docs(github-project): repo-level Actions/security hardening + API gotchas #83

Merged
CybotTM merged 1 commit into main from docs/actions-hardening-from-gh-safe-repo on Jun 2, 2026

Conversation

@CybotTM
Member

@CybotTM CybotTM commented Jun 2, 2026

Summary

Adds the repo-level Actions permissions and security toggle surface that init-branch-protection.sh does not cover, plus a set of GitHub Security API scripting gotchas. Sourced from an assessment of AriESQ/gh-safe-repo; every endpoint was verified against that tool's plugins/actions.py / plugins/security.py, not memory.

references/repo-bootstrap.md — new "Actions & Security Hardening" section

  • default_workflow_permissions=read + can_approve_pull_request_reviews=false (/actions/permissions/workflow)
  • allowed_actions=selected + sha_pinning_required (/actions/permissions), incl. the enabled=true-or-422 and apply-order-before-/selected-actions gotchas
  • fork-pr-contributor-approval policy (public-only) with its three enum values
  • Dependabot, private-vulnerability-reporting, and secret-scanning push-protection toggles
  • Notes org members inherit org-level settings (org-security-settings.md)

references/security-config.md — new "GitHub Security API: Scripting Gotchas"

  • post-create eventual-consistency 404 → retry with backoff
  • 204-vs-2xx "is it enabled?" probe quirk
  • secret_scanning must accompany secret_scanning_push_protection or the PATCH is silently ignored
  • grouped security updates / dependency graph have no per-repo REST API
  • free-plan-private 403 on rulesets/Dependabot/secret-scanning

Test plan

  • markdownlint-cli2 clean on both changed files
  • Changes are additive; no existing content modified
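The hardening sequence and the scripting gotchas described above (apply order, the enabled=true-or-422 rule, the secret_scanning pairing, the post-create 404 retry), as an added shell example that is not code from the PR or from AriESQ/gh-safe-repo. It assumes an authenticated gh CLI; the /vulnerability-alerts and /private-vulnerability-reporting paths, the selected-actions field names and the example-org/* pattern come from the GitHub REST API and are not on this page. sha_pinning_required is omitted because the review comment further down says it is org-level only.

```shell
# Added example, not code from the PR or from AriESQ/gh-safe-repo. Applies the
# repo-level hardening the PR documents in the order its gotchas require.
# Assumes an authenticated gh CLI; the repo slug "owner/name" is passed in.

# Run `gh api "$@"`, retrying only on HTTP 404 with exponential backoff.
# A repo's security endpoints can lag a few seconds behind repo creation
# (eventual consistency); any other error (403, 422, ...) is returned at once.
gh_retry() {
  attempt=0
  delay=${RETRY_BASE_DELAY:-1}   # seconds, doubled after each failed attempt
  while :; do
    if out=$(gh api "$@" 2>&1); then printf '%s\n' "$out"; return 0; fi
    attempt=$((attempt + 1))
    case "$out" in
      *"HTTP 404"*) ;;                          # not visible yet: retry
      *) printf '%s\n' "$out" >&2; return 1 ;;  # real error: do not retry
    esac
    [ "$attempt" -lt "${RETRY_MAX:-5}" ] || { printf 'gave up: %s\n' "$out" >&2; return 1; }
    sleep "$delay"; delay=$((delay * 2))
  done
}

harden_repo() {
  repo=$1
  # 1. GITHUB_TOKEN defaults to read-only and cannot approve pull requests.
  gh_retry -X PUT "repos/$repo/actions/permissions/workflow" \
    -f default_workflow_permissions=read -F can_approve_pull_request_reviews=false || return 1
  # 2. Allow-list actions: enabled=true must travel with allowed_actions=selected
  #    (otherwise 422), and this PUT must land before /selected-actions.
  gh_retry -X PUT "repos/$repo/actions/permissions" \
    -F enabled=true -f allowed_actions=selected || return 1
  gh_retry -X PUT "repos/$repo/actions/permissions/selected-actions" \
    -F github_owned_allowed=true -F verified_allowed=false \
    -f 'patterns_allowed[]=example-org/*' || return 1   # constructed allow pattern
  # 3. Push protection only takes effect when secret_scanning is sent with it;
  #    a PATCH carrying secret_scanning_push_protection alone is silently ignored.
  gh_retry -X PATCH "repos/$repo" --input - <<'EOF' || return 1
{"security_and_analysis":{"secret_scanning":{"status":"enabled"},
 "secret_scanning_push_protection":{"status":"enabled"}}}
EOF
  # 4. Dependabot alerts and private vulnerability reporting (204, no body).
  gh_retry -X PUT "repos/$repo/vulnerability-alerts" || return 1
  gh_retry -X PUT "repos/$repo/private-vulnerability-reporting"
}

# Only touches a real repo when one is given: HARDEN_REPO=owner/name sh harden.sh
if [ -n "${HARDEN_REPO:-}" ]; then harden_repo "$HARDEN_REPO"; fi
```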

Copilot AI review requested due to automatic review settings June 2, 2026 09:21
@github-actions
Contributor

github-actions Bot commented Jun 2, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

…PI gotchas

Add an "Actions & Security Hardening" section to repo-bootstrap.md covering the
per-repo Actions permissions surface that init-branch-protection.sh does not
touch: default_workflow_permissions=read, can_approve_pull_request_reviews=false,
allowed_actions=selected + sha_pinning_required, the fork-pr-contributor-approval
policy, and the Dependabot / private-vulnerability-reporting / secret-scanning
push-protection toggles.

Add a "GitHub Security API: Scripting Gotchas" section to security-config.md:
post-create eventual-consistency 404 retry, the 204-vs-2xx probe quirk, the
secret_scanning pairing requirement, settings with no per-repo REST API, and the
free-plan-private 403.

Endpoint shapes verified against AriESQ/gh-safe-repo.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
@CybotTM CybotTM force-pushed the docs/actions-hardening-from-gh-safe-repo branch from f78e6e4 to 0ea23f2 Compare June 2, 2026 09:22

Copilot AI left a comment


Pull request overview

Adds documentation for repo-level GitHub Actions permissions and security hardening toggles, plus a section on GitHub Security API scripting gotchas, to complement the existing init-branch-protection.sh coverage.

Changes:

  • New "Actions & Security Hardening" section in repo-bootstrap.md covering workflow token defaults, allowed-actions/SHA pinning, fork-PR approval policy, and security toggles.
  • New "GitHub Security API: Scripting Gotchas" section in security-config.md documenting eventual-consistency 404s, 2xx status quirks, the secret_scanning PATCH pairing requirement, missing per-repo REST endpoints, and free-plan 403s.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Files reviewed:
  • skills/github-project/references/repo-bootstrap.md: adds an Actions & Security Hardening section with gh api commands and gotchas.
  • skills/github-project/references/security-config.md: adds a Scripting Gotchas section for the GitHub Security API.


@sonarqubecloud

sonarqubecloud Bot commented Jun 2, 2026

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request adds documentation on GitHub Actions security hardening and API scripting gotchas to repo-bootstrap.md and security-config.md. The review feedback correctly identifies that the sha_pinning_required parameter is only supported at the organization level rather than the repository level, and provides corrections for the API call and its explanation. Additionally, the feedback points out that there is no standalone GET endpoint for private vulnerability reporting, which must instead be checked via the main repository object.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread skills/github-project/references/repo-bootstrap.md
Comment thread skills/github-project/references/repo-bootstrap.md
Comment thread skills/github-project/references/security-config.md
@CybotTM CybotTM merged commit b3fafcb into main Jun 2, 2026
16 checks passed
@CybotTM CybotTM deleted the docs/actions-hardening-from-gh-safe-repo branch June 2, 2026 10:23
2 participants