GitHub Archived 11,000 of Its Own Repos. Cleanup Was the Side Effect.
Site Owner
Published on 2026-07-09
GitHub had 14,000+ internal repos and most had no owner — a real problem when a leaked secret needs rotating and nobody knows who to call. Here's how they made ownership a queryable, enforced property, the two production incidents that reshaped the design, and a reusable playbook.
GitHub Archived 11,000 of Its Own Repos. Cleanup Was the Side Effect.
GitHub's primary internal organization holds more than 14,000 repositories. As of early 2025, over 11,000 of them were still active — and most had no idea who owned them (GitHub Blog, July 2026). Not a vague "the docs team, probably." No owner at all. No name to ping, no team to page.
That sounds like a housekeeping annoyance until a secret leaks.
During GitHub's secret scanning cleanup, engineers could detect an exposed credential and technically rotate it. But rotating a secret without knowing who depends on the repository is how you take down a production service on a Tuesday afternoon. So before touching anything, someone had to answer a basic question: who owns this? For thousands of repos, the honest answer was a shrug.
A repository nobody owns isn't clutter. It's a security phone that rings with no one on the other end.
Why "check the README and ask Slack" doesn't scale
GitHub already tracked ownership — for services. Their internal Service Catalog mapped each deployed service to its repository, its team, its on-call rotation, its exec sponsor. Rich metadata, exactly what you want for incident response.
The catch was the direction of the arrow. The relationship ran service → repository. Start from a service, you find the repo and its owners. Start from a repository, and you're stuck reversing a lookup that only works if the repo backed a catalogued service in the first place.
Most repositories don't. Team repos, docs repos, internal tools, one-off projects, personal experiments — none of them show up in a service catalog. For every one of those, finding the owner meant reading commit history, skimming the README, guessing from the repo name, or asking around in Slack and hoping someone recognized it.
That works once. It does not work when a security workflow fans out across 11,000 repos at the same time. Manual archaeology becomes the bottleneck, and the bottleneck sits directly between "we found a leaked secret" and "we fixed it." The problem was never tidiness. Ownership was simply never a property you could query — it was tribal knowledge, and tribal knowledge doesn't answer a page at 2 a.m.

