## Purpose Before any app goes live, each repo should pass this checklist. ## Per-repo checklist - [ ] No hardcoded secrets or credentials anywhere (run gitleaks on full history) - [ ] All secrets in GitHub Actions secrets — never in code - [ ] \`RENDER_API_KEY\` rotated if it ever touched a workflow file, commit, or log - [ ] ZAP baseline scan green on live URL - [ ] Branch protection enabled on \`main\` (require PR + green CI, no force push) - [ ] Decide public vs private — if private, confirm Actions minutes budget - [ ] \`SECURITY.md\` present (org-inherited or repo-level copy) - [ ] PR template present ## Org-level checklist (do once) - [ ] Enable secret scanning + push protection (GitHub → Org Settings → Code security) - [ ] Review all fine-grained PATs — confirm minimum required scopes - [ ] Confirm Cloudflare worker PAT has only \`issues: write\` on \`.github\`, nothing else
Purpose
Before any app goes live, each repo should pass this checklist.
Per-repo checklist
Org-level checklist (do once)