GitHub Development and Collaboration
GitHub stopped being a Git host years ago. Treating it as one — push, pull request, merge, done — leaves most of the platform unused and most of the compliance machinery unbuilt. The articles in this collection treat GitHub as the delivery and governance plane it has become: branch protection as a technical control, Actions as the CI/CD substrate, Issues and Discussions as the audit-trail of design decisions, and CODEOWNERS as the enforcement surface for “who is allowed to approve what.”
Branch protection is where the line between process and control gets drawn. “We trust our developers” is not a control mechanism in any serious change-management audit; required reviews, required status checks, restrictions on who can push, and signed-commit enforcement are. Getting from one to the other inside a single GitHub repository takes hours, not quarters, and it converts ISO/IEC 27001 change-control evidence from “we have a wiki page” into screenshots of enforced policy.
Actions is the operational counterpart. Workflow files in .github/workflows, reusable workflows for the patterns repeated across repositories, OIDC federation to Azure or AWS instead of long-lived secrets, and environment protection rules that require a human approval before production deployment — together these replace the bespoke CI servers most organisations are still paying to maintain. The pieces are individually well-documented; the value is in composing them so they enforce policy rather than describe it.
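As an added example (not code from this collection or from any project it describes), a deployment workflow that composes the controls just listed: a job bound to a protected environment, OIDC federation to AWS in place of a stored access key, and least-privilege token permissions. It assumes a GitHub environment named `production` with required reviewers configured in the repository settings and an IAM role whose trust policy accepts GitHub's OIDC provider; the role ARN, bucket and build script are placeholders.

```yaml
# Added example: deploy workflow built from the controls described above.
# Assumptions: an environment "production" exists with required reviewers,
# and the IAM role trusts token.actions.githubusercontent.com for this repo.
name: deploy

on:
  push:
    branches: [main]

# Start from no permissions; each job asks only for what it needs.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh          # placeholder build step
      - uses: actions/upload-artifact@v4
        with:
          name: release
          path: dist/

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # Referencing the environment is what makes GitHub pause for the
    # environment's required reviewers before any step runs; the recorded
    # approval on the run is the change-control evidence.
    environment:
      name: production
    permissions:
      id-token: write   # required to request the OIDC token
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: release
          path: dist/
      # Exchange the short-lived GitHub OIDC token for temporary AWS
      # credentials. No AWS secret is stored in GitHub; the trust lives in
      # the IAM role's trust policy, scoped to this repository.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy  # placeholder
          aws-region: eu-west-1
      - run: aws s3 sync dist/ s3://example-release-bucket/   # placeholder target
```

The policy only holds if the IAM role's trust policy conditions the `sub` claim on `repo:ORG/REPO:environment:production`, so that only jobs which passed the environment's approval gate can assume the role.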
The collection also covers the supply-chain side: Dependabot for routine dependency updates, the dependency review action as a PR-time gate, secret scanning push protection that prevents committing credentials in the first place, and automation patterns like dependamerge that keep the volume of bot-generated noise from drowning out human work. Finally, the AI-assisted workflows — Copilot, custom instructions, repository-level guidance — are covered with the same scepticism as everything else: useful, but not a substitute for the underlying controls.

dependamerge-action
In software development, dependencies are inevitable: any project worth its salt relies on various libraries, frameworks, or packages. However, as I found in my own work, managing these dependencies can be an onerous task. Constant updates, new vulnerabilities, and endless manual approvals were draining my time and focus. What if, I thought, these processes could be automated? This thought led to the creation of dependamerge, a GitHub Action designed to free developers from the drudgery of manual dependency maintenance and let us get back to what we do best: building great software.