Step 0

Environment Setup

On this page

Environment Setup

Complete all steps below before starting the exercises.

4.1 Create Enterprise Organization

  1. Log in to your GitHub Enterprise Cloud account at your GHE.com subdomain
  2. Navigate to Enterprise settings β†’ Organizations β†’ New organization
  3. Create a new organization (e.g., trust-boundary-workshop)
  4. During creation, select Japan as the Data Residency region
  5. Verify the organization is created under your *.ghe.com subdomain URL
# Your organization URL will look like:
https://YOUR-ENTERPRISE.ghe.com/organizations/trust-boundary-workshop

Note: GHE.com is the dedicated domain for GitHub Enterprise Cloud with Data Residency. It is separate from github.com and has its own subdomain for each enterprise.

4.2 Configure Managed User Accounts (EMUs)

  1. Navigate to Enterprise settings β†’ People β†’ Members
  2. Provision at least two EMU test users via your Identity Provider (IdP):
    • TestUser1 β€” assign Admin role on the organization
    • TestUser2 β€” assign Member role on the organization
  3. Verify both users can log in to the GHE.com subdomain

Important: EMU accounts are fully managed by the enterprise. Key restrictions:

  • ❌ Cannot fork repositories outside the enterprise
  • ❌ Cannot create public repositories
  • ❌ Cannot contribute to open-source repos on the same platform
  • βœ… All actions are governed by enterprise policy

4.3 Create Organization-Owned Repository

  1. As TestUser1 (Admin), navigate to your organization
  2. Click New repository
  3. Configure:
    • Name: trust-boundary-demo
    • Visibility: Private
    • Default branch: main
    • Initialize: Add a README
  4. Clone the repository and copy the sample application from this workshop template:
# Clone the new repository
git clone https://YOUR-ENTERPRISE.ghe.com/trust-boundary-workshop/trust-boundary-demo.git
cd trust-boundary-demo

# Copy the sample application from this workshop repo
# (app.py and tests/ are already included in this template repository)
cp /path/to/agentic-devsecops-trust-boundry/app.py .
cp /path/to/agentic-devsecops-trust-boundry/requirements.txt .
cp -r /path/to/agentic-devsecops-trust-boundry/tests .
cp -r /path/to/agentic-devsecops-trust-boundry/.github .
  1. Review the sample application (app.py):
# app.py β€” minimal sample application
import os

def get_config():
    """Read configuration from environment variables."""
    port = int(os.getenv("APP_PORT", "8080"))
    if not (1 <= port <= 65535):
        raise ValueError(f"APP_PORT must be between 1 and 65535, got {port}")
    return {
        "app_name": os.getenv("APP_NAME", "trust-boundary-demo"),
        "environment": os.getenv("APP_ENV", "development"),
        "port": port,
    }
  1. Push the sample application to the repository:
git add app.py requirements.txt tests/ .github/
git commit -m "Add sample application and workshop files"
git push origin main

4.4 Configure Branch Protections (Access Control)

  1. Navigate to Settings β†’ Branches β†’ Branch protection rules
  2. Click Add branch protection rule
  3. Configure for the main branch:
Setting Value Reason
Branch name pattern main Protect the default branch
Require a pull request before merging βœ… Enabled No direct push to main
Required approvals 1 At least one reviewer must approve
Include administrators βœ… Enabled Even admins follow the rules
Require status checks to pass ❌ Disabled ⚠️ Status checks are configured in Workshop 2
Require signed commits Optional Recommended but not required for this workshop

Warning: Do NOT enable β€œRequire status checks to pass before merging” at this point. Required status checks (CodeQL, dependency review, etc.) are part of Workshop 2 β€” Secure by Design Guardrails. In this workshop, branch protections serve as access control only.

4.5 Enable Minimal Security Features

  1. Navigate to Settings β†’ Code security and analysis
  2. Enable:
    • βœ… Secret scanning β€” Detects exposed secrets in the repository
  3. Leave the following disabled for now:
    • ❌ CodeQL analysis β€” Configured in Workshop 2
    • ❌ Dependency review β€” Configured in Workshop 2
    • ❌ Secret scanning push protection β€” Configured in Workshop 2

Important: Full GHAS (GitHub Advanced Security) is configured in Workshop 2. In this workshop, we enable only secret scanning to demonstrate that security features exist within the trust boundary. The full security configuration is intentionally deferred.

4.6 Enable Copilot

  1. Navigate to Organization settings β†’ Copilot β†’ Access
  2. Enable GitHub Copilot for the organization
  3. Assign Copilot licenses to both EMU test users
  4. Navigate to Organization settings β†’ Copilot β†’ Policies:
    • βœ… Enable Copilot Chat
    • βœ… Enable Copilot coding agent
  5. Navigate to the trust-boundary-demo repository:
    • Settings β†’ Copilot β†’ Coding agent β†’ Enable
# Verify Copilot access via CLI
gh copilot --version

4.7 Network & Access Control

  1. SSO / IdP: Ensure SAML SSO is configured and enforced for the enterprise
  2. MFA: Enforce multi-factor authentication for all enterprise members
  3. IP allowlist (if required): Navigate to Enterprise settings β†’ Authentication security β†’ IP allow list and add your corporate network ranges

Tip: For this workshop, ensure your network allows access to your GHE.com subdomain. If you’re behind a corporate proxy, add *.ghe.com to your allowlist.

Verify Setup

Tip: Run scripts/verify-setup.sh after completing all setup steps to confirm your environment is ready.

./scripts/verify-setup.sh
Previous
Overview
 Step 0 of 4
Next
Explore the Trust Boundary
← β†’ to navigate between steps