GitHub

Purpose

Version control, code hosting, and CI/CD. Primary use: source control for the /Claude/ vault (eco-monetize/claude private repo) and GitHub Actions for automated MkDocs deployments to Cloudflare Pages.

How we use it

Current state (2026-04-23): /Claude/ vault is connected to the private eco-monetize/claude GitHub repo. Branch protection ruleset main-claude active on main — requires PR + review, with admin bypass enabled for Rick. GitHub Actions Deploy Docs workflow auto-deploys MkDocs to Cloudflare Pages on every push to main that touches docs paths.

Setup & credentials

PATs in 1Password. gh CLI installed and authenticated as ecomonetize.

Actions secrets (repo: eco-monetize/claude):

  • CLOUDFLARE_API_TOKEN — Pages deploy token (1Password: Cloudflare-MkDocs-Deploy → credential field). Note: GitHub blanks this field when editing — to verify, just re-paste from 1Password.
  • CLOUDFLARE_ACCOUNT_ID — Cloudflare account ID

Deploy workflow note: The Deploy Docs workflow uses npx --yes wrangler@latest directly — NOT cloudflare/wrangler-action. The action pins wrangler 3.90.0 which has broken auth for token-scoped deploys. wrangler 4.x resolves correctly. Supports workflow_dispatch for manual reruns.
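
A workflow matching the deploy note above could look like the following. This is an added example, not the repo's actual Deploy Docs file; the docs paths, the MkDocs build step, the `site` output directory and the `PAGES_PROJECT` placeholder are assumptions.

```yaml
# Added example: assumed layout, not the repo's actual workflow file.
name: Deploy Docs

on:
  push:
    branches: [main]
    paths:                        # assumed docs paths
      - "docs/**"
      - "mkdocs.yml"
  workflow_dispatch: {}           # allows manual reruns from the Actions tab

permissions:
  contents: read                  # the job only reads the repo; no write scopes on GITHUB_TOKEN

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      PAGES_PROJECT: example-docs # placeholder: the Cloudflare Pages project name
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Build site
        run: |
          pip install mkdocs      # assumed; add the theme and plugins the site uses
          mkdocs build --strict   # writes to ./site by default; fails on warnings

      - name: Deploy to Cloudflare Pages
        # Secrets are exposed to this step only, not to the build step above.
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
        run: |
          # Calls wrangler directly via npx instead of cloudflare/wrangler-action.
          npx --yes wrangler@latest pages deploy site \
            --project-name "$PAGES_PROJECT" --branch main
```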

To manage secrets: Settings tab → left sidebar → "Security and quality" → Secrets and variables → Actions → pencil icon to update, New repository secret to add.

Branch protection: Ruleset main-claude on main — 1 approving review required, squash merge only. Admin bypass enabled (Rick can merge without review or push directly to main).

Owner

code.platform — owns code repos and CI/CD when Active.

  • [[claude-code]] — local repo workflow integrates with git
  • /knowledge/decisions/ — future DR on GitHub sync strategy for /Claude/ vault

Notes

  • Pending decision: GitHub remote for /Claude/ vault — Rick raised 2026-04-14. chief.staff recommends local git first, then private remote after secrets audit (gitleaks or git-secrets), .gitignore tuning for .obsidian/workspace*.json, .DS_Store, etc.
  • Old production repo may still contain production snapshot — worth confirming it's private

Plan Tier Limitations

Public repo creation restriction — requires GitHub Team

Symptom: On GitHub Free for organizations, the "Public" checkbox under Member Privileges → Repository creation cannot be unchecked. GitHub won't allow it because Private repo creation by members is a paid feature — leaving nothing selectable if Public is removed.

Root cause: GitHub Free orgs can only have members create public repos. Restricting members to private-only creation (or no creation at all) requires GitHub Team ($4/user/month, ~$3.67/month billed annually).

Current risk: Low. Rick is the sole org member. Outside collaborators can never create repos regardless of plan. No one can accidentally publish an internal repo except Rick himself.

Upgrade trigger: Add GitHub Team when the first non-owner org member joins. At that point, lock Member Privileges → Repository creation to Private only, and enable "Restrict members from changing repository visibility" on the same page.

Workaround on free plan: None for the creation restriction. Mitigating controls already in place: branch protection rulesets on all active repos, secret scanning + push protection enabled, org consolidated to single eco-monetize org.

Classification: SEV3 known gap — documented, low risk at current org size, upgrade trigger defined.