2 with: java-version: '17' run-tests: true secrets: maven-repo-token: ${{ secrets.MAVEN_REPO_TOKEN }} ```