Explore the Trust Boundary
Exercise 1: Explore the Trust Boundary (~10 min)
Goal: Understand where the trust boundary lies: what data stays inside, what may cross it, and what trade-offs exist.
Conceptual Framing (2 min)
What is a trust boundary? The line between what you control and what you don't.
In a regulated enterprise, you need to know:
- Where does your code live?
- Where does your metadata live?
- What data can cross the boundary, and under what conditions?
Steps
Step 1. Clone the organization-owned repository to your local machine:
```bash
git clone https://YOUR-ENTERPRISE.ghe.com/trust-boundary-workshop/trust-boundary-demo.git
cd trust-boundary-demo
```
Step 2. Navigate to Organization settings → Data Residency and confirm Japan-region enforcement is active.
Step 3. Fill in the Data Residency Checklist: open docs/data-residency-checklist.md and record your observations:
| Category | Data | Residency Status |
|---|---|---|
| ✅ Inside region | Source code (Git repositories) | Stored in Japan |
| ✅ Inside region | Issues, pull requests, discussions | Stored in Japan |
| ✅ Inside region | Wikis | Stored in Japan |
| ✅ Inside region | User profile data (EMU-managed) | Stored in Japan |
| ✅ Inside region | GitHub Actions logs & artifacts | Stored in Japan |
| ⚠️ May leave region | Copilot telemetry & usage logs | Processed by Copilot service |
| ⚠️ May leave region | Billing & support data | Managed globally |
| ⚠️ May leave region | Secret scanning validity checks | External service validation |
Step 4. Note GHE.com differences: open docs/ghe-com-comparison.md and fill in your observations:
| Aspect | GitHub.com | GHE.com (Data Residency) |
|---|---|---|
| URL | github.com/org/repo | ENTERPRISE.ghe.com/org/repo |
| API endpoint | api.github.com | api.ENTERPRISE.ghe.com |
| Public repos | ✅ Available | ❌ Not available |
| GitHub Marketplace | ✅ Available | ⚠️ Limited |
| Gists | ✅ Available | ❌ Not available |
| GitHub Pages (public) | ✅ Available | ❌ Not available |
| GitHub Sponsors | ✅ Available | ❌ Not available |
| Discussions | ✅ Available | Check availability |
Step 5. As an EMU user, attempt to create a personal repository and push code:
```bash
# This should fail: EMU accounts cannot create repos outside the enterprise
gh repo create my-personal-project --private
```
Observe: The operation is blocked. EMU accounts can only operate within the enterprise boundary.
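To make the boundary checked in Steps 1 and 4 mechanical rather than eyeballed, here is an added example (not part of the workshop repository or its verify script) that classifies a repository's git remotes as inside or outside the enterprise's GHE.com host. The enterprise hostname is an assumption you pass in; `acme.ghe.com` in the comments stands in for your real YOUR-ENTERPRISE.ghe.com.

```bash
#!/usr/bin/env sh
# Added example: decide whether a git remote stays inside the Data Residency
# trust boundary, i.e. is hosted on the enterprise's GHE.com subdomain rather
# than on github.com or any other host. The enterprise host (e.g. acme.ghe.com)
# is an assumption supplied by the caller, not a value from the workshop.

# Print the host part of a remote URL. Handles https://, http://, ssh:// forms
# (with optional user@ and :port) and the scp-like git@host:org/repo.git form.
remote_host() {
  url="$1"
  case "$url" in
    ssh://*|https://*|http://*)
      host="${url#*://}"   # drop the scheme
      host="${host#*@}"    # drop user@ if present
      host="${host%%/*}"   # drop the path
      host="${host%%:*}"   # drop :port if present
      ;;
    *@*:*)
      host="${url#*@}"     # git@acme.ghe.com:org/repo.git -> acme.ghe.com:org/repo.git
      host="${host%%:*}"   # -> acme.ghe.com
      ;;
    *)
      host=""              # no recognisable remote syntax
      ;;
  esac
  printf '%s\n' "$host"
}

# Exit 0 when the remote is hosted on the enterprise's own GHE.com host,
# 1 otherwise (github.com, a different enterprise, or an unparseable URL).
in_trust_boundary() {
  url="$1"
  enterprise_host="$2"
  host="$(remote_host "$url")"
  [ -n "$host" ] && [ "$host" = "$enterprise_host" ]
}

# Label every remote of the current checkout; only meaningful inside a clone.
report_remotes() {
  enterprise_host="$1"
  git remote 2>/dev/null | while read -r name; do
    url="$(git remote get-url "$name")"
    if in_trust_boundary "$url" "$enterprise_host"; then
      printf 'INSIDE  %s %s\n' "$name" "$url"
    else
      printf 'OUTSIDE %s %s\n' "$name" "$url"
    fi
  done
}

# Run the report only when the caller names an enterprise host.
if [ -n "${ENTERPRISE_HOST:-}" ]; then
  report_remotes "$ENTERPRISE_HOST"
fi
```

Run it from inside the clone as `ENTERPRISE_HOST=YOUR-ENTERPRISE.ghe.com sh check-remotes.sh`; any remote reported OUTSIDE is a place where source code would cross the boundary on push.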
Expected Outcome
Participants can articulate what data is inside vs. outside the trust boundary and understand the trade-offs of Data Residency.
Tip: Run scripts/verify-exercise1.sh to validate your Exercise 1 completion.
```bash
./scripts/verify-exercise1.sh
```
Key Insight
"Data Residency doesn't mean ALL data stays in Japan. It means you've made a conscious decision about where the trust boundary is, and you understand what crosses it."
NIST SSDF PO.1 requires organizations to "define security requirements for their development infrastructure." Data Residency is how GitHub Enterprise delivers on this requirement, by giving organizations control over where their development data resides.