Quarterly ORG_SETTINGS.md Audit — 2026-Q3
Per ORG_SETTINGS.md, the intended GitHub org and repo
configuration must be compared against live settings once per quarter.
Checklist
After the audit
- Approved changes to
ORG_SETTINGS.md → PR reviewed by @nyuchi/maintainers.
- Unapproved drift → fix live GitHub settings immediately.
- Close this issue with a comment summarising what was checked and any drift
found or corrected.
Opened automatically by .github/workflows/scheduled-settings-audit.yml.
Quarterly ORG_SETTINGS.md Audit — 2026-Q3
Per ORG_SETTINGS.md, the intended GitHub org and repo
configuration must be compared against live settings once per quarter.
Checklist
ORG_SETTINGS.md§Organization-level settings against Settings → Code security and analysis.
In particular: confirm secret scanning non-provider patterns are enabled
org-wide, not only for public repos.
uses:in.github/workflows/reusable-*.ymlappears in the allowlist atSettings → Actions → General → Allowed actions. Run the audit
grep from §Actions permissions to catch new entries.
github-rulesets/against liveSettings → Rules → Rulesets. Note any approved drift.
matches the pinned commit; check for any tag-ref (
@v4) that slipped pastreview, per NA-03 §7.1.1.
TURBO_TOKENandTURBO_TEAMare current;confirm no long-lived cloud credentials have been added.
Settings → Verified & approved domains.
with merge rights) been met? If yes, update
required_approving_review_countto 1 in
github-rulesets/and re-apply via thegh apicommands in§Enforcement and audit.
security. Confirm GitHub Artifact Attestations are being generated on releases
via
reusable-slsa-provenance.ymlor the attestation step inreusable-release.yml.After the audit
ORG_SETTINGS.md→ PR reviewed by@nyuchi/maintainers.found or corrected.
Opened automatically by
.github/workflows/scheduled-settings-audit.yml.