$ shellfirm
Protection Coverage

GitHub CLI

Protection patterns for GitHub CLI operations including repo deletion, visibility changes, and secret management

The github check group covers destructive GitHub CLI (gh) operations that can permanently delete repositories and releases or break CI/CD pipelines.

GitHub checks

Delete repository

ID: github:repo_delete
Severity: Critical

Permanently deletes a repository and all its data — code, issues, pull requests, and wiki.

# Triggers
gh repo delete
gh repo delete myorg/myrepo
gh repo delete --yes

Archive repository

ID: github:repo_archive
Severity: High

Archiving makes a repository read-only, which can break CI/CD workflows and prevent merges.

# Triggers
gh repo archive
gh repo archive myorg/myrepo

# Does NOT trigger
gh repo unarchive myorg/myrepo

Rename repository

ID: github:repo_rename
Severity: High

Renaming breaks all existing clone URLs, CI/CD references, and bookmarks.

# Triggers
gh repo rename new-name
gh repo rename --yes new-name

Change repository visibility

ID: github:repo_change_visibility
Severity: High

Changing visibility can expose private code publicly or break access for external contributors.

# Triggers
gh repo edit --visibility private
gh repo edit --visibility public
gh repo edit myorg/myrepo --visibility internal

# Does NOT trigger
gh repo edit --description "new description"
gh repo edit --homepage "https://example.com"

Delete release

ID: github:release_delete
Severity: High

Deleting a release removes it and all its assets permanently.

# Triggers
gh release delete v1.0.0
gh release delete v1.0.0 --yes
gh release delete v1.0.0 --cleanup-tag

# Does NOT trigger
gh release list
gh release create v1.0.0

Delete secret

ID: github:secret_delete
Severity: High

Deleting a secret can break CI/CD pipelines that depend on it.

# Triggers
gh secret delete MY_SECRET
gh secret delete MY_SECRET --org myorg
gh secret delete MY_SECRET --env production

# Does NOT trigger
gh secret list
gh secret set MY_SECRET

Delete variable

ID: github:variable_delete
Severity: High

Deleting a variable can break CI/CD pipelines that depend on it.

# Triggers
gh variable delete MY_VAR
gh variable delete MY_VAR --org myorg
gh variable delete MY_VAR --env staging

# Does NOT trigger
gh variable list
gh variable set MY_VAR

Summary table

| ID | Command | Severity |
| --- | --- | --- |
| github:repo_delete | gh repo delete | Critical |
| github:repo_archive | gh repo archive | High |
| github:repo_rename | gh repo rename | High |
| github:repo_change_visibility | gh repo edit --visibility | High |
| github:release_delete | gh release delete | High |
| github:secret_delete | gh secret delete | High |
| github:variable_delete | gh variable delete | High |
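The following is an added example, not shellfirm's own check definitions: a small Python classifier whose regular expressions were written here to reproduce the trigger and non-trigger behaviour listed on this page. The check IDs and severities come from the summary table; the regex fragments, the `classify` function and the sample list are assumptions. It goes slightly beyond the page by also handling chained commands and the `--visibility=value` form.

```python
import re

# IDs and severities come from the summary table on this page. The regex
# fragments are assumptions written for this example, not shellfirm's patterns.
CHECKS = [
    ("github:repo_delete", "Critical", r"repo\s+delete"),
    ("github:repo_archive", "High", r"repo\s+archive"),
    ("github:repo_rename", "High", r"repo\s+rename"),
    # `gh repo edit` only counts when --visibility appears in the same command.
    ("github:repo_change_visibility", "High",
     r"repo\s+edit(?=\s)[^;&|]*?\s--visibility"),
    ("github:release_delete", "High", r"release\s+delete"),
    ("github:secret_delete", "High", r"secret\s+delete"),
    ("github:variable_delete", "High", r"variable\s+delete"),
]

# `gh` must start a word (so `ugh` is ignored) and each verb must be a whole
# word (so `unarchive` is not `archive`); `=` allows --visibility=public.
COMPILED = [
    (cid, sev, re.compile(r"(?<![\w-])gh\s+" + frag + r"(?=[\s=]|$)"))
    for cid, sev, frag in CHECKS
]


def classify(command_line):
    """Return (check_id, severity) for every check the command line hits."""
    return [(cid, sev) for cid, sev, rx in COMPILED if rx.search(command_line)]


# Constructed samples: commands from this page plus a chained and a negative case.
SAMPLES = [
    "gh repo delete --yes",
    "gh repo unarchive myorg/myrepo",
    "gh repo edit myorg/myrepo --visibility internal",
    'gh repo edit --description "new description"',
    "gh secret delete MY_SECRET --env production && gh repo rename new-name",
    "echo ugh repo delete",
]

if __name__ == "__main__":
    for line in SAMPLES:
        hits = classify(line) or [("no match", "-")]
        print(f"{line!r}: " + ", ".join(f"{c} [{s}]" for c, s in hits))
```

Results are returned in table order, so a chained line that hits several checks reports them in the order of the summary table rather than the order typed.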