SDLC + GitHub Enterprise for Non-Engineers

A Plain-English Tour of Software Development Lifecycle

You won’t leave knowing how to code, but you will know how to collaborate, approve, and govern safely.

What You’ll Learn Today

  • SDLC Overview - The big picture of software development
  • GitHub Enterprise - Where everything lives and how it works
  • Planning & Collaboration - How work gets organized and tracked
  • Automation & Deployment - How changes move safely through the system
  • Security & Governance - How we keep everything secure and compliant
  • Your Day-to-Day - The five clicks you’ll use most often

Who This Is For

Role - What You’ll Learn
Project/Delivery - How to track scope, schedule, and dependencies
Security/Risk - How to set policies and review security findings
Change/Release - How to approve deployments and manage releases
QA/UAT - How to validate changes and sign off on testing
Operations/SRE - How to monitor deployments and handle rollbacks
Product/Owners - How to prioritize work and track outcomes

The Promise

“By the end of this session, you’ll understand how to:

  • Navigate GitHub to see what’s happening with your projects
  • Approve changes safely using the right controls
  • Track work progress and identify blockers
  • Understand security alerts and compliance requirements
  • Collaborate effectively with engineering teams”

Presentation Structure

📚 Section 1: SDLC Overview

  • Understanding the software development lifecycle
  • Key artifacts and quality gates
  • Security integration throughout

πŸ—οΈ Section 2: GitHub Enterprise

  • How GitHub fits into the SDLC
  • Key concepts and terminology
  • How non-engineers influence outcomes

Presentation Structure (Continued)

📋 Section 3: Planning & Collaboration

  • From idea to release workflow
  • Issue and project management
  • PR review process and quality gates

⚙️ Section 4: GitHub Actions (CI/CD)

  • Automation and deployment
  • Environment protection
  • Quality gates and approvals

Presentation Structure (Continued)

🔒 Section 5: GitHub Advanced Security

  • Code scanning and vulnerability detection
  • Secret scanning and push protection
  • Dependency management and supply chain security

🛡️ Section 6: Governance & Compliance

  • Branch protection and CODEOWNERS
  • Environment protection and approvals
  • Audit logs and compliance reporting

Presentation Structure (Continued)

📱 Section 7: Your Day-to-Day

  • The five clicks you’ll use most
  • Daily, weekly, and monthly workflows
  • Pro tips for non-technical users

⚠️ Section 8: Risks & Guardrails

  • What can go wrong and how we prevent it
  • Incident response and recovery
  • Continuous improvement

Presentation Structure (Continued)

❓ Section 9: Q&A and Wrap-Up

  • Implementation roadmap
  • Role-based action items
  • Resources and next steps

🚀 Live Repository Demos

📱 Section 10: Real GitHub Examples

  • All 12 Repository Demos - Comprehensive tour of live examples
  • Java Examples: Spring Boot & OpenSearch
  • Python Examples: Pandas & Requests
  • Go Examples: Cobra & GolangCI-Lint
  • Node.js/TypeScript: Next.js & Playwright
  • C++ Examples: Protocol Buffers & Windows Terminal
  • Cross-Language: Homebrew & Terraform

🎯 What You’ll See

  • Live repository navigation during the session
  • Real GitHub Actions workflows running in production
  • Security features like CodeQL and Dependabot
  • Enterprise patterns you can implement

🔍 How to Navigate

  • Use arrow keys to move between slides
  • Press ‘F’ for fullscreen mode
  • Press ‘S’ to see speaker notes
  • Press ‘ESC’ to see slide overview

📱 Mobile Friendly

  • Swipe left/right to navigate
  • Pinch to zoom for better readability
  • Landscape mode recommended

Let’s Get Started!

🚀 Ready to Learn?

  • No technical knowledge required
  • Ask questions anytime
  • Take notes on what’s most relevant to you
  • Think about how this applies to your role

Section 1: SDLC Overview

🚀 Live Repository Demos - Section 10

📱 Real GitHub Examples You’ll See

  • Java: Spring Boot & OpenSearch
  • Python: Pandas & Requests
  • Go: Cobra & GolangCI-Lint
  • Node.js/TypeScript: Next.js & Playwright
  • C++: Protocol Buffers & Windows Terminal
  • Cross-Language: Homebrew & Terraform

🎯 What You’ll Demo Live

🔍 Actions Tab Navigation

  • CodeQL Workflows: Security scanning on every push, pull request, and scheduled run
  • Build & Test: CI/CD pipelines running
  • Dependabot Updates: Automated dependency management
  • Release Workflows: How releases are built, approved, and published
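The workflow below is an added example written for this deck to show what a gated release looks like in a workflow file; it is not taken from any of the twelve demo repositories. It assumes two things that are not on the page: releases are cut by pushing a tag such as `v1.4.0`, and a repository admin has created an environment named `production` under Settings → Environments with required reviewers.

```yaml
# .github/workflows/release.yml
# Added illustration for this deck, not taken from any demo repository.
# Assumes: releases are cut by pushing a tag like v1.4.0, and an environment
# named "production" exists in Settings -> Environments with required reviewers.
name: Release

on:
  push:
    tags: ["v*"]

# Workflow-wide default: a read-only token. Jobs raise it only where needed.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build release artifact
        run: |
          mkdir -p dist
          tar -czf "dist/app-${GITHUB_REF_NAME}.tar.gz" --exclude=dist --exclude=.git .
      - uses: actions/upload-artifact@v4
        with:
          name: release-artifact
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # The run stops here and waits for a required reviewer to approve in the
    # Actions UI. The approval (who, when) is recorded on the run and in the
    # audit log, which is the evidence a change/release manager needs.
    environment:
      name: production
      url: https://github.com/${{ github.repository }}/releases/tag/${{ github.ref_name }}
    permissions:
      contents: write   # only this job may create the release
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: release-artifact
          path: dist/
      - name: Create GitHub Release from the approved artifact
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
        run: >
          gh release create "$GITHUB_REF_NAME" dist/*
          --title "$GITHUB_REF_NAME" --generate-notes
```

Two things to point out when clicking through a run like this: the `publish` job shows a yellow "waiting for review" state until an approver acts, and the environment can additionally restrict which branches or tags are allowed to deploy and hold secrets that are only released to jobs that passed the approval.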

🔒 Security Features

  • CodeQL Analysis: Vulnerability detection
  • Dependabot Configuration: Update schedules
  • Security Policies: SECURITY.md and the disclosure process
  • Alerts: Findings listed in the Security tab (the full alert lists are visible only to users with write access to the repository)

📋 Demo Session Structure

🚀 During the Presentation

  1. Quick overview of each repository
  2. Live navigation through selected examples
  3. Feature demonstration (Actions, Security, Dependabot)
  4. Q&A on implementation details
  5. Next steps for your organization

💡 Pro Tips

  • Have repositories open in separate tabs
  • Show failed workflows to demonstrate quality gates
  • Point out recent security findings
  • Explain how patterns apply to your needs

Java Repository Examples - Live GitHub Demos

Real-world examples of GitHub Enterprise features in Java projects

Demo Overview

🎯 What We’ll Explore

  • Spring Boot - Production-grade framework with extensive CI/CD
  • OpenSearch - Search engine with rich automation workflows
  • Real GitHub Actions running in production
  • Advanced Security features like CodeQL and Dependabot

🔍 Demo Strategy

  • Click through live repositories during the session
  • Show actual workflows running in real-time
  • Highlight security features that matter to your organization

1. Spring Boot - spring-projects/spring-boot

πŸ—οΈ What It Is

  • Production-grade Spring framework starter
  • Enterprise standard for Java applications
  • Millions of downloads and active development

📋 GitHub Actions Workflows

🔒 Security Features

🔍 What to Click During Demo

  1. Open Actions tab → github.com/spring-projects/spring-boot/actions
  2. Click on “Run CodeQL Analysis” workflow
  3. Show recent runs and security findings
  4. Demonstrate how security scanning integrates with CI/CD

📸 Live Demo Screenshots

  • Actions Tab: GitHub Actions Workflow - Shows workflow runs as they execute
  • CodeQL Analysis: CodeQL Security - Displays the scan job and its results
  • Dependabot Updates: Dependabot - Shows automated dependency update PRs
  • Security Tab: Security Overview - Lists the security policy and published advisories; the Dependabot, code scanning, and secret scanning alert lists appear only for users with write access

🔍 Data to Show

  • Current Workflow Status: Live execution of CI/CD pipelines
  • Recent Security Findings: Check annotations on pull requests and fixes merged in response to alerts (on a public repository you do not belong to, the alert list itself is hidden)
  • Dependabot Activity: Recent dependency updates and PRs
  • Team Collaboration: Code reviews and approvals on open pull requests

2. OpenSearch - opensearch-project/OpenSearch

πŸ—οΈ What It Is

  • Open-source search/analytics engine
  • Elasticsearch-compatible alternative
  • Enterprise-grade with active development

📋 GitHub Actions Workflows

🔒 Security Features

🔍 What to Click During Demo

  1. Open Actions tab → github.com/opensearch-project/OpenSearch/actions
  2. Show workflow diversity (Java, Python, JavaScript builds)
  3. Highlight multi-language CI/CD patterns
  4. Show the release-related workflows; for a library like this, “deployment” means publishing a release, and OpenSearch’s distribution builds run largely in its separate opensearch-build project rather than in this repository’s Actions

📸 Live Demo Screenshots

  • Multi-language Builds: Multi-language Workflows - Shows Java, Python, JavaScript workflows
  • Release Workflows: Release Workflows - Shows how a large open-source project gates and publishes releases
  • Dependabot Integration: Dependabot Integration - Shows automated dependency updates
  • Security Scanning: Security Scanning - Shows CodeQL scans running on pushes and pull requests

Java Examples - Key Takeaways

✅ What These Repositories Demonstrate

  • Production-scale CI/CD with GitHub Actions
  • Security-first development with CodeQL integration
  • Automated dependency management with Dependabot
  • Enterprise-grade workflows you can replicate

🎯 Features to Highlight

  • Security scanning on every push and pull request
  • Automated quality gates before merging
  • Comprehensive testing across multiple environments
  • Professional release management processes

Demo Navigation Tips

🚀 During the Session

  • Have both repositories open in separate tabs
  • Switch between them to show different approaches
  • Click through workflows to show real-time status
  • Highlight specific features relevant to your audience

🎯 Step-by-Step Demo Flow

  1. Start with Spring Boot:

    • Navigate to Actions tab
    • Click on “Run CodeQL Analysis” workflow
    • Show recent security scan results
    • Demonstrate failed vs. successful runs
  2. Switch to OpenSearch:

    • Navigate to Actions tab
    • Show multi-language build workflows
    • Highlight production deployment patterns
    • Compare security approaches between projects

🔧 Workflow Examples to Highlight

File names vary by repository; open the .github/workflows/ folder to find the real ones. Typical examples:

  • CodeQL Analysis: codeql-analysis.yml - Security scanning
  • Build & Test: build-and-test.yml - CI/CD pipeline
  • Release: release.yml - Release and publishing
  • Dependabot: .github/dependabot.yml - Dependency management
  • Branch Protection: Repository settings - Quality gates (visible only to repository admins; for a public repository, the branches API still reports whether a branch is protected)
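To make the CodeQL click-through concrete, here is an added example of a code-scanning workflow written for this deck. It is not Spring Boot’s own workflow file (that differs in name, branches, and build steps) and serves every “Click on the CodeQL workflow” step in the language sections that follow. The branch name, schedule, and language list are assumptions.

```yaml
# .github/workflows/codeql.yml
# Added illustration for this deck; not Spring Boot's own workflow. The branch
# name, schedule, and language list are assumptions.
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    # Weekly scan of main so newly published CodeQL queries are applied to
    # code that has not changed since the last push.
    - cron: "30 3 * * 1"

# Least-privilege token: the job reads code and writes code-scanning alerts,
# nothing else. A workflow without this block inherits the repository default.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 120
    strategy:
      fail-fast: false
      matrix:
        # One job per language; add "javascript-typescript", "python", etc.
        language: [ "java-kotlin" ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # security-extended adds lower-precision security queries on top
          # of the default suite; expect more findings to triage.
          queries: security-extended

      # Compiled languages must be built so CodeQL can trace the code.
      # Replace with explicit build commands if autobuild cannot work out
      # the build system.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      # Uploads the SARIF results; alerts appear under Security -> Code scanning
      # and as annotations on the pull request that triggered the run.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The scan only becomes a quality gate once a repository admin lists the job (here “Analyze (java-kotlin)”) as a required status check in branch protection, and optionally sets the code scanning “check failure” threshold so that new high-severity alerts fail the pull request check. Without those two settings the workflow produces information, not enforcement.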

💡 Pro Tips

  • Open the workflow’s YAML file next to the run so the audience can connect triggers, permissions, and steps to what they see executing
  • Show failed workflows to demonstrate quality gates
  • Point out security alerts and their resolution
  • Explain how these patterns apply to your organization
  • Ask questions about specific implementation details

Questions for Discussion

💭 Consider These Points

  • Which security features are most important for your compliance needs?
  • How can you implement similar CI/CD patterns in your projects?
  • What training do your teams need to adopt these practices?
  • Which workflows would provide the most value for your organization?

🔒 Compliance & Security Features

  • CodeQL Analysis: Vulnerability detection on every push, pull request, and scheduled scan
  • Dependabot: Alerts on vulnerable dependencies and, when enabled, automated security update PRs
  • Secret Scanning: Detects leaked credentials; push protection blocks known secret formats before they reach the repository
  • Branch Protection: Enforces code review and status-check requirements
  • Environment Protection: Controls deployment approvals

🏛️ Compliance Certifications

These are attestations about the GitHub platform itself; they do not make your repositories, workflows, or applications compliant.

  • SOC 2 Type II: Annual third-party audit of GitHub’s security and availability controls (report available to customers)
  • FedRAMP: GitHub Enterprise Cloud holds a FedRAMP Tailored (LI-SaaS) authorization
  • HIPAA: There is no HIPAA certification; confirm contractual terms with GitHub before storing anything PHI-related
  • ISO 27001: Certification of GitHub’s information security management system
  • GDPR: GitHub processes data under its Data Protection Agreement; your organization remains the controller

📊 Enterprise Benefits

  • Audit Trails: Complete change history and approvals
  • Quality Gates: Automated testing and security checks
  • Compliance Reporting: Built-in security and compliance metrics
  • Team Collaboration: Clear ownership and review processes

🎯 Next Steps

  • Review these repositories before your session
  • Identify specific features you want to explore
  • Prepare questions about implementation
  • Think about your current development practices

💰 GitHub Enterprise Features

  • Advanced Security: CodeQL, Dependabot, Secret Scanning (licensed separately as an add-on)
  • Enterprise Management: SAML SSO and SCIM provisioning on Enterprise Cloud; SAML, LDAP, or CAS authentication on Enterprise Server
  • Compliance: SOC 2, ISO 27001, and FedRAMP Tailored attestations for the platform
  • Support: Enterprise support included; 24/7 Premium Support and training are separate add-ons

💳 Pricing Tiers (2024 list prices)

  • GitHub Free: $0 - Unlimited public and private repositories, basic features
  • GitHub Team: $4/user/month - Private repositories with team features
  • GitHub Enterprise: $21/user/month - One license covering both Enterprise Cloud (GitHub-hosted) and Enterprise Server (self-hosted); they are not separate price points
  • GitHub Advanced Security: $49/active committer/month add-on - Required for CodeQL, secret scanning, and dependency review on private repositories

📊 ROI & Business Value

Figures like these circulate in vendor and analyst material; none were measured here, so treat them as hypotheses to baseline and verify in your own organization:

  • Security Incident Reduction: 50-80% fewer vulnerabilities
  • Developer Productivity: 20-30% faster development cycles
  • Compliance Automation: 90% reduction in manual audit work
  • Cost Savings: 40-60% reduction in security tool licensing
  • Time to Market: 25-40% faster feature delivery

🚀 Implementation Roadmap

  1. Phase 1: Basic GitHub Actions and CI/CD setup
  2. Phase 2: Security scanning and Dependabot integration
  3. Phase 3: Advanced compliance and governance features
  4. Phase 4: Enterprise-wide rollout and training

✅ Demo Preparation Checklist

  • Repository Access: Both repositories open in separate tabs
  • Workflow Examples: Identify 2-3 workflows to demonstrate
  • Security Features: Note recent security alerts or findings (on a public repository you do not belong to, you will only see pull request check annotations and fixes, not the alert lists)
  • Dependabot Status: Check for recent dependency updates
  • Failed Workflows: Find examples of quality gates in action
  • Browser Setup: Workflow YAML files open next to their runs
  • Questions Ready: Prepare specific implementation questions

Additional Resources

📚 Documentation & Learning

🎥 Video Tutorials

🔗 Community & Support

🏆 Success Stories & Case Studies

Netflix, Microsoft, Adobe, Spotify, and Uber are commonly cited GitHub customers. The figures attached to them here are not sourced in this deck; check GitHub’s published customer stories before quoting them:

  • Netflix: 1000+ repositories, 99.9% security compliance
  • Microsoft: 200+ teams, 80% faster code reviews
  • Adobe: 500+ developers, 70% reduction in security incidents
  • Spotify: 300+ microservices, 90% automated deployments
  • Uber: 1000+ engineers, 60% faster feature delivery

🛡️ Security Features Deep Dive

  • CodeQL: Hundreds of security queries per language; findings still need triage, since no static analyser has zero false positives
  • Dependabot: 15+ package ecosystems supported
  • Secret Scanning: Hundreds of partner-defined secret patterns, plus custom patterns on Enterprise
  • Dependency Graph: Maps declared dependencies; Dependabot matches them against the GitHub Advisory Database
  • Security Advisories: Coordinated disclosure process

Ready to Explore Java Examples?

Let’s dive into Spring Boot and OpenSearch to see enterprise-grade GitHub workflows in action!

📞 Get Started Today

🎯 Your Next Steps

  1. Review these examples before your session
  2. Prepare specific questions about your use case
  3. Identify key stakeholders for implementation
  4. Schedule follow-up with GitHub team

Python Repository Examples - Live GitHub Demos

Real-world examples of GitHub Enterprise features in Python projects

Demo Overview

🎯 What We’ll Explore

  • Pandas - Data analysis library with comprehensive CI/CD
  • Requests - HTTP library with security-first development
  • Real GitHub Actions workflows in Python projects
  • Advanced Security features and dependency management

🔍 Demo Strategy

  • Click through live repositories during the session
  • Show actual workflows running in real-time
  • Highlight security features that matter to your organization

1. Pandas - pandas-dev/pandas

πŸ—οΈ What It Is

  • De-facto data frame library for Python
  • Tabular data analysis powerhouse
  • Widely used in data science and analytics

📋 GitHub Actions Workflows

🔒 Security Features

🔍 What to Click During Demo

  1. Open Actions tab → github.com/pandas-dev/pandas/actions
  2. Click on “CodeQL Analysis” workflow
  3. Show recent runs and security findings
  4. Demonstrate how security scanning integrates with CI/CD

2. Requests - psf/requests

πŸ—οΈ What It Is

  • Human-friendly HTTP library for Python
  • Classic and widely adopted HTTP client
  • Simple API for making web requests

📋 GitHub Actions Workflows

🔒 Security Features

🔍 What to Click During Demo

  1. Open Actions tab → github.com/psf/requests/actions
  2. Click on “CodeQL Analysis” workflow
  3. Show recent runs and security findings
  4. Demonstrate how security scanning integrates with CI/CD

Python Examples - Key Takeaways

✅ What These Repositories Demonstrate

  • Production-scale CI/CD with GitHub Actions
  • Security-first development with CodeQL integration
  • Automated dependency management with Dependabot
  • Enterprise-grade workflows you can replicate

🎯 Features to Highlight

  • Security scanning on every push and pull request
  • Automated quality gates before merging
  • Comprehensive testing across multiple environments
  • Professional release management processes

Demo Navigation Tips

🚀 During the Session

  • Have both repositories open in separate tabs
  • Switch between them to show different approaches
  • Click through workflows to show real-time status
  • Highlight specific features relevant to your audience

💡 Pro Tips

  • Show failed workflows to demonstrate quality gates
  • Point out recent security findings
  • Explain how these patterns apply to your organization
  • Ask questions about specific implementation details

Questions for Discussion

💭 Consider These Points

  • Which security features are most important for your compliance needs?
  • How can you implement similar CI/CD patterns in your projects?
  • What training do your teams need to adopt these practices?
  • Which workflows would provide the most value for your organization?

🎯 Next Steps

  • Review these repositories before your session
  • Identify specific features you want to explore
  • Prepare questions about implementation
  • Think about your current development practices

Ready to Explore Python Examples?

Let’s dive into Pandas and Requests to see enterprise-grade GitHub workflows in action!

Go Repository Examples - Live GitHub Demos

Real-world examples of GitHub Enterprise features in Go projects

Demo Overview

🎯 What We’ll Explore

  • Cobra - CLI framework used by kubectl and other tools
  • GolangCI-Lint - Popular Go linter aggregator
  • Real GitHub Actions workflows in Go projects
  • Advanced Security features and CI/CD patterns

🔍 Demo Strategy

  • Click through live repositories during the session
  • Show actual workflows running in real-time
  • Highlight security features that matter to your organization

1. Cobra - spf13/cobra

πŸ—οΈ What It Is

  • CLI framework used by kubectl and other tools
  • Library for building powerful command-line interfaces
  • Widely adopted in the Go ecosystem

📋 GitHub Actions Workflows

🔒 Security Features

🔍 What to Click During Demo

  1. Open Actions tab → github.com/spf13/cobra/actions
  2. Click on “CodeQL Analysis” workflow
  3. Show recent runs and security findings
  4. Demonstrate how security scanning integrates with CI/CD

2. GolangCI-Lint - golangci/golangci-lint

πŸ—οΈ What It Is

  • Fast, multi-linter toolchain for Go
  • Popular linting solution used in production
  • Comprehensive code quality checking

📋 GitHub Actions Workflows

🔒 Security Features

🔍 What to Click During Demo

  1. Open Actions tab → github.com/golangci/golangci-lint/actions
  2. Click on “CodeQL Analysis” workflow
  3. Show recent runs and security findings
  4. Demonstrate how security scanning integrates with CI/CD

Go Examples - Key Takeaways

✅ What These Repositories Demonstrate

  • Production-scale CI/CD with GitHub Actions
  • Security-first development with CodeQL integration
  • Automated dependency management with Dependabot
  • Enterprise-grade workflows you can replicate

🎯 Features to Highlight

  • Security scanning on every push and pull request
  • Automated quality gates before merging
  • Comprehensive testing across multiple environments
  • Professional release management processes

Demo Navigation Tips

🚀 During the Session

  • Have both repositories open in separate tabs
  • Switch between them to show different approaches
  • Click through workflows to show real-time status
  • Highlight specific features relevant to your audience

💡 Pro Tips

  • Show failed workflows to demonstrate quality gates
  • Point out recent security findings
  • Explain how these patterns apply to your organization
  • Ask questions about specific implementation details

Questions for Discussion

💭 Consider These Points

  • Which security features are most important for your compliance needs?
  • How can you implement similar CI/CD patterns in your projects?
  • What training do your teams need to adopt these practices?
  • Which workflows would provide the most value for your organization?

🎯 Next Steps

  • Review these repositories before your session
  • Identify specific features you want to explore
  • Prepare questions about implementation
  • Think about your current development practices

Ready to Explore Go Examples?

Let’s dive into Cobra and GolangCI-Lint to see enterprise-grade GitHub workflows in action!

Node.js/TypeScript Repository Examples - Live GitHub Demos

Real-world examples of GitHub Enterprise features in Node.js/TypeScript projects

Demo Overview

🎯 What We’ll Explore

  • Next.js - Full-stack React framework used at scale
  • Playwright - End-to-end browser automation framework
  • Real GitHub Actions workflows in TypeScript projects
  • Advanced Security features and modern CI/CD patterns

🔍 Demo Strategy

  • Click through live repositories during the session
  • Show actual workflows running in real-time
  • Highlight security features that matter to your organization

1. Next.js - vercel/next.js

πŸ—οΈ What It Is

  • Full-stack React framework used at scale
  • TypeScript-first development experience
  • Production deployment with Vercel integration

📋 GitHub Actions Workflows

  • Extensive Actions workflows: github.com/vercel/next.js/actions
  • Build & Test: Multiple testing strategies
  • Labeling & Preview: Automated PR management
  • Release Management: Production deployment workflows

🔒 Security Features

🔍 What to Click During Demo

  1. Open Actions tab → github.com/vercel/next.js/actions
  2. Show workflow diversity (build/test/labeling/preview)
  3. Highlight production deployment workflows
  4. Demonstrate automated PR management

2. Playwright - microsoft/playwright

πŸ—οΈ What It Is

  • End-to-end browser automation framework
  • Cross-browser testing solution
  • Microsoft-backed enterprise tool

📋 GitHub Actions Workflows

🔒 Security Features

🔍 What to Click During Demo

  1. Open Actions tab → github.com/microsoft/playwright/actions
  2. Click on “CodeQL Advanced” workflow
  3. Show recent runs and security findings
  4. Demonstrate enterprise-grade security scanning

Node.js/TypeScript Examples - Key Takeaways

✅ What These Repositories Demonstrate

  • Production-scale CI/CD with GitHub Actions
  • Security-first development with CodeQL integration
  • Automated dependency management with Dependabot
  • Enterprise-grade workflows you can replicate

🎯 Features to Highlight

  • Security scanning on every push and pull request
  • Automated quality gates before merging
  • Comprehensive testing across multiple environments
  • Professional release management processes

Demo Navigation Tips

🚀 During the Session

  • Have both repositories open in separate tabs
  • Switch between them to show different approaches
  • Click through workflows to show real-time status
  • Highlight specific features relevant to your audience

💡 Pro Tips

  • Show failed workflows to demonstrate quality gates
  • Point out recent security findings
  • Explain how these patterns apply to your organization
  • Ask questions about specific implementation details

Questions for Discussion

💭 Consider These Points

  • Which security features are most important for your compliance needs?
  • How can you implement similar CI/CD patterns in your projects?
  • What training do your teams need to adopt these practices?
  • Which workflows would provide the most value for your organization?

🎯 Next Steps

  • Review these repositories before your session
  • Identify specific features you want to explore
  • Prepare questions about implementation
  • Think about your current development practices

Ready to Explore Node.js/TypeScript Examples?

Let’s dive into Next.js and Playwright to see enterprise-grade GitHub workflows in action!

C++ Repository Examples - Live GitHub Demos

Real-world examples of GitHub Enterprise features in C++ projects

Demo Overview

🎯 What We’ll Explore

  • Protocol Buffers - Google’s language-neutral serialization with Bazel integration
  • Windows Terminal - Modern terminal emulator with enterprise features
  • Real GitHub Actions workflows in C++ projects
  • Advanced Security features and complex build systems

🔍 Demo Strategy

  • Click through live repositories during the session
  • Show actual workflows running in real-time
  • Highlight security features that matter to your organization

1. Protocol Buffers - protocolbuffers/protobuf

πŸ—οΈ What It Is

  • Google’s language-neutral serialization format
  • Core Protobuf compiler/libs in C++ with many language bindings
  • Bazel build system integration in CI

📋 GitHub Actions Workflows

🔒 Security Features

🔍 What to Click During Demo

  1. Open Actions tab → github.com/protocolbuffers/protobuf/actions
  2. Click on “CodeQL Analysis” workflow
  3. Show recent runs and security findings
  4. Demonstrate how security scanning integrates with CI/CD

2. Windows Terminal - microsoft/terminal

πŸ—οΈ What It Is

  • Modern terminal emulator for Windows
  • C++ application with enterprise features
  • Microsoft-backed production tool

📋 GitHub Actions Workflows

🔒 Security Features

  • CodeQL Advanced Workflow: Enterprise security scanning
  • Defender for DevOps: Microsoft security integration
  • Security Policy: SECURITY.md

🔍 What to Click During Demo

  1. Open Actions tab → github.com/microsoft/terminal/actions
  2. Click on “CodeQL Advanced” workflow
  3. Show recent runs and security findings
  4. Demonstrate enterprise-grade security scanning

C++ Examples - Key Takeaways

✅ What These Repositories Demonstrate

  • Production-scale CI/CD with GitHub Actions
  • Security-first development with CodeQL integration
  • Complex build systems with Bazel and multi-platform support
  • Enterprise-grade workflows you can replicate

🎯 Features to Highlight

  • Security scanning on every push and pull request
  • Automated quality gates before merging
  • Comprehensive testing across multiple environments
  • Professional release management processes

Demo Navigation Tips

🚀 During the Session

  • Have both repositories open in separate tabs
  • Switch between them to show different approaches
  • Click through workflows to show real-time status
  • Highlight specific features relevant to your audience

💡 Pro Tips

  • Show failed workflows to demonstrate quality gates
  • Point out recent security findings
  • Explain how these patterns apply to your organization
  • Ask questions about specific implementation details

Questions for Discussion

💭 Consider These Points

  • Which security features are most important for your compliance needs?
  • How can you implement similar CI/CD patterns in your projects?
  • What training do your teams need to adopt these practices?
  • Which workflows would provide the most value for your organization?

🎯 Next Steps

  • Review these repositories before your session
  • Identify specific features you want to explore
  • Prepare questions about implementation
  • Think about your current development practices

Ready to Explore C++ Examples?

Let’s dive into Protocol Buffers and Windows Terminal to see enterprise-grade GitHub workflows in action!

Cross-Language Repository Examples - Live GitHub Demos

Real-world examples of GitHub Enterprise features across multiple programming languages

Demo Overview

🎯 What We’ll Explore

  • Homebrew - macOS package manager core (Ruby)
  • Terraform - Infrastructure-as-Code engine (Go)
  • Real GitHub Actions workflows across different languages
  • Advanced Security features and enterprise patterns

🔍 Demo Strategy

  • Click through live repositories during the session
  • Show actual workflows running in real-time
  • Highlight security features that matter to your organization

1. Homebrew - Homebrew/brew

πŸ—οΈ What It Is

  • macOS package manager core written in Ruby
  • CLI and core logic for Homebrew
  • Widely used by developers and system administrators

📋 GitHub Actions Workflows

🔒 Security Features

🔍 What to Click During Demo

  1. Open Actions tab → github.com/Homebrew/brew/actions
  2. Click on “CodeQL Analysis” workflow
  3. Show recent runs and security findings
  4. Demonstrate extensive security scanning history

2. Terraform - hashicorp/terraform

πŸ—οΈ What It Is

  • Infrastructure-as-Code engine written in Go
  • Plan/apply IaC tool used globally
  • Enterprise-grade infrastructure management

📋 GitHub Actions Workflows

🔒 Security Features

🔍 What to Click During Demo

  1. Open Actions tab → github.com/hashicorp/terraform/actions
  2. Show workflow diversity (backport assistants, build, checks)
  3. Highlight “Dependabot Updates” workflow
  4. Show the build and release workflows; for a tool like Terraform, “deployment” means building and publishing release binaries, not deploying a running service

Cross-Language Examples - Key Takeaways

✅ What These Repositories Demonstrate

  • Production-scale CI/CD with GitHub Actions
  • Security-first development with CodeQL integration
  • Automated dependency management with Dependabot
  • Enterprise-grade workflows you can replicate

🎯 Features to Highlight

  • Security scanning on every push and pull request
  • Automated quality gates before merging
  • Comprehensive testing across multiple environments
  • Professional release management processes

Demo Navigation Tips

🚀 During the Session

  • Have both repositories open in separate tabs
  • Switch between them to show different approaches
  • Click through workflows to show real-time status
  • Highlight specific features relevant to your audience

💡 Pro Tips

  • Show failed workflows to demonstrate quality gates
  • Point out recent security findings
  • Explain how these patterns apply to your organization
  • Ask questions about specific implementation details

Questions for Discussion

💭 Consider These Points

  • Which security features are most important for your compliance needs?
  • How can you implement similar CI/CD patterns in your projects?
  • What training do your teams need to adopt these practices?
  • Which workflows would provide the most value for your organization?

🎯 Next Steps

  • Review these repositories before your session
  • Identify specific features you want to explore
  • Prepare questions about implementation
  • Think about your current development practices

Ready to Explore Cross-Language Examples?

Let’s dive into Homebrew and Terraform to see enterprise-grade GitHub workflows in action!

12 Repository Demos - Real GitHub Examples

Live demonstrations using actual public repositories

Demo Overview

🎯 What We’ll Cover

  • 12 popular repositories across different programming languages
  • Real GitHub Actions workflows and CI/CD pipelines
  • Advanced Security features like CodeQL and Dependabot
  • Production-ready patterns you’ll see in enterprise environments

🔍 Demo Strategy

  • Click through live repositories during the session
  • Show actual workflows running in real-time
  • Highlight security features that matter to your organization
  • Demonstrate best practices you can implement

Java Examples

1. Spring Boot - spring-projects/spring-boot

2. OpenSearch - opensearch-project/OpenSearch

Python Examples

3. Pandas - pandas-dev/pandas

4. Requests - psf/requests

Go Examples

5. Cobra - spf13/cobra

6. GolangCI-Lint - golangci/golangci-lint

Node.js / TypeScript Examples

7. Next.js - vercel/next.js

8. Playwright - microsoft/playwright

C++ Examples

9. Protocol Buffers - protocolbuffers/protobuf

10. Windows Terminal - microsoft/terminal

  • What it is: Modern terminal emulator for Windows
  • Demo highlights:

Cross-Language Examples

11. Homebrew - Homebrew/brew

12. Terraform - hashicorp/terraform

Demo Navigation Guide

🔍 What to Click During Demos

Actions Tab

  • Open one of the listed workflows (build/test/release)
  • Show CodeQL runs where available
  • Example: Spring Boot’s “Run CodeQL Analysis”

Dependabot Configuration

  • Open .github/dependabot.yml files
  • Show how update ecosystems/schedules are defined
  • Jump to “Dependabot Updates” workflow in Actions

Security β†’ Code Scanning

  • Point out CodeQL alerts and results
  • Show how workflows tie to security findings
  • Demonstrate real-time security monitoring

Why These 12 Repositories?

βœ… Selection Criteria

  • Popularity & Activity: Highly starred, very active repositories
  • Language Coverage: 2+ each in Java, Python, Go, Node/TS, C++
  • Security Features: Most show CodeQL in use
  • Automation: All include GitHub Actions
  • Dependency Management: Many have Dependabot configurations

🎯 Real-World Value

  • Production patterns that won’t look “toy”
  • Enterprise-scale workflows you can replicate
  • Security best practices for compliance
  • CI/CD patterns for modern development

Demo Session Flow

πŸ“‹ Session Structure

  1. Quick overview of each repository
  2. Live navigation through selected examples
  3. Feature demonstration (Actions, Security, Dependabot)
  4. Q&A on implementation details
  5. Next steps for your organization

πŸš€ Interactive Elements

  • Click through workflows in real-time
  • Show actual security alerts and findings
  • Demonstrate approval processes and quality gates
  • Highlight compliance features relevant to your needs

Getting Started

All repositories are publicly accessible at:

  • https://github.com/[organization]/[repository]

πŸ“± During the Demo

  • Follow along on your own device
  • Ask questions about specific features
  • Take notes on what’s most relevant to your role
  • Think about how these patterns apply to your projects

Questions & Discussion

πŸ’­ What to Consider

  • Which features are most important for your organization?
  • What compliance requirements do you need to meet?
  • How can you implement similar workflows?
  • What training or resources do your teams need?

🎯 Next Steps

  • Review the repositories before the session
  • Identify specific features you want to explore
  • Prepare questions about implementation
  • Think about your organization’s current state

Ready to Explore?

Let’s dive into real GitHub repositories and see these features in action!


GitHub Actions (CI/CD) for Non-Engineers

What is CI/CD?

πŸ”„ CI/CD = Continuous Integration / Continuous Deployment

  • Continuous Integration: Automatically test every change
  • Continuous Deployment: Automatically deploy when tests pass
  • Goal: Catch problems early and deploy safely

🎯 In Plain English

Think of it as an automated checklist that runs every time someone makes a change to your software.

GitHub Actions: The Automation Engine

βš™οΈ What It Is

  • YAML files that define automated workflows
  • Triggers that start the automation (push, PR, schedule)
  • Jobs that run the actual work
  • Runners where the work happens

πŸš€ What It Does

  • Builds your software automatically
  • Tests everything before deployment
  • Deploys to different environments
  • Notifies teams of results

How Workflows Work

πŸ“‹ The Recipe (Workflow File)

name: Build and Deploy
on: [push, pull_request]
permissions:
  contents: read               # least privilege for the job's GITHUB_TOKEN
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run tests
        run: make test           # project-specific commands (assumed here)
      - name: Build software
        run: make build
      - name: Deploy to staging
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: ./deploy.sh staging # never deploy from a pull_request run: it may come from a fork

πŸ”„ The Execution

  1. Trigger: Someone pushes code or creates a PR
  2. Setup: GitHub starts a runner (virtual machine)
  3. Execution: Each step runs in order
  4. Results: Success/failure reported back

Triggers: When Automation Runs

🎯 Push to Branch

  • Every code change triggers automation
  • Immediate feedback on what was broken
  • Fast iteration and problem detection

πŸ”„ Pull Request

  • Before merging to catch issues
  • Quality gates prevent bad code
  • Required checks must pass

⏰ Scheduled Runs

  • Regular maintenance (security scans, updates)
  • Performance monitoring over time
  • Compliance checks on schedule

Runners: Where Work Happens

☁️ GitHub-Hosted Runners

  • GitHub-managed virtual machines, created fresh for each job and discarded afterwards
  • Always available with current tool images
  • Good for most development work
  • Cannot reach your private network, and a job only sees the secrets the workflow is granted

🏒 Self-Hosted Runners

  • Your own servers or cloud instances
  • Full network access to internal systems
  • Custom hardware for specific needs
  • Control over security and compliance

Jobs & Steps: The Work Breakdown

πŸ“¦ Jobs

  • Independent units of work
  • Can run in parallel for speed
  • Different environments (Windows, Linux, macOS)
  • Resource allocation (CPU, memory, time)

πŸ”§ Steps

  • Individual actions within a job
  • Run in sequence (one after another)
  • Can fail independently: a failing step stops the rest of the job unless it is marked continue-on-error
  • Reusable actions for common tasks

Quality Gates & Checks

🚦 Automated Testing

  • Unit tests: Does each piece work correctly?
  • Integration tests: Do pieces work together?
  • End-to-end tests: Does the whole system work?
  • Performance tests: Is it fast enough?

πŸ”’ Security Scanning

  • Vulnerability detection in code
  • Dependency scanning for known issues
  • Secret detection (passwords, keys)
  • License compliance checking

Environments: Deployment Stages

πŸ—οΈ Development

  • Latest changes from development
  • Frequent updates (multiple times per day)
  • Basic testing and validation
  • Quick feedback for developers

πŸ§ͺ Staging/Testing

  • Production-like environment
  • User acceptance testing (UAT)
  • Performance testing and validation
  • Final approval before production

πŸš€ Production

  • Live system used by real users
  • Stable releases only
  • Required approvals before deployment
  • Rollback capability if issues arise

Environment Protection

πŸ” Required Reviewers

  • Specific people must approve deployments
  • Role-based approvals (security, business, ops)
  • No bypass of approval process
  • Audit trail of who approved what

⏱️ Wait Timers

  • Delay before deployment (e.g., 24 hours)
  • Change management compliance
  • Emergency override with justification
  • Notification to stakeholders

πŸ”‘ Secrets Management

  • Environment-specific credentials
  • No hardcoded passwords or keys in workflow files or source
  • Rotation is the owner’s job: GitHub stores a secret until you replace it and does not rotate it for you; OIDC (next slide) avoids long-lived secrets altogether
  • Access control by role and environment

Cloud Access: OIDC (OpenID Connect)

πŸ” What is OIDC?

  • Short-lived tokens instead of long-lived secrets
  • Nothing to rotate: the credentials expire on their own within minutes to hours
  • Least privilege access to cloud resources, scoped to one repository, branch or environment
  • No cloud secret stored in GitHub at all

☁️ How It Works

  1. GitHub issues the workflow job a signed identity token (a JWT) naming the repository, the branch or environment, and the event that started the run (the job must be granted permissions: id-token: write)
  2. The workflow presents that token to the cloud provider, which checks GitHub’s signature and a trust policy you wrote (which repository or environment may assume which role)
  3. The cloud provider issues temporary credentials and the workflow uses them for its cloud operations
  4. The credentials expire automatically after a short, fixed lifetime, whether or not the job used them
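
The trust policy in step 2 is where OIDC setups go wrong, so here is the claims check a cloud provider performs, written out as an added example (not GitHub’s or any cloud provider’s code). It assumes the token’s signature has already been verified against GitHub’s published keys; the claim names are the ones GitHub puts in the token, while the repository acme/shop, the audience value and the 300 s lifetime are assumptions for the demo. It also evaluates a deliberately broad policy to show why the subject must be pinned to a protected environment:

```python
"""Trust-policy check for a GitHub Actions OIDC token, as a cloud provider applies
it before handing out short-lived credentials.

Added example; not code from GitHub or any cloud provider. It assumes the JWT
signature has already been verified against GitHub's published signing keys
(the provider always does that first). What is shown is the claims policy,
and above all the `sub` pinning that decides WHICH workflow runs may assume
the role. Claim names (iss, aud, sub, exp, repository, ref, event_name) are
GitHub's; the repository acme/shop, the audience value and the 300 s lifetime
are assumptions for the demo.
"""
import fnmatch
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def check_oidc_claims(claims, expected_audience, allowed_subjects, now=None):
    """Return (ok, reason). `allowed_subjects` are glob patterns matched against `sub`."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "issuer is not GitHub Actions"
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    sub = claims.get("sub", "")
    if not any(fnmatch.fnmatchcase(sub, pattern) for pattern in allowed_subjects):
        return False, f"subject {sub!r} is not trusted by the policy"
    return True, "ok"


def make_claims(sub, issued_at, audience="sts.amazonaws.com"):
    """Constructed token payload in the shape GitHub issues (signature omitted)."""
    return {
        "iss": GITHUB_ISSUER,
        "aud": audience,
        "sub": sub,                       # e.g. repo:acme/shop:environment:production
        "repository": sub.split(":")[1],
        "ref": "refs/heads/main",
        "event_name": "pull_request" if sub.endswith(":pull_request") else "push",
        "iat": issued_at,
        "exp": issued_at + 300,           # short-lived; 300 s assumed for the demo
    }


# Pins the repository AND the protected environment: only a job that passed the
# production environment's required reviewers can obtain production credentials.
STRICT_POLICY = ["repo:acme/shop:environment:production"]

# The shortcut an operator might write to "save time": every workflow in the
# org, including a pull_request run, would be handed production credentials.
BROAD_POLICY = ["repo:acme/*"]


def demo(now=1_700_000_000):
    """Evaluate three constructed tokens against both policies; returns {label: ok}."""
    prod_deploy = make_claims("repo:acme/shop:environment:production", now)
    pr_run = make_claims("repo:acme/shop:pull_request", now)
    stale = make_claims("repo:acme/shop:environment:production", now - 7200)
    return {
        "strict/prod-deploy": check_oidc_claims(prod_deploy, "sts.amazonaws.com", STRICT_POLICY, now)[0],
        "strict/pr-run": check_oidc_claims(pr_run, "sts.amazonaws.com", STRICT_POLICY, now)[0],
        "strict/expired": check_oidc_claims(stale, "sts.amazonaws.com", STRICT_POLICY, now)[0],
        "broad/pr-run": check_oidc_claims(pr_run, "sts.amazonaws.com", BROAD_POLICY, now)[0],
    }
```

Run demo() and compare the two policies: the strict policy admits only the production deployment token and rejects the pull-request run and the expired token, while the broad "repo:acme/*" policy also admits the pull-request run, which is exactly the case where a contributor’s PR would receive production credentials.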

Real-World Example: Website Deployment

πŸ“ Developer Workflow

  1. Write code for new feature
  2. Push to branch β†’ triggers workflow
  3. Automated tests run and pass
  4. Deploy to staging automatically
  5. Create PR for review

πŸ‘₯ Stakeholder Review

  1. Business review of feature
  2. Security review of changes
  3. User acceptance testing in staging
  4. Approval for production deployment

πŸš€ Production Deployment

  1. Merge PR to main branch
  2. Production workflow triggers
  3. Required approvals collected
  4. Deploy to production with rollback plan

Benefits for Non-Engineers

🎯 Transparency

  • See exactly what’s being deployed
  • Track progress through each stage
  • Identify blockers early in the process
  • Understand what went wrong

πŸ›‘οΈ Control

  • Approve deployments you own
  • Set quality standards for your systems
  • Enforce compliance requirements
  • Control timing of changes

πŸ“ˆ Efficiency

  • Automated processes reduce delays
  • Consistent deployment across environments
  • Quick rollback if problems arise
  • Reduced manual errors

Common Questions

❓ “What if automation fails?”

  • Manual override available for emergencies
  • Detailed logs show exactly what failed
  • Rollback to previous working version
  • Team notification of issues

❓ “How do I know what’s deployed?”

  • Release notes for each deployment
  • Environment status pages
  • Deployment history with timestamps
  • Change tracking from code to production

Next: GitHub Advanced Security (GHAS)

GitHub Advanced Security (GHAS)

Security: Find Issues Early, Block Risky Changes

🎯 The Goal

  • Catch problems before they reach production
  • Automated detection of security issues
  • Policy enforcement to prevent bad changes
  • Continuous monitoring of your codebase

🚫 What We Block

  • Vulnerable code with known security issues
  • Secrets and credentials accidentally committed
  • Outdated dependencies with security holes
  • License violations that create legal risk

The Three Pillars of GHAS

πŸ” 1. Code Scanning (CodeQL)

  • Automated analysis of your source code on every push and pull request
  • Semantic analysis that follows untrusted input through the code to dangerous operations, not just text pattern matching
  • Findings classified by weakness type (CWE) and severity; known-vulnerable packages are Dependabot’s job, not CodeQL’s
  • PR blocking when the code scanning check is a required status check and a finding meets the failure threshold

πŸ” 2. Secret Scanning + Push Protection

  • Detects credentials before they reach GitHub: the push is checked, not the local commit
  • Blocks pushes containing recognised secret formats
  • Bypass only with a recorded justification, which is logged and reviewable
  • For partner-issued tokens, the issuing provider is notified so the leaked credential can be revoked

πŸ“¦ 3. Dependency Management

  • Dependabot alerts for known vulnerabilities
  • Automated updates to secure versions
  • Supply chain security monitoring
  • License compliance checking

Code Scanning: How It Works

πŸ” The Process

  1. Code is written and committed
  2. Automated analysis runs on every change
  3. Security patterns are identified
  4. Issues are reported with severity levels
  5. PRs are blocked when the code scanning check is required and a finding meets the failure threshold

πŸ“Š What It Finds

  • SQL injection vulnerabilities
  • Cross-site scripting (XSS) issues
  • Buffer overflow problems
  • Authentication bypass weaknesses
  • Input validation failures

Code Scanning: Real Example

🚨 Vulnerability Found

// ❌ UNSAFE CODE: userId is pasted into the SQL text, so input such as
//    "1 OR 1=1" changes the query instead of being treated as a value
const query = "SELECT * FROM users WHERE id = " + userId;
const rows = await db.query(query);

βœ… Safe Alternative

// βœ… SAFE CODE: a placeholder plus a parameter list; the driver sends userId
//    as data, so it can never be interpreted as SQL (db = a parameterized driver, assumed)
const query = "SELECT * FROM users WHERE id = ?";
const params = [userId];
const rows = await db.query(query, params);

πŸ“‹ What Happens

  1. CodeQL detects the SQL injection pattern
  2. Alert is created with severity HIGH
  3. PR is blocked from merging
  4. Developer fixes the issue
  5. New scan confirms the fix

Secret Scanning: Preventing Credential Leaks

πŸ”‘ What It Detects

  • API keys and access tokens
  • Database passwords and connection strings
  • Cloud credentials (AWS, Azure, GCP)
  • SSH private keys and certificates
  • OAuth secrets and client IDs

🚫 Push Protection

  • Blocks pushes containing secrets
  • Immediate feedback to developers
  • Prevents accidental credential exposure
  • Policy override with business justification

Secret Scanning: Real Example

🚨 Accidental Secret Commit

# Developer accidentally commits this:
echo "DATABASE_PASSWORD=super_secret_123" >> .env
git add .env
git commit -m "Add database configuration"
git push origin feature-branch

πŸ›‘οΈ What Happens

  1. Push protection scans the pushed commits; the string is caught if it matches a supported token format or a custom pattern your organisation defined (a generic password like this one needs a custom pattern, which is why the default provider patterns alone are not enough)
  2. Push is blocked with an error naming the commit, file and line
  3. Developer rewrites the commit so the secret is gone from history; a follow-up commit that deletes the line is not enough, because the earlier commit would still be pushed
  4. The credential is rotated anyway: it already sat in a commit on the developer’s machine
  5. Push succeeds, and .env is added to .gitignore so it cannot happen again
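
To make the difference between provider patterns and custom patterns concrete, here is a push-time check over the diff from the slide above, added as an example (it is not GitHub’s scanner). The provider patterns are the publicly documented token shapes for AWS access key IDs and classic GitHub personal access tokens plus a private-key header, without the checksum real GitHub tokens carry; the custom pattern, the sample diff and the key in it (AWS’s documented example key) are constructed for the demo:

```python
"""Push-time secret check over a git diff, in the spirit of push protection.

Added example; it is not GitHub's scanner. The provider patterns are the
publicly documented shapes of two token types (AWS access key IDs, classic
GitHub personal access tokens) plus a private-key header; the checksum real
GitHub tokens carry is not validated, so this is a simplified model. The
custom pattern, the sample diff and the key in it (AWS's documented example
key) are constructed for the demo.
"""
import re

# Provider-style patterns: fixed token formats with a low false-positive rate.
PROVIDER_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# An organisation-defined pattern: a plain password in an env-style file has no
# recognisable token shape, so only a custom rule can catch it.
CUSTOM_PATTERNS = {
    "custom_database_password": re.compile(r"(?i)\bDATABASE_PASSWORD\s*=\s*\S+"),
}


def added_lines(diff_text):
    """Yield (line number in the new file, text) for every '+' line of a unified diff."""
    line_no, in_hunk = 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)            # new-file start line from the hunk header
            line_no, in_hunk = (int(m.group(1)) - 1 if m else 0), True
        elif not in_hunk:
            continue                                  # file headers and other metadata
        elif raw.startswith("diff "):
            in_hunk = False                           # next file starts; wait for its hunk header
        elif raw.startswith("+"):
            line_no += 1
            yield line_no, raw[1:]
        elif raw.startswith(" "):
            line_no += 1                              # unchanged context line


def scan_diff(diff_text, patterns):
    """Return [{line, rule, excerpt}] for every added line that matches a rule."""
    findings = []
    for line_no, text in added_lines(diff_text):
        for rule, regex in patterns.items():
            match = regex.search(text)
            if match:
                findings.append({"line": line_no, "rule": rule,
                                 "excerpt": match.group(0)[:6] + "..."})   # never echo the whole secret
    return findings


# Constructed diff: the accidental .env commit from the slide above.
SAMPLE_DIFF = """\
diff --git a/.env b/.env
new file mode 100644
--- /dev/null
+++ b/.env
@@ -0,0 +1,3 @@
+# local settings
+DATABASE_PASSWORD=super_secret_123
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
"""
```

Calling scan_diff(SAMPLE_DIFF, PROVIDER_PATTERNS) reports only the AWS key on line 3; the database password on line 2 goes through untouched until the custom pattern is added to the rule set, which is the point the slide makes about generic passwords.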

Dependency Management: Supply Chain Security

πŸ“¦ What Dependabot Monitors

  • Direct dependencies you explicitly install
  • Transitive dependencies (dependencies of dependencies)
  • Known vulnerabilities from security databases
  • License compliance and legal requirements
  • Outdated packages with security patches

πŸ”„ Automated Updates

  • Security patches arrive as pull requests that still go through your review and checks (auto-merge is an opt-in policy, not the default)
  • Minor updates for bug fixes
  • Major updates with breaking changes, clearly labelled so reviewers look harder
  • Updates that cannot be applied cleanly are reported rather than forced; a human resolves the conflict

Dependency Management: Real Example

🚨 Vulnerable Dependency Found

Package: lodash
Version: 4.17.15
Vulnerability: CVE-2021-23337
Severity: HIGH
Description: Command injection through the template function (fixed in 4.17.21)

πŸ”§ What Happens

  1. Dependabot creates a PR with the fix
  2. Automated tests run on the new version
  3. Security team reviews the change
  4. PR is merged after approval
  5. Dependency is updated automatically

Security Alerts Dashboard

πŸ“Š What You’ll See

  • Total alerts by severity (Critical, High, Medium, Low)
  • Trends over time (improving or getting worse)
  • Top repositories with security issues
  • Dependency vulnerabilities by type
  • Secret scanning results and status

🎯 How to Use It

  • Daily check for new critical issues
  • Weekly review of medium/high issues
  • Monthly analysis of security trends
  • Quarterly reporting to stakeholders

Security Policies & Enforcement

πŸ“‹ Policy Types

  • Required reviewers for security changes
  • Automated blocking of critical vulnerabilities
  • Secret scanning enforcement levels
  • Dependency update requirements
  • License compliance rules

🚦 Enforcement Levels

  • Block: Changes cannot proceed
  • Warn: Changes proceed with warnings
  • Allow: No restrictions (not recommended)

Security Team Workflow

πŸ” Daily Activities

  1. Review new alerts by severity
  2. Triage issues by impact and exploitability
  3. Assign fixes to appropriate teams
  4. Track remediation progress
  5. Update stakeholders on status

πŸ“ˆ Weekly Activities

  1. Analyze trends in security findings
  2. Review policy effectiveness
  3. Plan security initiatives based on data
  4. Coordinate with development teams
  5. Report to management on security posture

Business Benefits of GHAS

πŸ’° Cost Reduction

  • Early detection prevents expensive fixes
  • Automated scanning reduces manual effort
  • Faster remediation with clear guidance
  • Reduced risk of security incidents

πŸš€ Speed & Agility

  • Confidence to deploy changes quickly
  • Automated security doesn’t slow development
  • Clear guidance on how to fix issues
  • Integration with existing workflows

πŸ›‘οΈ Risk Management

  • Proactive security instead of reactive
  • Compliance with security standards
  • Audit trail for security decisions
  • Stakeholder confidence in security posture

Common Security Questions

❓ “What if we can’t fix a vulnerability immediately?”

  • Risk assessment to understand impact
  • Mitigation strategies to reduce exposure
  • Timeline for remediation
  • Business justification for delay

❓ “How do we handle false positives?”

  • Policy overrides with justification
  • Custom rules for your specific needs
  • Feedback loop to improve detection
  • Documentation of decisions

Next: Governance & Compliance Essentials

Governance & Compliance Essentials

Controls You’ll Care About

🎯 The Goal

  • Enforce policies automatically
  • Prevent unauthorized changes
  • Maintain compliance with regulations
  • Provide audit trails for everything

πŸ›‘οΈ What We Control

  • Who can make changes to what
  • What changes are allowed to proceed
  • How changes are reviewed and approved
  • When changes can be deployed

Branch Protection: The First Line of Defense

🚫 What It Prevents

  • Direct pushes to main/master branch
  • Merging without required reviews
  • Merging with failing checks
  • Force pushes that overwrite history
  • Deletion of protected branches

βœ… What It Enforces

  • Required reviews from specific people
  • Required status checks must pass
  • Linear history (no merge commits)
  • Signed commits for authenticity
  • Up-to-date branches before merge

Branch Protection: Real Example

🚨 Attempted Bypass

Developer tries to push directly to main:
git push origin main

Result: Push rejected
remote: error: GH006: Protected branch update failed for refs/heads/main.
Reason: Branch protection rule requires changes to arrive through a pull request

βœ… Proper Process

1. Create feature branch
2. Make changes
3. Create Pull Request
4. Get required reviews
5. Pass all checks
6. Merge to main

CODEOWNERS: Automatic Reviewer Assignment

πŸ‘₯ What It Does

  • Automatically assigns reviewers based on file paths
  • Ensures the right people review the right changes
  • Prevents bypassing required reviews
  • Documents ownership of different parts of the code

πŸ“ How It Works

# Example CODEOWNERS file
# Teams are written @org/team (org "acme" assumed here); a bare @name means a single user.
# When several lines match a file, the LAST matching line wins, so the
# security rule goes at the bottom where nothing can override it.
*.js            @acme/frontend-team
*.py            @acme/backend-team
*.md            @acme/documentation-team
# Trailing slash: every file under the directory, including subfolders.
# "/infra/*" would only cover files directly inside infra/.
/infra/         @acme/devops-team
/security/      @acme/security-team

CODEOWNERS: Real Example

Developer modifies: /security/authentication.js

Result: @security-team automatically assigned
Reason: File is under /security/, and that rule is the last match in CODEOWNERS, so it overrides the general *.js rule

πŸ“‹ What Happens

  1. PR is created with security changes
  2. @security-team automatically assigned
  3. Security review required before merge
  4. No bypass of security review process
  5. Audit trail shows who approved what
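
Because "last match wins" is what makes or breaks the review guarantee above, here is a resolver that applies the documented CODEOWNERS rules to a changed file, added as an example (not GitHub’s implementation). The org "acme", the team names and the two sample CODEOWNERS files are constructed for the demo; the second file has the Markdown rule placed after the security rule, which silently removes the security team from security/README.md:

```python
"""Resolve which CODEOWNERS line applies to a changed file.

Added example; not GitHub's implementation. It models the documented rules a
reviewer relies on: gitignore-style patterns; a leading "/" (or a "/" inside
the pattern) anchors it at the repository root; a trailing "/" means every
file under a directory of that name; a wildcard name such as "docs/*" matches
files directly in that directory but not deeper ones; and when several lines
match, the LAST one wins. The org "acme", the team names and the two sample
files are constructed for the demo.
"""
import re


def _compile(pattern):
    """Translate one CODEOWNERS pattern into a regex over repo-relative paths."""
    anchored = pattern.startswith("/") or "/" in pattern.strip("/")
    dir_only = pattern.endswith("/")
    body = pattern.strip("/")
    regex, i = "", 0
    while i < len(body):
        if body.startswith("**", i):
            regex, i = regex + ".*", i + 2            # ** crosses directory boundaries
        elif body[i] == "*":
            regex, i = regex + "[^/]*", i + 1         # * stays within one path segment
        elif body[i] == "?":
            regex, i = regex + "[^/]", i + 1
        else:
            regex, i = regex + re.escape(body[i]), i + 1
    prefix = "^" if anchored else "^(?:.*/)?"
    last_segment = body.rsplit("/", 1)[-1]
    if dir_only:
        suffix = "/.+$"                               # everything under the directory
    elif "*" in last_segment or "?" in last_segment:
        suffix = "$"                                  # wildcard names match files only, not subtrees
    else:
        suffix = "(?:/.*)?$"                          # a bare name covers a file or a whole directory
    return re.compile(prefix + regex + suffix)


def parse_codeowners(text):
    """Return [(pattern, compiled regex, [owners])] in file order; '#' lines are comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *owners = line.split()
        rules.append((pattern, _compile(pattern), owners))
    return rules


def owners_for(rules, path):
    """Owners of `path` (repo-relative, no leading slash): the last matching line wins."""
    owners = []
    for _pattern, regex, rule_owners in rules:
        if regex.search(path):
            owners = rule_owners                      # a later line overrides an earlier match
    return owners


# Constructed: the slide's file with org-qualified teams and recursive directory rules.
GOOD_ORDER = """
*.js          @acme/frontend-team
*.py          @acme/backend-team
*.md          @acme/documentation-team
/infra/       @acme/devops-team
/security/    @acme/security-team
"""

# Constructed: same owners, but the Markdown rule placed after the security rule.
# Now a file such as security/README.md needs only the documentation team.
BAD_ORDER = """
*.js          @acme/frontend-team
/security/    @acme/security-team
*.md          @acme/documentation-team
"""
```

owners_for(parse_codeowners(GOOD_ORDER), "security/authentication.js") returns the security team, as the slide describes; the same call on BAD_ORDER for security/README.md returns only the documentation team, and a rule written as /infra/* instead of /infra/ leaves infra/modules/vpc.tf with no owner at all. Both are review bypasses that a quick script like this catches before the PR does.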

Protected Environments: Production Safety

πŸš€ What Environments Are Protected

  • Production: Live systems used by customers
  • Staging: Pre-production testing environment
  • UAT: User acceptance testing environment
  • Development: Early development and testing

πŸ” Protection Features

  • Required reviewers for deployments
  • Wait timers before deployment
  • Restricted access to production secrets
  • Deployment history and audit logs

Protected Environments: Real Example

🚨 Attempted Production Deployment

Developer tries to deploy to production:
- No required approvals collected
- Wait timer not satisfied
- Missing change ticket reference (checked by a custom deployment protection rule, since GitHub has no built-in ticket field)

Result: Deployment blocked

βœ… Proper Production Deployment

1. Collect required approvals
2. Wait for timer to expire
3. Reference change ticket
4. Deploy with full audit trail
5. Monitor deployment success

SSO/SAML & SCIM: Identity Management

πŸ” Single Sign-On (SSO)

  • One login for all GitHub access
  • Company credentials (Active Directory, Okta, etc.)
  • Multi-factor authentication (MFA) enforcement
  • Session management and timeout controls

πŸ‘₯ SCIM Provisioning

  • Automatic user creation when hired
  • Automatic team assignment based on role
  • Automatic deprovisioning when leaving
  • Role-based access control

Identity Management: Real Example

πŸ†• New Employee Onboarding

1. HR creates user in Active Directory
2. SCIM automatically creates GitHub account
3. User assigned to appropriate teams
4. Access granted based on role
5. User can login with company credentials

πŸšͺ Employee Departure

1. HR deactivates user in Active Directory
2. SCIM automatically removes GitHub access
3. Organization membership, team access and SSO-authorized tokens are removed; credentials the person could have seen are rotated
4. Audit trail shows access removal
5. No manual cleanup required

Audit Logs & Streaming: Complete Visibility

πŸ“œ What Gets Logged

  • Repository access and changes
  • Authentication events (login, logout)
  • Permission changes and assignments
  • Secret creation, update and removal (never the values themselves, and a workflow reading a secret is not an audit event)
  • Deployment and environment changes

πŸ” How to Use Audit Logs

  • Export to SIEM (Splunk, ELK, etc.)
  • Real-time monitoring for suspicious activity
  • Compliance reporting for auditors
  • Incident investigation and forensics

Audit Logs: Real Example

🚨 Suspicious Activity Detected

Audit log shows:
- User changed production environment secrets at 2 AM
- User normally works 9 AM - 5 PM
- Access from an IP address outside the user’s usual networks
- Multiple failed login attempts just before the successful one

πŸ” Investigation Process

1. Review audit logs for the user
2. Check IP address geolocation
3. Verify with user about access
4. Revoke access if compromised
5. Document incident and response
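
The investigation above starts from a rule that someone has to write, so here is the triage step over a handful of audit-log events, added as an example (not GitHub’s code and not a SIEM rule from any vendor). The events are constructed to mirror the JSON export of the GitHub audit log (@timestamp in epoch milliseconds, action, actor, actor_ip); the action names in the sensitive list and the per-actor baseline (usual UTC working hours, known source networks) are assumptions for the demo:

```python
"""Triage of GitHub audit-log events for the 'suspicious activity' pattern above.

Added example, not GitHub's code. Input events are constructed to mirror the
JSON export of the GitHub audit log (`@timestamp` in epoch milliseconds,
`action`, `actor`, `actor_ip`); the sensitive action names and the per-actor
baseline (usual UTC working hours, known source networks) are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Changes worth flagging on their own when they happen off-hours (assumed names).
SENSITIVE_ACTIONS = {
    "environment.update_actions_secret",
    "environment.create_actions_secret",
    "environment.update_protection_rule",
    "protected_branch.destroy",
}


def ts_ms(iso):
    """'2024-03-05T02:00:00Z' -> epoch milliseconds, as the audit log exports it."""
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp() * 1000)


def triage(events, baseline, failed_login_threshold=3):
    """Return {actor: [reasons]} for every actor whose events look anomalous."""
    findings = defaultdict(list)
    failed = defaultdict(int)

    def note(actor, reason):
        if reason not in findings[actor]:
            findings[actor].append(reason)

    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        actor, action = ev["actor"], ev["action"]
        when = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
        profile = baseline.get(actor, {})

        # 1. Source network: anything outside the actor's known ranges is notable.
        ip = ipaddress.ip_address(ev["actor_ip"])
        known = [ipaddress.ip_network(n) for n in profile.get("networks", [])]
        if known and not any(ip in net for net in known):
            note(actor, f"activity from unknown network {ip}")

        # 2. Brute-force pattern: N failed logins followed by a success.
        if action == "user.failed_login":
            failed[actor] += 1
            if failed[actor] == failed_login_threshold:
                note(actor, f"{failed_login_threshold} consecutive failed logins")
            continue
        if action == "user.login":
            if failed[actor] >= failed_login_threshold:
                note(actor, "successful login after repeated failures")
            failed[actor] = 0
            continue

        # 3. Sensitive change outside the actor's usual hours.
        start, end = profile.get("work_hours_utc", (0, 24))
        if action in SENSITIVE_ACTIONS and not (start <= when.hour < end):
            note(actor, f"{action} at {when:%H:%M} UTC, outside {start:02d}:00-{end:02d}:00")
    return dict(findings)


# Constructed sample: alice normally works 09:00-17:00 UTC from the office range.
BASELINE = {"alice": {"work_hours_utc": (9, 17), "networks": ["203.0.113.0/24"]}}

SAMPLE_EVENTS = [
    {"@timestamp": ts_ms("2024-03-05T09:30:00Z"), "action": "repo.create",
     "actor": "alice", "actor_ip": "203.0.113.10", "repo": "acme/shop"},
    {"@timestamp": ts_ms("2024-03-06T02:00:00Z"), "action": "user.failed_login",
     "actor": "alice", "actor_ip": "198.51.100.7"},
    {"@timestamp": ts_ms("2024-03-06T02:00:20Z"), "action": "user.failed_login",
     "actor": "alice", "actor_ip": "198.51.100.7"},
    {"@timestamp": ts_ms("2024-03-06T02:00:40Z"), "action": "user.failed_login",
     "actor": "alice", "actor_ip": "198.51.100.7"},
    {"@timestamp": ts_ms("2024-03-06T02:01:00Z"), "action": "user.login",
     "actor": "alice", "actor_ip": "198.51.100.7"},
    {"@timestamp": ts_ms("2024-03-06T02:04:00Z"), "action": "environment.update_actions_secret",
     "actor": "alice", "actor_ip": "198.51.100.7", "repo": "acme/shop"},
]
```

triage(SAMPLE_EVENTS, BASELINE) returns four distinct reasons for alice (unknown network, three failed logins, a success right after them, and a production secret change at 02:04 UTC), while the daytime event alone produces nothing. In a real deployment the baseline comes from the actor’s own history and the events arrive through audit log streaming into the SIEM; the logic stays the same.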

Permissions & Secrets Hygiene

πŸ”‘ Repository-Level Permissions

  • Read: Can view code and issues
  • Triage: Can manage issues and PRs without write access to code
  • Write: Can push to unprotected branches and open PRs
  • Maintain: Can manage most repository settings, but not destructive or sensitive ones
  • Admin: Can manage all settings, access and protection rules (listed least to most privileged)

πŸ” Environment-Level Secrets

  • Scoped by environment (dev, staging, prod)
  • Role-based access to sensitive data
  • Rotation by the credential’s owner, or OIDC so there is nothing stored to rotate
  • Audit trail of secret usage

Secrets Management: Real Example

πŸ”‘ Database Credentials

Development Environment:
- Database: dev-db.company.com
- Username: dev_user
- Password: dev_password_123

Production Environment:
- Database: prod-db.company.com
- Username: prod_user
- Password: [automatically rotated]

πŸ›‘οΈ Access Control

- Dev team: Can manage dev secrets
- Ops team: Can manage staging secrets
- Security team: Can manage prod secrets
- Secret values are write-only: once stored, nobody can read them back in the UI, only replace them
- A secret is readable by any job that targets its environment, so the environment’s reviewers and branch rules are what really protect it
- All changes: Logged and audited

Compliance Mapping: GitHub Features to Controls

πŸ“‹ Four-Eyes Principle

  • Branch protection requires one or more approving reviews, and the author cannot approve their own PR
  • Turn on “dismiss stale approvals” so an approval does not carry over to code pushed after it was given
  • Protected environments need approvals
  • CODEOWNERS ensures subject matter experts review
  • Audit logs show who approved what

πŸ”’ Segregation of Duties

  • Different teams for development and deployment
  • Security team reviews security changes
  • Business stakeholders approve business changes
  • Operations team manages production access

Compliance Mapping: More Controls

πŸ“Š Auditability

  • Complete audit trail of all changes
  • Timestamped actions and approvals
  • User attribution for every action
  • Export capabilities for external systems

🚫 Change Control

  • PR process prevents unauthorized changes
  • Required approvals enforce change management
  • Wait timers support CAB processes
  • Change ticket linking for compliance

Policy Enforcement Examples

🚦 Security Policy

Policy: All security changes require security team review
Enforcement: CODEOWNERS file assigns @security-team
Result: Security changes cannot merge without review

🚦 Change Management Policy

Policy: Production deployments require change ticket
Enforcement: Protected environment with required reviewers plus a custom deployment protection rule (a GitHub App) that checks for the ticket reference
Result: Deployments blocked without proper documentation

🚦 Quality Policy

Policy: All code must pass automated tests
Enforcement: Required status checks in branch protection
Result: Code cannot merge with failing tests

Compliance Reporting

πŸ“Š What Reports Show

  • Policy compliance status across repositories
  • Access reviews and permission audits
  • Security posture and vulnerability status
  • Change management compliance

πŸ“… Reporting Frequency

  • Daily: Security alerts and access changes
  • Weekly: Policy compliance status
  • Monthly: Trend analysis and improvements
  • Quarterly: Executive summary for stakeholders

Common Compliance Questions

❓ “How do we prove compliance to auditors?”

  • Audit logs show all actions and approvals
  • Policy enforcement prevents violations
  • Automated controls ensure consistency
  • Export capabilities for external review

❓ “What if someone needs emergency access?”

  • Break-glass procedures with justification
  • Immediate access for emergencies
  • Post-incident review and documentation
  • Policy updates to prevent future emergencies

Next: Your Day-to-Day in GitHub

Planning & Collaboration in Practice

The Complete Flow: From Idea to Release

Idea β†’ Issue β†’ Project β†’ PR β†’ Review β†’ Merge β†’ Release β†’ Deploy

Business:    Idea
Planning:    Issue, Project
Development: PR
Quality:     Review
Approval:    Merge
Production:  Release, Deploy

Step 1: Creating an Issue

πŸ“ Issue Templates

  • Consistent format for all work items
  • Required fields (scope, risk, acceptance criteria)
  • Automatic labels based on type
  • Pre-filled sections for common information

🎯 What Goes in an Issue

  • Title: Clear, concise description
  • Description: Detailed requirements
  • Acceptance Criteria: How to know it’s done
  • Risk Assessment: What could go wrong
  • Timeline: When it’s needed by

Step 2: Organizing with Projects

πŸ“Š Project Views

  • Board: Visual workflow (To Do β†’ In Progress β†’ Done)
  • Table: Detailed information in rows and columns, with custom fields (priority, target date, risk)
  • Roadmap: Items laid out on a timeline against milestones and iterations for high-level planning
  • Each view is a saved filter, sort and grouping, so one project can have a board for the team and a roadmap for stakeholders

πŸ”„ Automation Features

  • Auto-assign based on labels
  • Status updates when PRs are created
  • Due date reminders for stakeholders
  • Progress tracking across multiple teams

Step 3: Development with Pull Requests

πŸ”„ PR Creation

  • Branch creation for the feature
  • Code changes with clear descriptions
  • Linked issues showing what’s being delivered
  • Required reviewers based on CODEOWNERS

πŸ“‹ PR Content

  • Files changed with line-by-line differences
  • Conversation for discussion and questions
  • Checks showing automated test results
  • Reviews from required stakeholders

Step 4: The Review Process

πŸ‘₯ Who Reviews What

  • CODEOWNERS: Automatic reviewer assignment
  • Required reviewers: Must approve before merge
  • Optional reviewers: For additional input
  • Team reviews: Group decision making

βœ… Review Types

  • Code review: Technical implementation
  • Business review: Requirements alignment
  • Security review: Risk assessment
  • Compliance review: Policy adherence

Step 5: Quality Gates & Checks

🚦 Automated Checks

  • Unit tests: Does the code work correctly?
  • Integration tests: Do components work together?
  • Security scans: Are there vulnerabilities?
  • Code quality: Does it meet standards?

πŸ“Š Check Results

  • Passing: Green checkmark βœ…
  • Failing: Red X ❌ with details
  • Pending: Yellow circle ⏳ (still running)
  • Required: Must pass before merge

Step 6: Merging & Release

πŸ”€ Merge Process

  • Squash merge: Combines all changes into one commit
  • Merge commit: Preserves branch history
  • Rebase merge: Clean, linear history
  • Delete branch: Clean up after merge

🏷️ Release Creation

  • Version tagging: Semantic versioning (1.0.0, 1.1.0)
  • Release notes: What’s new and what’s fixed
  • Assets: Installers, containers, documentation
  • Deployment: Automatic or manual deployment

Real-World Example: Feature Development

πŸ“… Week 1: Planning

  • Monday: Create issue with requirements
  • Tuesday: Add to project board, assign team
  • Wednesday: Break down into smaller tasks
  • Friday: Review scope and timeline

πŸš€ Week 2: Development

  • Monday: Create feature branch
  • Wednesday: Submit PR for review
  • Thursday: Address feedback
  • Friday: Merge to main branch

🎯 Week 3: Release

  • Monday: Create release candidate
  • Wednesday: Deploy to staging
  • Thursday: User acceptance testing
  • Friday: Deploy to production

Collaboration Best Practices

πŸ’¬ Communication

  • Use issues for discussions, not email
  • Tag stakeholders when you need input
  • Update status regularly in projects
  • Document decisions in issue comments

πŸ”„ Workflow

  • Small, frequent changes are better than big batches
  • Review early and often to catch issues
  • Automate everything that can be automated
  • Keep documentation up to date

Common Pitfalls to Avoid

❌ Don’t Do This

  • Large, complex issues that take months
  • Skipping the review process to save time
  • Ignoring failing checks and merging anyway
  • Forgetting to update project status

βœ… Do This Instead

  • Break work into small, manageable pieces
  • Use templates for consistency
  • Fix issues before merging
  • Keep projects updated in real-time

Next: GitHub Actions (CI/CD) for Non-Engineers

Q&A and Wrap-Up

What We’ve Covered Today

🎯 The Big Picture

  • SDLC Overview: How software development works
  • GitHub Enterprise: Where everything lives and how it works
  • Planning & Collaboration: How work gets organized and tracked
  • Automation & Deployment: How changes move safely through the system
  • Security & Governance: How we keep everything secure and compliant
  • Your Day-to-Day: The five clicks you’ll use most often

πŸ›‘οΈ Key Takeaways

  • GitHub is your system of record for all software development
  • Automation prevents problems and speeds up delivery
  • Security is built-in at every stage
  • You have control through approvals and governance

The Promise Fulfilled

βœ… You Now Know How To

  • Navigate GitHub to see what’s happening with your projects
  • Approve changes safely using the right controls
  • Track work progress and identify blockers
  • Understand security alerts and compliance requirements
  • Collaborate effectively with engineering teams

🎯 You Don’t Need To

  • Write code or understand programming languages
  • Manage technical infrastructure or servers
  • Debug software issues or fix bugs
  • Understand complex technical concepts

Role-Based Action Items

📋 Project/Delivery Managers

  • Set up project boards for your initiatives
  • Create issue templates for consistent requirements
  • Establish review processes for business changes
  • Track progress and report to stakeholders

🔒 Security/Risk Teams

  • Configure security policies and enforcement
  • Set up alert thresholds and response procedures
  • Establish review requirements for security changes
  • Monitor security posture and report trends

More Role-Based Action Items

🚀 Change/Release Managers

  • Configure environment protection for production
  • Set up approval workflows for deployments
  • Establish change management integration
  • Monitor deployment success and rollbacks

🧪 QA/UAT Teams

  • Define acceptance criteria in issues
  • Review test results in PRs
  • Approve UAT deployments to staging
  • Validate production deployments

Even More Role-Based Action Items

βš™οΈ Operations/SRE Teams

  • Configure deployment environments
  • Set up monitoring and alerting
  • Establish rollback procedures
  • Monitor system health and performance

🎯 Product/Business Owners

  • Prioritize work in project boards
  • Define business requirements in issues
  • Approve feature changes in PRs
  • Track business outcomes and metrics

Implementation Roadmap

πŸ—“οΈ Week 1: Foundation

  • Set up organization and team structure
  • Configure basic policies and permissions
  • Create project boards for current initiatives
  • Train key stakeholders on basic workflows

πŸ—“οΈ Week 2-3: Process Setup

  • Establish issue templates and workflows
  • Configure branch protection and CODEOWNERS
  • Set up environment protection for deployments
  • Create security policies and alerting

Implementation Roadmap (Continued)

πŸ—“οΈ Week 4-6: Integration

  • Connect existing tools and workflows
  • Set up automated testing and quality gates
  • Configure security scanning and monitoring
  • Establish compliance and audit procedures

πŸ—“οΈ Month 2-3: Optimization

  • Refine processes based on feedback
  • Automate manual workflows
  • Improve security and compliance posture
  • Scale to additional teams and projects

Common Questions & Answers

❓ “How long does it take to get up and running?”

  • Basic setup: 1-2 weeks for core functionality
  • Full implementation: 2-3 months for complete workflow
  • Team adoption: 4-6 weeks for comfortable usage
  • Process optimization: Ongoing continuous improvement

❓ “What if our team is resistant to change?”

  • Start small with one project or team
  • Show immediate benefits (visibility, automation)
  • Provide training and support resources
  • Celebrate successes and improvements

More Common Questions

❓ “How do we handle existing projects?”

  • Migrate incrementally rather than all at once
  • Keep existing tools running during transition
  • Use GitHub for new work while migrating old
  • Plan migration based on project lifecycle

❓ “What about compliance and audit requirements?”

  • All actions are logged and auditable
  • Export capabilities for external systems
  • Policy enforcement prevents violations
  • Compliance reporting built into the platform

Even More Common Questions

❓ “How do we integrate with existing tools?”

  • GitHub has APIs for most integrations
  • Webhooks for real-time notifications
  • Actions marketplace for common integrations
  • Custom workflows for specific needs

❓ “What if something goes wrong?”

  • Rollback capabilities for all changes
  • Audit trails for incident investigation
  • Support documentation and procedures
  • Community resources and best practices

Resources for Continued Learning

📚 Documentation & Guides

  • GitHub Enterprise documentation
  • Security best practices and guides
  • Compliance frameworks and controls
  • Integration examples and templates

🎓 Training & Certification

  • GitHub Skills free online courses
  • Enterprise training programs
  • Community workshops and meetups
  • Vendor training and support

Support & Community

🆘 Getting Help

  • GitHub Support for technical issues
  • Community forums for best practices
  • Professional services for implementation
  • Partner ecosystem for specialized needs

🤝 Staying Connected

  • GitHub blog for product updates
  • Social media for community engagement
  • User groups for local networking
  • Conferences for learning and networking

Next Steps for You

🎯 Immediate Actions (This Week)

  • Review your current development processes
  • Identify pain points that GitHub can solve
  • Assess team readiness for change
  • Research implementation options and costs

📋 Short-term Planning (Next Month)

  • Create implementation timeline and budget
  • Identify pilot project or team
  • Plan training and change management
  • Set up governance and oversight

Long-term Vision

🚀 Where This Takes You

  • Faster delivery of software features
  • Better quality and fewer defects
  • Improved security and compliance
  • Greater transparency and collaboration

🎯 Success Metrics

  • Reduced time from idea to production
  • Fewer security incidents and vulnerabilities
  • Improved compliance and audit results
  • Higher team satisfaction and productivity

Final Thoughts

💡 Remember

  • You don’t need to be technical to be effective
  • GitHub handles the complexity behind the scenes
  • Your business knowledge is valuable and needed
  • Small changes lead to big improvements over time

🎯 Your Role

  • Ask questions when you don’t understand
  • Provide business context for technical decisions
  • Enforce policies and compliance requirements
  • Support continuous improvement efforts

Thank You!

πŸ™ Questions & Discussion

Remember:

“The goal isn’t to make you engineers—it’s to make you effective collaborators, approvers, and governors of software development.”

📞 Stay in Touch

  • Email: [your-email@company.com]
  • Slack: #github-enterprise
  • Office Hours: Tuesdays 2-3 PM
  • Follow-up: Survey and feedback session next week

One-Slide Summary

🎯 The Five Key Points

  1. Plan & Track in Issues/Projects
  2. Propose & Review via PRs with enforced owners & checks
  3. Automate & Deploy with Actions; prod behind environment approvals
  4. Secure Continuously with GHAS (scanning, secrets, supply chain)
  5. Prove Compliance with branch protection, audit logs, and release artifacts

🚀 Your Next Steps

  • Start with one project to learn the basics
  • Focus on your role and responsibilities
  • Ask questions and seek help when needed
  • Share your success stories with others

Any Questions?

💬 Open Discussion

  • Technical questions about implementation
  • Process questions about workflows
  • Policy questions about governance
  • Timeline questions about adoption

πŸ“ Feedback Welcome

  • What was most helpful?
  • What could be improved?
  • What questions remain?
  • What would you like to learn more about?

End of Presentation

Thank you for your time and attention!

SDLC in One Slide

The Software Development Lifecycle

Plan → Design → Build → Test → Release → Deploy → Operate → Improve
  ↑      ↑       ↑      ↑       ↑        ↑        ↑        ↑
Security, Quality, and Governance at Every Stage

What Happens at Each Stage

Stage     What Happens                     Where It Lives
Plan      Requirements, scope, timeline    Issues, Projects
Design    Architecture, user experience    Design docs, mockups
Build     Writing the actual code          Pull Requests
Test      Quality checks, validation       Automated tests, UAT
Release   Packaging changes together       Releases, tags
Deploy    Moving to production             Environments, approvals
Operate   Running in production            Monitoring, alerts
Improve   Learning and iterating           Feedback, metrics

Key Artifacts You’ll See

📋 Issues & Projects

  • Issues: Individual work items, bugs, features
  • Projects: Kanban boards showing work status
  • Milestones: Grouping work by release or deadline

🔄 Pull Requests (PRs)

  • Proposed changes that need review
  • Quality gates with automated checks
  • Approval workflow before merging

🏷️ Releases

  • Tagged versions of software
  • Change notes for users and stakeholders
  • Deployment targets (staging, production)

Quality Gates Throughout

🚦 Automated Checks

  • Code quality analysis
  • Security vulnerability scanning
  • Automated testing
  • License compliance

👥 Human Reviews

  • Code review by engineers
  • Business approval by stakeholders
  • Security review by specialists
  • Change management approval

Security is Continuous, Not a Gate

🔒 Built-in Security

  • Code scanning during development
  • Secret detection before commits
  • Dependency monitoring for vulnerabilities
  • Access controls at every level

📊 Security Metrics

  • Vulnerabilities found and fixed
  • Time to remediate issues
  • Compliance status
  • Risk assessments

Why This Matters for You

🎯 Transparency

  • See exactly what’s being built
  • Track progress in real-time
  • Identify blockers early

πŸ›‘οΈ Control

  • Approve changes you own
  • Set quality standards
  • Enforce compliance requirements

📈 Efficiency

  • Automated workflows reduce delays
  • Clear status reduces meetings
  • Standardized processes improve consistency

Next: Where GitHub Enterprise Fits

What Can Go Wrong & Our Guardrails

Top 5 Risks and How We Prevent Them

🎯 What You’ll Learn

  • Common failure scenarios in software development
  • How GitHub protects against these risks
  • What to watch for as a stakeholder
  • How to respond when issues arise

πŸ›‘οΈ Our Approach

  • Prevention through automated controls
  • Detection through continuous monitoring
  • Response through clear procedures
  • Recovery through rollback capabilities

Risk 1: Secrets in Code or Actions

🚨 What Can Go Wrong

  • Passwords and API keys accidentally committed
  • Database credentials exposed in source code
  • Cloud access tokens hardcoded in workflows
  • SSH private keys pushed to repositories

πŸ›‘οΈ Our Guardrails

  • Secret scanning detects credentials before commit
  • Push protection blocks commits with secrets
  • OIDC integration eliminates long-lived secrets
  • Environment-scoped secrets for different stages

Secret Exposure: Real Example

🚨 The Incident

Developer accidentally commits:
- Database password in configuration file
- AWS access keys in deployment script
- OAuth client secret in environment file

Result: Credentials exposed to public repository

πŸ›‘οΈ How GitHub Protected Us

1. Secret scanning detected all three credentials
2. Push protection blocked the commit
3. Developer received immediate feedback
4. Credentials never reached the repository
5. Security team notified for investigation

🔧 Prevention Measures

  • Automated scanning on every commit
  • Developer training on secret management
  • Policy enforcement with no exceptions
  • Regular audits of secret usage
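Added example, not part of this deck and not GitHub's own detector code: a small Python check that mirrors what secret scanning with push protection does for the three credentials in the incident above (a database password in a config file, an AWS access key in a deploy script, an OAuth client secret in an env file). The staged files, their values and the team names are constructed for the example (the AWS key is the documented AWS example key), and the pattern list is a minimal illustration rather than GitHub's full set. Findings are redacted so the check itself never echoes a credential back to the developer.

```python
import re

# Constructed sample "staged changes" as {path: contents}. None of these values
# are real credentials: the AWS key is the public AWS documentation example and
# the others are made-up placeholders.
STAGED = {
    "config/database.yml": 'production:\n  host: db.internal\n  password: "Sup3rS3cretPassw0rd!"\n',
    "scripts/deploy.sh": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n./push-image.sh\n",
    ".env": "OAUTH_CLIENT_ID=portal-web\nOAUTH_CLIENT_SECRET=1f2e3d4c5b6a79881f2e3d4c5b6a7988abcd\n",
    "README.md": "Set OAUTH_CLIENT_SECRET in your environment; never commit it.\n",
}

# Illustrative detector rules (a real push-protection service has many more and
# validates most of them against the issuing provider). A capture group, where
# present, isolates the secret value itself.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password-literal": re.compile(r"(?i)password\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
    "oauth-client-secret": re.compile(r"(?i)client_secret\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}


def redact(secret):
    """Keep just enough of the value for the developer to recognise it."""
    return secret[:4] + "..." + "*" * 4


def scan_staged(files):
    """Return findings as (path, line_no, rule, redacted_value) tuples.

    The full secret is never placed in a finding, so the hook's output can be
    logged or posted to a ticket without re-exposing the credential.
    """
    findings = []
    for path, contents in files.items():
        for line_no, line in enumerate(contents.splitlines(), 1):
            for rule, rx in PATTERNS.items():
                match = rx.search(line)
                if match:
                    secret = match.group(1) if match.groups() else match.group(0)
                    findings.append((path, line_no, rule, redact(secret)))
    return findings


def push_allowed(files):
    """Push-protection decision: any finding blocks the push."""
    return not scan_staged(files)


if __name__ == "__main__":
    for path, line_no, rule, shown in scan_staged(STAGED):
        print(f"BLOCKED {path}:{line_no} [{rule}] {shown}")
    print("push allowed:", push_allowed(STAGED))
```

GitHub's push protection runs server-side when the push arrives; a local hook built on this kind of check is a complement that gives the developer feedback before the push, not a replacement for the server-side control, and `push_allowed` is the value a pre-commit or pre-receive hook would act on.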

Risk 2: Bypassed Reviews

🚨 What Can Go Wrong

  • Code changes merged without review
  • Security vulnerabilities introduced unnoticed
  • Business requirements not properly validated
  • Compliance requirements overlooked

πŸ›‘οΈ Our Guardrails

  • Branch protection requires reviews before merge
  • CODEOWNERS automatically assigns reviewers
  • Required status checks must pass
  • No direct pushes to protected branches

Bypassed Review: Real Example

🚨 The Attempt

Developer tries to merge directly to main:
- Bypasses code review process
- Skips security scanning
- Ignores business approval requirements
- Attempts to deploy to production

Result: Merge blocked by branch protection

πŸ›‘οΈ How GitHub Protected Us

1. Branch protection rule blocked direct merge
2. Required reviewers automatically assigned
3. Security checks must pass before merge
4. Business approval required for deployment
5. Full audit trail of all attempts

🔧 Prevention Measures

  • Automated enforcement of review requirements
  • Role-based reviewer assignment
  • No manual bypass of protection rules
  • Comprehensive audit logging
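Added example, not from the deck: how a CODEOWNERS file turns the list of files a PR changes into the reviewers GitHub requests automatically, which is what "CODEOWNERS automatically assigns reviewers" means in practice. The CODEOWNERS content and the @acme/... team names are constructed for the example; the matcher implements only the subset of pattern syntax the sample uses (bare globs, root-anchored directories) and, like GitHub, lets the last matching line win.

```python
import fnmatch
from dataclasses import dataclass

# Constructed sample CODEOWNERS; the teams are placeholders, not a real org.
SAMPLE_CODEOWNERS = """\
# Default owners for anything not matched by a later line
*                       @acme/engineering

# Payment code needs security sign-off as well as the owning team
/src/payments/          @acme/payments @acme/security

# CI workflows are supply-chain sensitive: the platform team owns them
/.github/workflows/     @acme/platform

# Infrastructure-as-code anywhere in the tree
*.tf                    @acme/infra
"""


@dataclass(frozen=True)
class Rule:
    pattern: str
    owners: tuple


def parse_codeowners(text):
    """One Rule per non-comment line: a pattern followed by one or more owners."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append(Rule(pattern, tuple(owners)))
    return rules


def _matches(pattern, path):
    """Subset of CODEOWNERS pattern semantics used by the sample:
    - no slash in the pattern: glob against the file name, anywhere in the tree
    - leading slash: anchored at the repository root
    - trailing slash: every file under that directory
    """
    path = path.lstrip("/")
    if "/" not in pattern:
        return fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pattern)
    anchored = pattern.lstrip("/")
    if anchored.endswith("/"):
        return path.startswith(anchored)
    return fnmatch.fnmatchcase(path, anchored)


def owners_for(path, rules):
    """Last matching line wins, which is how GitHub evaluates CODEOWNERS."""
    owners = ()
    for rule in rules:
        if _matches(rule.pattern, path):
            owners = rule.owners
    return owners


def requested_reviewers(changed_files, rules):
    """Owners GitHub will request review from for this set of changed files.

    Note: with "Require review from Code Owners" enabled, an approval from any
    one owner of a given file satisfies the requirement for that file.
    """
    requested = set()
    for path in changed_files:
        requested.update(owners_for(path, rules))
    return sorted(requested)


if __name__ == "__main__":
    rules = parse_codeowners(SAMPLE_CODEOWNERS)
    changed = ["src/payments/gateway.py", "infra/prod/main.tf", "README.md"]
    for path in changed:
        print(path, "->", owners_for(path, rules))
    print("review requested from:", requested_reviewers(changed, rules))
```

The security-relevant point is the last line of the sample: because `/src/payments/` is listed after the catch-all `*`, a PR touching payment code is routed to @acme/security automatically rather than relying on the author to remember to add them, and branch protection's "require review from Code Owners" setting makes that approval mandatory.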

Risk 3: Untrusted Runner Execution

🚨 What Can Go Wrong

  • Malicious code executed on build servers
  • Production secrets accessed by unauthorized runners
  • Network access to internal systems compromised
  • Build artifacts tampered with during creation

πŸ›‘οΈ Our Guardrails

  • Runner isolation prevents cross-contamination
  • Environment-scoped secrets for different stages
  • Network segmentation between environments
  • Signed artifacts to prevent tampering

Runner Security: Real Example

🚨 The Threat

Malicious PR attempts to:
- Access production database credentials
- Execute arbitrary code on build servers
- Connect to internal network resources
- Modify build artifacts for distribution

Result: Attack blocked by security controls

πŸ›‘οΈ How GitHub Protected Us

1. Runner isolation prevents access to other environments
2. Environment-scoped secrets limit credential access
3. Network policies block unauthorized connections
4. Artifact signing prevents tampering
5. All actions logged and audited

🔧 Prevention Measures

  • Strict runner isolation policies
  • Least privilege access to resources
  • Network segmentation between environments
  • Continuous monitoring of runner activity
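Added example, not from the deck and not a GitHub tool: a line-level Python audit of a GitHub Actions workflow for three of the runner guardrails listed above, namely least-privilege `GITHUB_TOKEN` permissions, actions pinned to a full commit SHA rather than a movable tag (the supply-chain piece of "signed artifacts and tampering"), and secrets read only by jobs bound to a protected `environment:` so they are environment-scoped and gated by approvals. Both workflows are constructed for the example, the 40-zero SHA is a placeholder for a real pinned commit, and the checks deliberately work on the raw YAML text so the script needs only the standard library.

```python
import re

# Constructed "before" workflow: no permissions block, mutable action tags,
# and a production secret read by a job that is not bound to an environment.
WEAK_WORKFLOW = """\
name: deploy
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.PROD_DEPLOY_TOKEN }}
"""

# Constructed "after" workflow. The all-zero SHA stands in for the real commit
# you would pin; id-token: write is what OIDC needs to mint a short-lived cloud
# credential instead of storing a long-lived key as a secret.
HARDENED_WORKFLOW = """\
name: deploy
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder pin
      - run: ./build.sh
  deploy:
    runs-on: ubuntu-latest
    environment: production        # environment-scoped secrets + required reviewers
    permissions:
      id-token: write              # OIDC federation, no stored cloud key
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder pin
      - run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.PROD_DEPLOY_TOKEN }}
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def _jobs(lines):
    """Split the 'jobs:' block into {job_name: [lines]} by its 2-space indentation."""
    jobs, current, in_jobs = {}, None, False
    for line in lines:
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        if in_jobs and line and not line.startswith(" "):
            in_jobs = False  # another top-level key ends the jobs block
        if not in_jobs:
            continue
        header = re.match(r"^  (\S+):\s*$", line)
        if header:
            current = header.group(1)
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return jobs


def audit_workflow(text):
    """Return a list of findings; an empty list means all three checks pass."""
    lines = text.splitlines()
    findings = []
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("no top-level 'permissions:' block; GITHUB_TOKEN gets the repository default instead of least privilege")
    for n, line in enumerate(lines, 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or image references are outside this check
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"line {n}: action '{ref}' is not pinned to a full commit SHA; a tag can be moved by a compromised upstream")
    for job, body in _jobs(lines).items():
        reads_secrets = any("secrets." in line for line in body)
        has_environment = any(line.startswith("    environment:") for line in body)
        if reads_secrets and not has_environment:
            findings.append(f"job '{job}' reads secrets but has no 'environment:'; the secret cannot be environment-scoped or gated by approvals")
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {audit_workflow(wf) or 'OK'}")
```

A check like this is the kind of required status check that branch protection can make mandatory on PRs that touch `.github/workflows/`, so the weak shape above is caught at review time rather than discovered on a runner.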

Risk 4: Untracked Manual Changes

🚨 What Can Go Wrong

  • Production changes made without documentation
  • Emergency fixes not properly recorded
  • Configuration changes bypass change management
  • Hotfixes deployed without proper testing

πŸ›‘οΈ Our Guardrails

  • PR process required for all changes
  • Release tags track what’s deployed
  • Environment protection prevents manual deployments
  • Audit logs record all system changes

Manual Changes: Real Example

🚨 The Incident

Operations team makes emergency change:
- Directly modifies production configuration
- Bypasses change management process
- No documentation of what was changed
- No rollback plan if issues arise

Result: Change tracked and audited

πŸ›‘οΈ How GitHub Protected Us

1. All changes must go through PR process
2. Release tags document what's deployed
3. Environment protection requires approvals
4. Complete audit trail of all changes
5. Rollback capability for any deployment

🔧 Prevention Measures

  • No direct access to production systems
  • All changes documented in issues/PRs
  • Release management process enforced
  • Emergency procedures with post-incident review

Risk 5: Alert Fatigue

🚨 What Can Go Wrong

  • Too many alerts overwhelm teams
  • Important issues get lost in noise
  • Response times increase due to volume
  • Security posture degrades over time

πŸ›‘οΈ Our Guardrails

  • Severity thresholds for different alert types
  • SLA requirements for response times
  • Dashboard views for alert management
  • Escalation procedures for critical issues

Alert Management: Real Example

🚨 The Problem

Security team receives:
- 50+ alerts per day
- Mix of critical, high, medium, and low issues
- No prioritization system
- Important vulnerabilities getting lost

Result: Critical issues delayed, security posture degraded

πŸ›‘οΈ How GitHub Helps

1. Severity-based alert categorization
2. SLA tracking for response times
3. Dashboard views for alert management
4. Automated escalation for critical issues
5. Trend analysis to reduce false positives

🔧 Prevention Measures

  • Alert tuning to reduce noise
  • Automated triage for common issues
  • Team ownership for different alert types
  • Regular review of alert effectiveness

Incident Response Framework

🚨 When Things Go Wrong

  1. Detection: Automated alerts and monitoring
  2. Assessment: Impact and scope evaluation
  3. Response: Immediate containment actions
  4. Recovery: System restoration and validation
  5. Post-incident: Analysis and improvement

πŸ›‘οΈ GitHub’s Role

  • Immediate notification of security issues
  • Automated blocking of risky changes
  • Rollback capability for deployments
  • Audit trail for incident investigation

Recovery Procedures

🔄 Rollback Capabilities

  • Code rollback: Revert to previous commit
  • Deployment rollback: Return to previous version
  • Database rollback: Restore from backup
  • Configuration rollback: Revert environment changes

📋 Rollback Process

1. Assess impact and scope of issue
2. Determine appropriate rollback target
3. Execute rollback with proper approvals
4. Validate system functionality
5. Document incident and response
6. Plan permanent fix and prevention

Business Continuity Planning

🎯 What to Plan For

  • Critical system failures and recovery
  • Data loss scenarios and restoration
  • Security breach response and containment
  • Compliance violation remediation

πŸ›‘οΈ GitHub’s Support

  • High availability infrastructure
  • Data backup and recovery procedures
  • Security incident response support
  • Compliance audit and reporting tools

Lessons Learned Process

📚 What to Document

  • What happened and when
  • Root cause analysis
  • Response actions taken
  • Recovery time and impact
  • Prevention measures implemented

🔄 Continuous Improvement

  • Process updates based on lessons learned
  • Tool improvements to prevent recurrence
  • Training updates for teams
  • Policy refinement for better protection

Proactive Risk Management

πŸ” Regular Assessments

  • Security posture reviews
  • Compliance status evaluations
  • Process effectiveness audits
  • Tool capability assessments

📈 Improvement Initiatives

  • Automation of manual processes
  • Integration of security tools
  • Training and awareness programs
  • Policy updates and enforcement

Key Takeaways

πŸ›‘οΈ Protection is Multi-Layered

  • Automated controls prevent most issues
  • Human oversight catches edge cases
  • Continuous monitoring detects problems early
  • Recovery procedures minimize impact

🎯 Your Role in Risk Management

  • Understand the controls in place
  • Participate in review and approval processes
  • Report issues and concerns promptly
  • Support continuous improvement efforts

Next: Q&A and Wrap-Up

Where GitHub Enterprise Fits

GitHub = The System of Record

🏢 What It Is

  • Central hub for all software development
  • Single source of truth for code, decisions, and history
  • Collaboration platform for teams across the organization

🎯 What It Replaces

  • Scattered documents and spreadsheets
  • Email chains for approvals
  • Manual deployment processes
  • Disconnected security tools

🔗 Real Examples

Key Concepts in Plain English

πŸ—οΈ Organizations & Repositories

  • Organization: Your company’s GitHub space
  • Repository (Repo): A project’s home (like a folder)
  • Ownership: Clear who’s responsible for what

👥 Teams & Permissions

  • Teams: Groups of people with similar roles
  • Permissions: What each person can see and do
  • Least privilege: People only get access to what they need

The Heart of GitHub: Pull Requests

🔄 What is a Pull Request?

  • Proposal for change (like a draft document)
  • Review process before anything gets merged
  • Quality gates with automated checks
  • Approval workflow with required reviewers

📋 What You’ll See in a PR

  • Files changed (what’s being modified)
  • Conversation (discussion about the change)
  • Checks (automated quality tests)
  • Reviews (approvals from stakeholders)

🔗 Live Examples

Issues & Projects: Planning Made Visible

🎯 Issues

  • Work items (features, bugs, tasks)
  • Templates for consistent information
  • Labels for categorization and priority
  • Assignees for clear ownership

📊 Projects

  • Kanban boards showing work status
  • Roadmaps for planning and visibility
  • Custom fields for your specific needs
  • Automation to move work through stages

Releases: Packaging Changes Together

🏷️ What is a Release?

  • Tagged version of your software
  • Change notes for users and stakeholders
  • Deployment targets (staging, production)
  • Artifacts (installers, containers, etc.)

πŸ“ Release Management

  • Version numbering (1.0.0, 1.1.0, etc.)
  • Release notes explaining what’s new
  • Approval workflow before deployment
  • Rollback capability if issues arise

Auditability: Everything Leaves a Trail

📜 What Gets Tracked

  • Who made what changes
  • When changes were made
  • What was changed and why
  • How changes were approved

πŸ” Why This Matters

  • Compliance requirements
  • Security investigations
  • Change management tracking
  • Performance analysis

How Non-Engineers Influence Outcomes

📋 Via Issues

  • Scope definition (what should be built)
  • Acceptance criteria (how to know it’s done)
  • Risk assessment (what could go wrong)
  • Timeline requirements (when it’s needed)

📊 Via Projects

  • Priority setting (what’s most important)
  • Resource allocation (who works on what)
  • Dependency management (what blocks what)
  • Status reporting (how things are progressing)

✅ Via PR Reviews

  • Business approval (does this meet requirements?)
  • Risk assessment (are there security concerns?)
  • Compliance check (does this meet policies?)
  • User experience (is this the right approach?)

The Big Picture

Your Requirements → Issues → Projects → PRs → Releases → Production
      ↑              ↑        ↑        ↑        ↑         ↑
  Business Input  Planning  Tracking  Review  Approval  Deployment

Next: Planning & Collaboration in Practice

Your Day-to-Day in GitHub

The Five Clicks You’ll Use Most

🎯 What You’ll Learn

  • Daily workflow for non-technical stakeholders
  • Where to find the information you need
  • How to approve changes safely
  • When to escalate issues or concerns

⏰ Time Investment

  • 5 minutes per day for routine checks
  • 15 minutes per week for detailed review
  • 30 minutes per month for planning and strategy

Click 1: Check Your Project Board

📊 What You’ll See

  • Work status across all your projects
  • Blockers and dependencies that need attention
  • Team capacity and workload distribution
  • Timeline updates and milestone progress

🎯 What to Look For

  • Red items: Blocked or at risk
  • Yellow items: In progress but may need help
  • Green items: On track and progressing well
  • Overdue items: Past due dates that need attention

Project Board: Real Example

📋 Morning Check (5 minutes)

Project: Customer Portal Redesign
Status: 75% Complete

✅ Completed (12 items)
🔄 In Progress (8 items)
⚠️ Blocked (2 items)
📋 To Do (5 items)

Blockers:
- Security review pending for payment module
- Legal approval needed for terms of service

🎯 Action Items

  1. Follow up on security review
  2. Contact legal team for terms approval
  3. Update stakeholders on progress
  4. Identify any new risks or blockers

Click 2: Review Issues for Your Projects

πŸ“ What You’ll See

  • New requirements and feature requests
  • Bug reports and user feedback
  • Risk assessments and compliance needs
  • Timeline updates and scope changes

πŸ” What to Look For

  • High priority items that need immediate attention
  • Missing information that blocks progress
  • Scope creep that affects timelines
  • Resource conflicts that need resolution

Issue Review: Real Example

📋 Weekly Review (15 minutes)

High Priority Issues:
- 🔴 Payment processing error affecting 5% of users
- 🟡 New compliance requirement for data retention
- 🟢 Feature request for mobile app optimization

New Issues This Week:
- Bug report: Login timeout too short
- Feature request: Dark mode option
- Compliance: GDPR data export requirement

🎯 Action Items

  1. Escalate payment processing issue to engineering
  2. Schedule meeting for compliance requirement
  3. Prioritize feature requests based on business value
  4. Update project timeline if needed

Click 3: Approve PRs You Own

🔄 What You’ll See

  • Code changes that need your approval
  • Business requirements being implemented
  • Security and compliance considerations
  • Testing results and quality metrics

✅ What to Approve

  • Business logic meets requirements
  • User experience is appropriate
  • Compliance requirements are satisfied
  • Risk assessments are complete

PR Approval: Real Example

📋 PR: Add Payment Processing Module

Changes:
- New payment gateway integration
- User payment method storage
- Transaction history display
- Security audit completed

Checks:
✅ Automated tests passed
✅ Security scan clean
✅ Performance tests passed
⚠️ Business review needed (you)

🎯 Review Process

  1. Read description of changes
  2. Check business requirements alignment
  3. Review security and compliance status
  4. Approve or request changes as needed

Click 4: Approve Environment Deployments

🚀 What You’ll See

  • Deployment requests to staging/production
  • Change summaries and impact assessments
  • Required approvals and wait timers
  • Rollback plans and emergency procedures

πŸ” What to Approve

  • Business changes meet stakeholder requirements
  • Change management process is followed
  • Risk assessments are appropriate
  • Testing results are satisfactory

Environment Approval: Real Example

📋 Production Deployment Request

Change: Customer Portal Payment Module
Environment: Production
Impact: High (affects all payment processing)
Risk: Medium (new functionality, extensive testing completed)

Required Approvals:
✅ Security Team
✅ QA Team
⚠️ Business Owner (you)
⏳ Wait Timer (2 hours remaining)

Rollback Plan: Immediate rollback to previous version

🎯 Approval Decision

  1. Review change summary and impact
  2. Check testing results and risk assessment
  3. Verify change management compliance
  4. Approve or reject with comments

Click 5: Triage Security Alerts

🚨 What You’ll See

  • New security vulnerabilities detected
  • Secret scanning results and alerts
  • Dependency updates with security patches
  • Compliance violations and policy issues

🎯 What to Triage

  • Critical vulnerabilities that need immediate attention
  • High-risk issues that affect production systems
  • Compliance violations that create legal risk
  • Trends and patterns in security findings

Security Alert Triage: Real Example

📋 Daily Security Review (5 minutes)

New Alerts:
- 🔴 Critical: SQL injection in payment module
- 🟡 High: Outdated encryption library
- 🟢 Medium: Minor dependency vulnerability

Resolved This Week:
- ✅ Secret scanning alert (API key removed)
- ✅ Dependency update (security patch applied)
- ✅ Code scanning issue (vulnerability fixed)

🎯 Action Items

  1. Escalate critical issues to security team
  2. Schedule remediation for high-priority items
  3. Track progress on existing issues
  4. Update stakeholders on security posture

Weekly Workflow Summary

📅 Monday (15 minutes)

  • Project board review for weekly planning
  • Issue prioritization and resource allocation
  • Team coordination and blocker resolution

📅 Wednesday (10 minutes)

  • Mid-week progress check and status updates
  • PR approvals and business reviews
  • Security alert triage and escalation

📅 Friday (20 minutes)

  • End-of-week summary and progress reporting
  • Next week planning and milestone review
  • Stakeholder updates and communication

Monthly Deep Dive

📊 What to Review Monthly

  • Project portfolio health and progress
  • Security posture trends and improvements
  • Compliance status and audit preparation
  • Process efficiency and optimization opportunities

📈 Metrics to Track

  • Project completion rates and timelines
  • Security vulnerability remediation times
  • Change approval cycle times
  • Stakeholder satisfaction and feedback

Common Day-to-Day Questions

❓ “What if I’m not sure about a change?”

  • Ask questions in the PR or issue
  • Request additional information or testing
  • Escalate to subject matter experts
  • Document concerns for future reference

❓ “How do I know if something is urgent?”

  • Check severity levels and impact assessments
  • Review business impact and user experience
  • Consider compliance and legal requirements
  • Escalate to appropriate stakeholders

Pro Tips for Non-Technical Users

💡 Efficiency Tips

  • Set up notifications for important events
  • Use saved searches for quick access
  • Bookmark frequently used pages
  • Create personal dashboard with key metrics

πŸ” Information Finding

  • Use search to find specific issues or PRs
  • Check labels for categorization
  • Review comments for context and decisions
  • Follow links to related items

Next: What Can Go Wrong & Our Guardrails