GitHub Setup Checklist for Engineering Teams (2026)

Go to Organization Settings → Member Privileges → Base permissions → Read. This means all org members can see all repos but cannot push without explicit repo-level permissions. Never set this to Write or Admin.

If your only Owner leaves or loses access, you are locked out of your organization. Always maintain a minimum of two Owners. Avoid making everyone an Owner.

Organization Settings → Authentication security → Require two-factor authentication. Members who haven't set up 2FA will be removed from the org until they do. Do this before inviting the full team.

Organization Settings → Member Privileges → Repository creation. Set to Members can create private repositories only (or Admins only). Prevents uncontrolled repository sprawl.

Organization Settings → Member Privileges → Disable Allow forking of private repositories. Prevents code from being copied outside your org's control. Enable only when specifically needed.

Organization Settings → Actions → General → Workflow permissions → Read repository contents and packages permissions. Grants write access explicitly per workflow where needed. Least-privilege by default.

Create named teams like team-backend, team-frontend, team-devops, team-security. Assign teams to repositories instead of individual users. Teams survive personnel changes.

Use Read (non-contributors), Triage (PMs, QA leads who manage issues), Write (developers), Maintain (tech leads — can edit settings but not delete), Admin (repo owners only). Never give Admin to everyone.

Create a parent team (e.g., engineering) with broad safe permissions, then child teams (team-backend, team-frontend) with specific repo access. Child teams inherit from parents.

If you use Okta, Azure AD, or another SAML IdP with GitHub Enterprise, sync team membership automatically. When someone changes roles or leaves, their GitHub access updates without manual intervention.

Remove engineers who have left, update roles when people switch teams. Old access lingers invisibly and becomes a security risk.

Repository Settings → General → Pull Requests. Enable Squash merging (recommended for clean history). Set default commit message to Pull request title and description. Optionally disable regular merge commits to enforce squash-only policy.

Repository Settings → General → Automatically delete head branches. After a PR is merged, the feature branch is deleted automatically. Prevents branches accumulating for months.

Private for all internal code, Internal (Enterprise) to share within the org without making it public, Public only for actual open source. Don't leave repositories public by accident.

Repository Settings → Actions → General → Allow select actions and reusable workflows. Whitelist trusted actions rather than allowing all. Prevents supply-chain attacks via malicious GitHub Actions.

Repository Settings → Rules → New ruleset. Rulesets are the modern GitHub approach (2024+), support multiple rules simultaneously, have Evaluate mode for safe rollout, and are visible to all team members. Target branch: main or master.

In your ruleset or branch protection: Require a pull request before merging → Require approvals: 1 (or 2 for critical repos). Dismiss stale reviews when new commits are pushed. Nobody merges their own code without review.

Select the specific CI check names from your GitHub Actions workflows (e.g., 'CI / test', 'CI / lint'). Enable Require branches to be up to date before merging (strict mode) to ensure checks run against the latest main.

Enable Restrict deletions and Block force pushes. Force pushing rewrites git history and can destroy teammates' work. Block both on main and any long-lived branches.

No PR can be merged while there are unresolved review comments. Forces all reviewer feedback to be explicitly addressed or dismissed before the code ships.

Enables automatic routing of reviews to the right team. A PR touching /services/payments/ automatically requires a review from the team that owns that directory.

By default, repository administrators can bypass branch protection. Turning this off means even Admins must follow the rules. Essential for compliance and preventing shortcuts.

GitHub checks .github/CODEOWNERS first, then CODEOWNERS in root, then docs/CODEOWNERS. Use team references (@your-org/team-name) not individual usernames — teams survive when people leave.

Add * @your-org/team-platform at the top of CODEOWNERS as a catch-all. Any file without a more specific owner falls back to this team.

Example: /services/ @your-org/team-backend, /src/frontend/ @your-org/team-frontend, /terraform/ @your-org/team-devops, **/migrations/ @your-org/team-dba. Last matching rule in the file wins.

Teams listed in CODEOWNERS must have at least Write permission on the repository. If they have Read-only, they cannot approve the PR. GitHub will silently ignore missing permissions.

CODEOWNERS auto-assigns reviewers but doesn't enforce them unless this branch protection setting is on. Without it, the review request is a suggestion, not a requirement.

Use trigger: pull_request with types: [opened, synchronize, reopened] targeting your main branch. Run lint and tests as separate jobs so failures are clearly identified.

Job names in your workflow file become status check names in the format 'Workflow Name / job-name'. Go to branch protection → Require status checks and search for your job names. They must have run at least once to appear.

Commit a .github/dependabot.yml file. Set package-ecosystem to npm (or your language), directory to /, and schedule interval to weekly. Keeps dependencies automatically updated with auto-PRs.

Instead of uses: actions/checkout@v4, use uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683. Pinning to a SHA prevents a supply-chain attack where a tag is silently updated to malicious code.

Repository Settings → Environments. Create staging and production environments. For production: add Required reviewers (1-2 leads), restrict deployment branches to main only, set a Wait timer of 10-30 minutes.

GitHub Apps use short-lived tokens (1 hour), have fine-grained permissions, and survive when team members leave. Classic PATs are tied to a person — if they leave, the integration breaks.

Repository Settings → Advanced Security → Enable Dependabot alerts, then Enable Dependabot security updates. You'll receive PRs automatically when a dependency has a known vulnerability.

Repository Settings → Advanced Security → Enable secret scanning. Then enable Push protection to block commits that contain secrets before they are pushed. Catches accidental API key commits.

Repository Settings → Code Security → Set up → Default. GitHub auto-configures CodeQL for your language. Scans run on PRs and report security vulnerabilities as check results. Free for public repos.

Add a SECURITY.md file to the root (or .github/) describing your responsible disclosure process and who to contact for security issues. GitHub shows it in the Security tab.

Go to app.gitmore.io → Add Integration → Authenticate with GitHub. Connect all active repositories — including infrastructure and config repos. Gitmore uses webhooks and never accesses your source code.

Create a dedicated #engineering-reports Slack channel. Set up daily summaries delivered each morning so your team starts the day with visibility into yesterday's commits, PRs merged, and open reviews.

Configure weekly reports delivered to your manager, PM, or stakeholders. Gitmore's AI summarises commits and PRs into plain English — no git knowledge required to understand the update.

Gitmind is Gitmore's AI chat agent. Ask questions like 'What did the backend team ship this week?' or 'Which PRs are still waiting for review?' directly in Slack or the dashboard.