template repo<\/a> with protection rules.<\/p>\n\n\n\n\ud83e\uddfe Step 6: Enable Audit Logging (Enterprise)<\/h3>\n\n\n\n Use case:<\/strong> Track changes, user actions, security breaches.<\/p>\n\n\n\nHow:<\/strong><\/p>\n\n\n\n\nGo to your GitHub Enterprise org > Settings<\/strong> > Audit Log<\/strong><\/li>\n\n\n\nFilter by event types, users, or repositories.<\/li>\n<\/ul>\n\n\n\n\ud83d\udcbc Section 4: Intermediate Policy Use Cases<\/strong><\/h2>\n\n\n\n\ud83c\udfaf 1. Restrict GitHub Actions Use<\/strong><\/h3>\n\n\n\nHow:<\/strong><\/p>\n\n\n\n\nGo to Settings<\/strong> > Actions<\/strong> > Policies\n\nAllow only internal actions<\/li>\n\n\n\n Restrict to specific workflows or runner groups<\/li>\n\n\n\n Require approval for external workflows<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n\ud83e\udde0 2. Limit GitHub App Installations<\/strong><\/h3>\n\n\n\nHow:<\/strong><\/p>\n\n\n\n\nGo to Settings<\/strong> > Third-party access<\/strong>\n\nAllow only approved GitHub Apps<\/li>\n\n\n\n Block unknown OAuth apps or PATs<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n\ud83d\udce6 3. Set Organization-wide Secrets<\/strong><\/h3>\n\n\n\nUse case:<\/strong> Provide centralized secrets for all CI\/CD.<\/p>\n\n\n\nHow:<\/strong><\/p>\n\n\n\n\nGo to Settings<\/strong> > Secrets and variables<\/strong>\n\nAdd Organization Secrets<\/strong> (e.g., AWS keys, API tokens)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n\ud83e\udde0 Section 5: Advanced Governance (Enterprise Tier)<\/strong><\/h2>\n\n\n\nIf you\u2019re using GitHub Enterprise Cloud<\/strong> or Enterprise Managed Users<\/strong>, here are advanced controls:<\/p>\n\n\n\n\ud83d\udd10 Enterprise Policies via GitHub CLI \/ API<\/h3>\n\n\n\n Example: Enforce 2FA using CLI<\/p>\n\n\n
gh api \\\n --method PATCH \\\n -H \"Accept: application\/vnd.github+json\"<\/span> \\\n \/orgs\/YOUR_ORG \\\n -f members_can_create_repositories=false<\/span>\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n\ud83c\udfdb\ufe0f GitHub Policy Service (beta\/enterprise)<\/h3>\n\n\n\n GitHub has an internal feature called Policy Service<\/strong> (in private beta) that allows defining JSON\/YAML-based policy rules<\/strong> like:<\/p>\n\n\nrequire_codeowners:\n enabled: true<\/span>\nrequire_pull_request_reviews<\/span>:\n required_approving_review_count: 2<\/span>\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\nThese policies are applied org-wide for compliance automation.<\/p>\n\n\n\n
\ud83d\udca1 Real-World Use Cases<\/h2>\n\n\n\nUse Case<\/th> Policy\/Feature Required<\/th><\/tr><\/thead> Enforce 2FA for all members<\/td> Settings > Security<\/code><\/td><\/tr>Prevent unapproved GitHub Actions<\/td> Settings > Actions > Workflow Restrictions<\/code><\/td><\/tr>Centralized secrets for deployments<\/td> Organization > Secrets<\/code><\/td><\/tr>Standardize repo setup with templates<\/td> Repository Templates + Default Settings<\/code><\/td><\/tr>Enforce CI + code review<\/td> Branch Protection Rules<\/code><\/td><\/tr>Deny external OAuth apps<\/td> Third-party Access Settings<\/code><\/td><\/tr>Require CODEOWNERS for ownership<\/td> Branch Protection + CODEOWNERS file<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n\ud83d\udccc Best Practices<\/h2>\n\n\n\n\nUse Teams<\/strong> to manage access instead of individual users.<\/li>\n\n\n\nEnforce branch protection<\/strong> on main branches.<\/li>\n\n\n\nCreate a compliance repo<\/strong> documenting all policies.<\/li>\n\n\n\nUse Audit Logs<\/strong> to monitor suspicious activity.<\/li>\n\n\n\nKeep GitHub Apps and PATs tightly scoped.<\/li>\n\n\n\n Review member privileges<\/strong> quarterly.<\/li>\n<\/ul>\n\n\n\n\ud83d\udcda Bonus: GitHub CLI for Org Policies<\/h2>\n\n\n\n You can script organization policies with GitHub CLI:<\/p>\n\n\n