GitHub governance reference links I share with teams
After almost every governance conversation, I get the same follow-up question: “Can you send the links again?”, so here are some common references around different topics:
- Enterprise governance foundations
- GitHub Actions governance and supply chain controls
- GitHub Advanced Security
- GitHub Copilot governance Of course these can be combined with other best practices, like the GitHub Well Architected Framework, GitHub Security Lab, and GitHub Security Advisories.
Enterprise governance foundations
If you are still shaping your platform baseline, these are the references I send first:
- GitHub Advisory Database
- GitHubs magic files — the hidden config files GitHub looks for in your repos
- LinkedIn Learning: 25 GitHub configuration files you should be using
- GitHub Access Tokens explained — PATs, fine-grained tokens, and when to use which
- Working with GitHub secrets without admin rights
- Configuration as Code for the GitHub platform — automating user onboarding, team creation, and repository setup
GitHub Actions governance and supply chain controls
For Actions, I focus on dependency trust, update control, and visibility:
- Using GitHub Actions with Security in Mind (session recording)
- Maturity levels of using GitHub Actions securely — an 8-level framework from version pinning to a full request process
- GitHub Actions & Security: Best practices - Forking Action repositories
- Setup an internal GitHub Actions Marketplace
- How GitHub Actions versioning works
- Analyzing the GitHub marketplace — dependency security is a big issue
- Really keeping your GitHub Actions usage secure — written after the tj-actions supply chain compromise
- Book: GitHub Actions in Action on Manning.com — co-authored, includes the security chapters
GitHub Advanced Security
- Conference session: Protect your code with GitHub security features (YouTube)
- GHAS code security configurations — rolling out GHAS policies across an org with the new configuration UI
- Dependabot alert triaging in GitHub — hidden UI filters that make alert triage much faster
- Making the case for GitHub’s Secret scanning — analysis of 14,000 forked repos that found 1,300+ exposed secrets
- LinkedIn Learning: GitHub Advanced Security — my course covering Dependabot, CodeQL, and secret scanning
- LinkedIn Learning: GitHub Advanced Security for Azure DevOps — the same pillars but inside Azure DevOps pipelines
Copilot governance
This is the section teams ask for most right now:
- Successfully scaling GitHub Copilot to thousands of developers (GitHub Universe 2024) — slides and recording from my session
- GitHub Copilot Premium Requests — model multipliers, per-plan allowances, and budget controls
- AI Billing and Business Value
- AI Engineering Fluency — VS Code extension that tracks token usage, model choices, and fluency score
- Book: The GitHub Copilot Handbook (Packt)
- LinkedIn Learning: Responsible GitHub Copilot: Creating Reliable Code Ethically
- Xebia Copilot metrics dashboard (admin insights)
- Xebia Copilot premium request and usage overviews
- Copilot updates and announcements
- GitHub Copilot model changes notifier
- GitHub Copilot Extensions — how to build and govern extensions in Copilot Chat
- GitHub Copilot App is now in Technical Preview
Copilot security and governance research
- Running MCP servers securely (research notes)
- Where the GitHub Copilot extension points break governance — CLI plugins, local extensions, APM, gh skill, MCP servers, and VS Code registries