induwara.lk
Opiniongithubdevopsengineering-practices

What GitHub's Repo Ownership Fix Teaches Small Teams

GitHub gave 14,000 repositories a validated owner in under 45 days. Here's the ownership lesson for Sri Lankan solo builders and small dev teams.

Induwara Ashinsana5 min read
Illustration of repository ownership tags being assigned to GitHub code repositories
Image: The GitHub Blog

Repository ownership sounds like a problem only giant companies have, but GitHub just showed it bites everyone the same way. In a post titled How GitHub gave every repository a durable owner, the company explained that its main internal organization held over 14,000 repositories, and fewer than half had a clear owner. If GitHub of all places lost track of who owns what, your two-person startup or your university group project has no excuse to feel safe.

I read this less as a GitHub story and more as a warning I've earned the hard way. Orphaned code is a security liability, and the smaller your team, the faster ownership rots.


πŸ” Why "who owns this repo" is a security question

The trigger for GitHub's cleanup wasn't tidiness. It was secret scanning remediation. When a leaked API key or token turns up in a repository, someone has to be accountable for rotating it and fixing the code. If nobody owns the repo, that alert sits and rots while the credential stays live.

That maps directly onto small Sri Lankan teams I've seen:

  • A freelancer clones a client project, leaves an AWS key in a config file, moves on.
  • A batch-mate spins up a repo for a hackathon, then graduates and vanishes.
  • A company has 40 repos and only 3 are actually maintained; nobody remembers which.

Key takeaway: An unowned repository is not neutral. It is an open security ticket with no assignee. Ownership is the first line of defence, not paperwork.

Before you dismiss this, count your own GitHub org. If more than half your repos haven't had a commit in a year and you can't name the owner in five seconds, you have GitHub's exact problem at a smaller scale.


πŸ“Š The 45-day cleanup, by the numbers

What impressed me was the discipline of the rollout. GitHub didn't hold meetings for six months. They defined ownership as data, enforced it, and archived what nobody claimed.

Metric Before After
Total repositories ~14,000+ ~14,000+
Non-archived repos ~11,000+ ~3,000 active
Archived repos ~3,000 ~11,000
Repos with a validated owner Under half Every active repo
Time to steady state β€” Under 45 days

The mechanism was two custom properties on each repo: ownership-type and ownership-name. Ownership could be one of three things:

  1. A Service Catalog entry (a registered service)
  2. A Hubber Handle (one named individual)
  3. A Team (which had to have at least two members to count)

Then a GitHub App running on a Kubernetes CronJob checked every repo on a schedule. Repos without a valid owner got a 30-day grace period, then archiving. GitHub later tightened the detection window from a slow scan down to one hour.


πŸ› οΈ The safeguards that made mass-archiving safe

Archiving 8,000 extra repositories is terrifying. One bad script and you nuke live production code. GitHub built guardrails I'd copy directly:

  • A low water mark threshold so that if the ownership data looked corrupted (say, suddenly everything reads as unowned), the job refused to archive en masse.
  • @-mentioning repo admins on the ownership issue so a real human got pinged.
  • A fallback notification to everyone with write access when no admin existed.
  • Making ownership required at repository creation so the backlog couldn't rebuild.

That last point is the real fix. Cleaning up once is a chore; preventing the mess from returning is engineering. GitHub also mentioned the first enforcement run finished on a Saturday by accident, which is a quietly honest detail about how these automated jobs behave in the wild.

A cleanup you have to repeat every year isn't a solution, it's a subscription to your own mess.


πŸ’‘ What a two-person team should actually do

You don't need Kubernetes or a Service Catalog. The idea scales down cleanly. Here's the version I'd run for a small team or a solo builder in Colombo:

  1. Add a CODEOWNERS file to every repo you care about. It's a plain text file GitHub reads natively; one line maps a path to a person. That's your ownership-name without the tooling.
  2. Archive aggressively. If a repo hasn't been touched in a year and isn't a dependency, archive it. Archived repos are read-only, searchable, and out of your security surface. You can always un-archive.
  3. Rotate secrets in orphaned repos first. Any repo you can't assign an owner to is where you assume a leak. Enable GitHub's free secret scanning on public repos.
  4. Set an ownership rule at creation. For a team, that's a checklist item or a repo template. For solo work, it's a naming convention so future-you knows what's live.

While you're cleaning up config files and workflow definitions, small utilities save time. I keep a JSON formatter and a cron expression builder open for exactly this kind of housekeeping, since the scheduled-job syntax GitHub used is the same cron string you'll write for your own GitHub Actions.


🌐 The bigger point for Sri Lankan builders

Local teams often run lean, which we treat as a badge of honour. But lean also means tribal knowledge, and tribal knowledge walks out the door when someone changes jobs or finishes their degree. GitHub's post is a reminder that process is what survives people leaving.

The whole exercise cost them under 45 days because they refused to make it a debate. Ownership became a required field, enforcement became automated, and unclaimed code got archived instead of arguing. For a small shop, the same philosophy costs an afternoon.

Bottom line: Every repo should answer one question in under five seconds: who fixes this if it breaks? If yours can't, you don't have a code problem yet. You have an ownership problem that will become a security problem.


What this means for you

If you run more than a handful of repositories, spend an hour this week auditing them. Add a CODEOWNERS line to the ones that matter, archive the dead ones, and turn on secret scanning. GitHub needed 45 days and a custom platform because they had 14,000 repos and thousands of engineers. You have far fewer of both, which means your version of this fix is a single quiet afternoon. Do it before a leaked key forces you to.

#github#devops#engineering-practices
IA

Induwara Ashinsana

Information Systems student at UCSC and Executive Director at Ryzera Technologies. Writes about software, AI, and what it means for builders in Sri Lanka.

About the author β†’

Keep reading