CLI tool for auditing and enforcing GitHub repo standards for GDS IDEA teams.
Checks repos against a shared configuration and can auto-fix most issues:
- Naming conventions per repo type (e.g. gds-idea-app-{name})
- Repo settings -- merge strategy, wiki, issues, projects
- Team permissions -- expected teams, unexpected teams, direct collaborators
- Branch protection via rulesets -- deletion, force push, PRs, linear history, bypass actors
- Required files -- .gitignore, LICENSE, README.md, dependabot.yml
- Required workflows per repo type -- lint.yml, test.yml, deploy workflows
- Security -- vulnerability alerts, automated security fixes

Install the GitHub CLI and authenticate:

```bash
brew install gh
gh auth login
```

You need access to the co-cddo GitHub organisation.

idea-gh is installed as a global CLI tool via the GDS IDEA package index.

Recommended — using idea-tools (see the index page for one-time setup):

```bash
idea-tools install gds-idea-gh-kit
```

Alternative — without idea-tools:

```bash
uv tool install gds-idea-gh-kit --index gds-idea=https://co-cddo.github.io/gds-idea-pypi/simple/
```

To upgrade to the latest version:

```bash
idea-tools upgrade gds-idea-gh-kit
# or without idea-tools:
uv tool upgrade gds-idea-gh-kit
```

If you previously installed from a git URL, switch to the index:

```bash
idea-tools install gds-idea-gh-kit --reinstall
```

Verify it's working:

```bash
idea-gh --version
```

Run from inside a cloned repo:

```bash
cd gds-idea-app-my-dashboard
idea-gh audit
```

Output is grouped by severity: auto-fixable failures, manual fixes needed, and warnings. Passing checks are hidden by default.

Audit every repo in the org that matches a known naming pattern:

```bash
idea-gh audit --all
```

Filter by repo type:

```bash
idea-gh audit --all --type cdk-app
```

Fix everything that can be fixed automatically (settings, teams, branch rulesets, security):

```bash
idea-gh audit --fix
idea-gh audit --all --fix
```

The tool applies fixes, then re-audits to show the updated state.

By default, passing checks are hidden. Use --verbose to see everything:

```bash
idea-gh audit --verbose
```

```bash
# Validate the configuration
idea-gh check-config
# Rename a repo (run from inside the repo)
idea-gh rename my-new-name
# Remove specific direct collaborators
idea-gh remove-collaborators jane-doe bob-smith
# Remove all direct collaborators
idea-gh remove-collaborators --all
```

| Check | Auto-fixable | Notes |
|---|---|---|
| Naming convention | No | Too destructive. Use idea-gh rename manually |
| Repo settings | Yes | Merge strategy, wiki, issues, projects |
| Team permissions | Yes | Grants/updates expected teams |
| Unexpected teams | No | Warning only -- review and remove manually |
| Direct collaborators | No | Warning only -- use idea-gh remove-collaborators |
| Default branch | Yes | Renames the branch |
| Branch rulesets | Yes | Creates or updates rulesets |
| Classic branch protection | Yes | Removes and replaces with rulesets |
| Required files | No | Must be added manually |
| Required workflows | No | Must be added manually |
| Vulnerability alerts | Yes | Enables if disabled |
| Automated security fixes | Yes | Enables if disabled |
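
To make the branch ruleset row concrete, here is an added example (not idea-gh's own code) that evaluates a ruleset in the JSON shape returned by GitHub's REST rulesets API against the protections listed at the top of this page. The `allowed_bypass` parameter and the sample data are assumptions made for illustration; how idea-gh itself evaluates rulesets is not described here.

```python
# Added illustration, not idea-gh's implementation. Rule type names follow the
# GitHub rulesets REST API; allowed_bypass is a hypothetical policy input.
REQUIRED_RULES = {
    "deletion": "branch deletion is not blocked",
    "non_fast_forward": "force pushes are not blocked",
    "pull_request": "pull requests are not required",
    "required_linear_history": "linear history is not required",
}


def audit_ruleset(ruleset, default_branch="main", allowed_bypass=frozenset()):
    """Return a list of findings; an empty list means the ruleset passes."""
    findings = []
    if ruleset.get("target") != "branch":
        findings.append("ruleset does not target branches")
    if ruleset.get("enforcement") != "active":
        # "evaluate" and "disabled" rulesets exist but block nothing.
        findings.append(f"enforcement is {ruleset.get('enforcement')!r}, not 'active'")
    include = ((ruleset.get("conditions") or {}).get("ref_name") or {}).get("include", [])
    covered = {"~DEFAULT_BRANCH", "~ALL", f"refs/heads/{default_branch}"}
    if not covered.intersection(include):
        findings.append("default branch is not covered by the ruleset")
    present = {rule.get("type") for rule in ruleset.get("rules", [])}
    for rule_type, message in REQUIRED_RULES.items():
        if rule_type not in present:
            findings.append(message)
    for actor in ruleset.get("bypass_actors") or []:
        key = (actor.get("actor_type"), actor.get("actor_id"))
        if key not in allowed_bypass:  # set of (actor_type, actor_id) pairs
            findings.append(f"unexpected bypass actor {key}")
    return findings


# Constructed sample: looks protected, but is only in evaluate mode, has no
# force-push rule, and lets a team (made-up id) bypass it.
SAMPLE = {
    "name": "default-branch-protection",
    "target": "branch",
    "enforcement": "evaluate",
    "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
    "rules": [{"type": "deletion"}, {"type": "pull_request"},
              {"type": "required_linear_history"}],
    "bypass_actors": [{"actor_id": 1234, "actor_type": "Team", "bypass_mode": "always"}],
}

if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE):
        print("FAIL:", finding)
```

A ruleset that exists is not the same as a ruleset that enforces: the sample fails on enforcement mode, the missing force-push rule and the bypass actor even though three of the four rules are present.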
A default configuration is bundled with the tool and updates automatically when you upgrade. It defines the standards for co-cddo repos.
To use a custom configuration instead:

```bash
idea-gh --config path/to/my-config.yml audit
```

See config.example.yml for the full configuration reference. The main sections are:

- org -- GitHub organisation name
- teams -- expected teams and their permission levels
- repo_settings -- merge strategy, wiki, issues, projects
- required_files -- files that must exist in every repo
- security -- vulnerability alerts, automated security fixes
- repo_types -- per-type settings (naming pattern, default branch, branch protection, required workflows)

```bash
# Clone and install dev dependencies
git clone git@github.com:co-cddo/gds-idea-gh-kit.git
cd gds-idea-gh-kit
uv sync
# Run tests
uv run pytest
# Lint and format
uv run ruff check src/ tests/
uv run ruff format src/ tests/
```