GitHub Development and Collaboration

GitHub stopped being a Git host years ago. Treating it as one — push, pull request, merge, done — leaves most of the platform unused and most of the compliance machinery unbuilt. The articles in this collection treat GitHub as the delivery and governance plane it has become: branch protection as a technical control, Actions as the CI/CD substrate, Issues and Discussions as the audit trail of design decisions, and CODEOWNERS as the enforcement surface for “who is allowed to approve what.”

Branch protection is where the line between process and control gets drawn. “We trust our developers” is not a control mechanism in any serious change-management audit; required reviews, required status checks, restrictions on who can push, and signed-commit enforcement are. Getting from one to the other inside a single GitHub repository takes hours, not quarters, and it converts ISO/IEC 27001 change-control evidence from “we have a wiki page” into exported protection settings and audit-log entries that show the policy actually being enforced.
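The same controls written down as configuration, as an added example for this index rather than something taken from the articles it lists. It assumes the repository has the Settings GitHub App (repository-settings/app) installed, which applies `.github/settings.yml` on every push to the default branch; the `protection` block mirrors the request body of `PUT /repos/{owner}/{repo}/branches/{branch}/protection`, so the same object can be sent with `gh api` instead if you would rather not grant a third-party app administration rights. Team names and status-check contexts are placeholders.

```yaml
# .github/settings.yml (Settings GitHub App, repository-settings/app)
# Added example: team names and check contexts below are assumed placeholders.
branches:
  - name: main
    # Mirrors the body of PUT /repos/{owner}/{repo}/branches/main/protection
    protection:
      # Required reviews: two approvals, approvals dropped when new commits
      # land on the PR, and CODEOWNERS must sign off on the paths they own.
      required_pull_request_reviews:
        required_approving_review_count: 2
        dismiss_stale_reviews: true
        require_code_owner_reviews: true
        # Only this team may dismiss a review someone else gave.
        dismissal_restrictions:
          users: []
          teams: [security-team]
      # Required status checks: the branch must be current with main and these
      # contexts (workflow job names, assumed here) must all be green.
      required_status_checks:
        strict: true
        contexts:
          - "test"
          - "dependency-review"
      # No administrator bypass; a bypass is the first gap an auditor looks for.
      enforce_admins: true
      # A linear history keeps "which change introduced this" answerable.
      required_linear_history: true
      allow_force_pushes: false
      allow_deletions: false
      required_conversation_resolution: true
      # Direct pushes limited to one team; everyone else goes through a PR.
      restrictions:
        apps: []
        users: []
        teams: [release-managers]
```

Two things this file cannot do for you. Signed-commit enforcement is a separate endpoint (`POST /repos/{owner}/{repo}/branches/{branch}/protection/required_signatures`) and is not part of the protection body, so it has to be enabled alongside this. And because the file now is the control, put `.github/settings.yml` under a CODEOWNERS rule owned by the security team: a pull request that weakens it then has to pass the very reviews it defines, which is exactly the evidence an auditor wants to see.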

Actions is the operational counterpart. Workflow files in .github/workflows, reusable workflows for the patterns repeated across repositories, OIDC federation to Azure or AWS instead of long-lived secrets, and environment protection rules that require a human approval before production deployment — together these replace the bespoke CI servers most organisations are still paying to maintain. The pieces are individually well-documented; the value is in composing them so they enforce policy rather than describe it.

The collection also covers the supply-chain side: Dependabot for routine dependency updates, the dependency review action as a PR-time gate, secret scanning push protection that prevents committing credentials in the first place, and automation patterns like dependamerge that keep the volume of bot-generated noise from drowning out human work. Finally, the AI-assisted workflows — Copilot, custom instructions, repository-level guidance — are covered with the same scepticism as everything else: useful, but not a substitute for the underlying controls.
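Composed as one workflow, as an added example written for this index and not code from the articles it lists: a pull-request-time dependency-review gate, and a production deploy that takes short-lived AWS credentials over OIDC under a protected environment. The `production` environment name, the IAM role ARN and account number, the region, the severity threshold and the deploy script path are all assumptions.

```yaml
# .github/workflows/deploy.yml
# Added example, not from the collection. Assumed: the "production"
# environment, the IAM role ARN, the AWS region and the job/check names.
name: deploy

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# The default GITHUB_TOKEN gets nothing; each job requests exactly what it needs.
permissions: {}

jobs:
  dependency-review:
    # PR-time gate: diffs the PR's dependency changes against the base branch
    # and fails the check on newly introduced vulnerable or disallowed
    # packages. Make this job name a required status check so it cannot be
    # skipped. Requires the dependency graph to be enabled on the repository.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Pin third-party actions to a full commit SHA in production; version
      # tags are used here only for readability.
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
          deny-licenses: GPL-3.0, AGPL-3.0
          comment-summary-in-pr: always

  deploy:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    # Naming the environment is what attaches its protection rules. Required
    # reviewers and the deployment-branch policy live on the environment in
    # repository settings; this job blocks here until a reviewer approves.
    environment:
      name: production
    permissions:
      contents: read
      id-token: write   # needed to request the OIDC token, and nothing more
    steps:
      - uses: actions/checkout@v4
      # No AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets anywhere: the
      # runner exchanges its OIDC token for temporary credentials on the role.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy-production
          aws-region: eu-west-1
          role-session-name: gha-${{ github.run_id }}
      # Prove which identity the job holds before it touches anything.
      - run: aws sts get-caller-identity
      - run: ./scripts/deploy.sh   # assumed deploy script
```

The piece that turns this from convenience into a control is on the AWS side: the role's trust policy must condition `token.actions.githubusercontent.com:aud` on `sts.amazonaws.com` and `token.actions.githubusercontent.com:sub` on `repo:<org>/<repo>:environment:production`. That `sub` value is only issued to jobs that ran under the environment, which means only runs that passed the environment's approval can assume the role. A trust policy that matches on the repository alone (or on `*`) lets any branch, including a pull request from a fork that requests `id-token: write`, take the same credentials, and the human-approval gate above becomes decorative.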

247 Strangers Have Root Access to Your Production

Your organization has a thorough vendor approval process. Procurement forms. Security questionnaires. Legal reviews lasting months. Then your developers run npm install and pull 247 packages from strangers on the internet—and nobody blinks. That’s the supply chain security paradox most teams live with daily. This guide shows you how to implement Dependabot, dependency review, and SBOM generation as the defensive controls they should be—not as checkbox compliance theater.
Trust Is Not a Control: ISO 27001 Compliance via GitHub

Process documents don’t impress auditors. “We trust our developers” isn’t a control mechanism. ISO 27001 demands technical enforcement, not organizational promises. This guide shows how GitHub branch protection, CODEOWNERS, and environment protection transform compliance from checkbox theater into system-enforced reality, with a six-week implementation path.
Instruction by Design: Transforming ADRs into Actionable AI Guidance

Discover how to transform architectural decision records (ADRs) into actionable, AI-ready guidance for teams and copilots—boosting consistency, onboarding, and automation in your development workflow.
How to Use Copilot Without Becoming Its Puppet

In a previous article, we laid it out – unfiltered: Copilot turns junior devs into syntax secretaries.

Not because it’s evil. But because it removes friction before understanding.

It gives you working code before you know what working even means. It creates the illusion of progress, while slowly eroding the very skills that define a software engineer: reasoning, decision-making, and technical ownership.

Copilot Turns Junior Devs Into Syntax Secretaries

The hype around GitHub Copilot (or any other AI code assistant) is deafening. AI-assisted coding. Effortless automation. 10x productivity.

But here’s the harsh truth: Copilot isn’t empowering junior developers – it’s deskilling them.