PATTERN

Compartmentalized GitHub organizations

Problem

A single GitHub organization with hundreds or thousands of repositories means a compromised credential with org-level access can reach every repo. Archived/inactive repos with legacy CI configurations are particularly dangerous: they may have outdated security postures but still contain sensitive code or credentials.

Pattern

Split repositories across multiple GitHub organizations based on trust boundaries and activity status:

  1. Active organizations: compartmentalized by team/domain, with Actions enabled and token-broker integration
  2. Archived organization: a dedicated org for all archived/inactive repos, with Actions disabled entirely

This limits the blast radius of any single credential compromise to one organizational boundary.
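As an added example (not part of the original pattern page), the following Python script audits an inventory of organizations against the two invariants above and reports the per-org blast radius next to the single-org baseline. It consumes JSON shaped like the GitHub REST API responses for `GET /orgs/{org}/repos` (the `archived` field) and `GET /orgs/{org}/actions/permissions` (the `enabled_repositories` field, one of `all`, `none`, `selected`); the org names, repository names and the inventory itself are constructed for illustration, and the archive-org name `acme-archive` is an assumption.

```python
"""Audit a multi-org GitHub layout against the compartmentalization pattern.

Added example, not the original page's code. Input is JSON in the shape of
GET /orgs/{org}/repos (field "archived") and GET /orgs/{org}/actions/permissions
(field "enabled_repositories"); the inventory below is constructed, not fetched.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two active orgs plus the dedicated archived org.
# It deliberately contains three violations of the pattern.
INVENTORY = json.loads("""
{
  "acme-platform": {
    "actions": {"enabled_repositories": "all", "allowed_actions": "selected"},
    "repos": [
      {"name": "api-gateway", "archived": false},
      {"name": "legacy-ingest", "archived": true}
    ]
  },
  "acme-data": {
    "actions": {"enabled_repositories": "all", "allowed_actions": "selected"},
    "repos": [
      {"name": "warehouse", "archived": false},
      {"name": "etl-jobs", "archived": false}
    ]
  },
  "acme-archive": {
    "actions": {"enabled_repositories": "selected", "allowed_actions": "selected"},
    "repos": [
      {"name": "old-dashboard", "archived": true},
      {"name": "half-migrated", "archived": false}
    ]
  }
}
""")

ARCHIVE_ORG = "acme-archive"  # assumed name of the dedicated archived org


@dataclass
class Finding:
    org: str
    repo: Optional[str]  # None for org-level findings
    message: str


def audit(inventory: dict, archive_org: str) -> list:
    """Return one Finding per violation of the two invariants:
    (1) archived repos live only in the archive org, which holds nothing else;
    (2) the archive org has Actions disabled (enabled_repositories == "none")."""
    findings = []
    for org, data in inventory.items():
        enabled = data["actions"]["enabled_repositories"]
        if org == archive_org:
            if enabled != "none":
                findings.append(Finding(org, None,
                    f'Actions enabled_repositories is "{enabled}", expected "none"'))
            for repo in data["repos"]:
                if not repo["archived"]:
                    findings.append(Finding(org, repo["name"],
                        "active repo living in the archived org"))
        else:
            for repo in data["repos"]:
                if repo["archived"]:
                    findings.append(Finding(org, repo["name"],
                        f"archived repo still in an active org (move to {archive_org})"))
    return findings


def blast_radius(inventory: dict) -> dict:
    """Repos reachable by a credential scoped to each org, with the count a
    single merged org would expose as the baseline."""
    per_org = {org: len(data["repos"]) for org, data in inventory.items()}
    per_org["<single-org baseline>"] = sum(per_org.values())
    return per_org


if __name__ == "__main__":
    for f in audit(INVENTORY, ARCHIVE_ORG):
        where = f.org if f.repo is None else f"{f.org}/{f.repo}"
        print(f"VIOLATION {where}: {f.message}")
    for org, count in blast_radius(INVENTORY).items():
        print(f"{org}: {count} repos reachable by an org-scoped credential")
```

Run against real data by filling `INVENTORY` from the two endpoints named above for each org; an empty result from `audit` means every archived repo sits in the archive org and that org cannot execute workflows, and the `blast_radius` figures show how many repos any single org-scoped credential can still reach.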

Grafana's adoption (2026)

After the TanStack incident, Grafana began compartmentalizing its GitHub organizations and isolating all archived repos in a dedicated organization with Actions disabled. The motivation: the incident showed that a single credential (grafana-delivery-bot) could reach every repository in one org (Source: sources/2026-06-24-grafana-post-incident-review-tanstack-npm-supply-chain-ransom).

Trade-offs

  • Benefit: Credential blast radius capped at one org boundary
  • Benefit: Archived repos stop being CI attack vectors (no workflow execution surface)
  • Cost: Cross-org workflows become harder (can't share Actions, secrets, or runners across orgs)
  • Cost: Migration complexity for existing CI/CD that assumes single-org access
