What should never go into GitHub

• credentials
• sensitive data (PII)

What should not go into a public repo?

• avoid publishing account numbers, vpc ids, ???
• detailed permission configurations
• sceptre code containing the above
• abstract sceptre templates may be very useful to share

What types of private repo content should be granted access as-needed to CDL users

• detailed sceptre templates
• detailed log output that could leak sensitive config details
• code repos container user names, emails and permission grants

Which users should have default read access to ALL repos for an org?

• Org owners have this by default
• Tech leads and DevOps engineers within the org?
• IAS (daily account)?
• IAS (admin account)?
• Managers?

What types of private repository content should be readonly by default for ALL CDL users within an org?

• ?