« All posts

How GitHub assigned owners to 14,000 repos in 45 days

GitHub tagged thousands of ownerless repos using custom properties, archived 8,000 of them, and made ownership mandatory across the organization.

GitHub discovered that fewer than half of its 14,000+ internal repositories had clear ownership, a gap that became a real operational risk during secret-scanning remediation work. The existing Service Catalog only mapped ownership for repos backing deployed services, leaving team repos, docs, personal projects, and one-off tools completely unaccounted for.

To fix this, the team used GitHub's custom properties to add ownership-type (Service Catalog, individual employee, or team) and ownership-name fields to every repository, validated by a GitHub App checking org membership, team existence, and service records while staying permissive on formatting. A Kubernetes CronJob-based system auto-tagged around 1,500 service-backed repos from day one, then enforced a 30-day grace period for the rest, safely archiving roughly 8,000 unclaimed repositories in a reversible way.

Two minor incidents surfaced during rollout: a Datadog integration breaking silently when its target repo got archived without proper owner notification, and the risk of stale or corrupted Service Catalog data triggering mass false-positive archiving. The effort underscores that ownership metadata isn't just bookkeeping — it's foundational infrastructure for security response and incident routing, and that large-scale automation needs careful attention to data reliability and notification design.