External repository setup runbook¶
Use this when creating the repository, auditing repository settings, or preparing for a release. These steps cover settings that are not fully configured by files inside this repository.
Before you start¶
- Confirm you are an administrator for
ryancswallace/benchmatrix. - Open the default branch and confirm the latest
make checkresult is green. - Review
.github/settings.ymland this runbook together. If they disagree, fix the repository file or the docs before changing external settings.
Settings-as-code setup¶
- Decide whether to use the GitHub Settings app for this repository.
- If using it, install the app from
https://github.com/apps/settingsfor only this repository. - Confirm
.github/settings.ymlis onmain. - Watch the app output or repository settings after installation and verify:
description, homepage, topics, merge strategies, vulnerability alerts,
deployment environments, and
mainbranch protection. - If the app reports an unsupported setting, configure that item manually and
update
docs/explanation/repository-settings.mdwith the exception.
Branch protection or ruleset¶
- Go to Settings -> Rules -> Rulesets or Settings -> Branches.
- Create or verify protection for
main. - Require pull requests before merging.
- Require one approving review.
- Require CODEOWNERS review.
- Dismiss stale approvals on new commits.
- Require approval of the most recent push by someone other than the pusher.
- Require conversation resolution.
- Require status checks and branch freshness.
-
Select these required checks:
Quality checks Package build and smoke test Minimum dependency tests Tests (ubuntu-24.04, Python 3.11) Tests (ubuntu-24.04, Python 3.12) Tests (ubuntu-24.04, Python 3.13) Tests (ubuntu-24.04, Python 3.14) -
Require linear history.
- Block force pushes.
- Block branch deletion.
- Save, then open a test pull request or inspect the branch protection summary to confirm the expected checks are enforced.
Merge strategy settings¶
- Go to Settings -> General -> Pull Requests.
- Enable squash merging.
- Enable rebase merging.
- Disable merge commits.
- Enable automatic branch deletion after merge.
- Leave auto-merge disabled unless the project adopts a written auto-merge policy.
Dependabot and security alerts¶
- Go to Settings -> Advanced Security.
- Enable dependency graph.
- Enable Dependabot alerts.
- Enable Dependabot security updates.
- Confirm
.github/dependabot.ymlexists onmainfor version updates. - Enable secret scanning if available for the repository.
- Enable push protection if available for the repository.
- Enable private vulnerability reporting.
- In your personal notification settings, watch repository security alerts or verify another maintainer is assigned to do so.
Labels¶
- Open Issues -> Labels in GitHub repository settings.
- Compare the current repository labels with
.github/labels.yml. - Create, rename, or update labels manually when the recommended label set changes.
- Do not delete existing labels without checking whether open issues or pull requests still use them.
GitHub Pages¶
GitHub Pages must be enabled once per repository before the documentation
workflow can deploy. This is intentionally a small click-ops step: the default
GITHUB_TOKEN can deploy to an existing Pages site, but it cannot enable Pages
for a repository that does not have a Pages site yet. If this step is skipped,
actions/configure-pages fails with Get Pages site failed and Not Found.
- Confirm
make docspasses locally and in CI. - Go to Settings -> Pages.
- Set Build and deployment -> Source to GitHub Actions.
- Verify the Settings app created the
github-pagesenvironment and restricted deployments tomain. - Run the documentation workflow once from
main. - Confirm the site resolves at
https://ryancswallace.github.io/benchmatrix/. - If the site URL changes, update
mkdocs.yml,.github/settings.yml,pyproject.toml, and docs that mention the URL.
PyPI Trusted Publishing¶
- Create or claim the PyPI project
benchmatrix. - Verify the Settings app created the GitHub environment
pypi, restricted deployments tov*tags, and configured required reviewer(s). - Do not add PyPI secrets to the environment when Trusted Publishing is the intended path.
- In PyPI, open the project -> Publishing -> Add trusted publisher.
-
Configure:
owner: ryancswallace repository: benchmatrix workflow filename: release.yml environment: pypi -
Confirm
.github/workflows/release.ymlgrantsid-token: writeto the publish job and uses thepypienvironment. - Do not add a long-lived PyPI token if Trusted Publishing works.
- If a token is temporarily unavoidable, make it project-scoped, store it as an environment secret, and remove it after Trusted Publishing is working.
Repository profile¶
- Set the repository description to
Build pytest-benchmark matrices and parse benchmark results with lightweight Python utilities. - Set the homepage to
https://ryancswallace.github.io/benchmatrix/once Pages is live. - Set topics:
benchmark,benchmarking,performance,pytest,pytest-benchmark,python. - Keep issues enabled.
- Disable wiki and projects unless maintainers intentionally adopt them.
Review cadence¶
Run this checklist:
- before the first public release;
- after adding, renaming, or removing required CI jobs;
- after changing publishing or documentation deployment workflows;
- at least quarterly while the project is active.