Archiving old GitHub projects properly

I have a lot of projects in GitHub, many of which come from the time I was in Mozilla, in which we were coming up with a lot of ideas and experiments, and more often than not, most of the projects went nowhere (with exceptions - like nunjucks or localForage).

We normally tried to place them under the official @mozilla org account, as it helped with managing permissions for people and all those admin tasks that need doing regularly, but at some point we had so many repos in the @mozilla account that the bill became too expensive, so we started creating other mini-org accounts, like $name_of_team-devs.

In all cases the flow would be one of:

  1. You started a project as an individual and eventually transferred ownership of the project to the org, then made a clone of your project in your personal account (i.e. a fork)
  2. Or the project was created straight up in the org and you made your fork, to send PRs to the main project
  3. Or it was never quite meant to be worked on by more people, so it started life in your account and never left it. Some colleagues would look at it, but it wasn't super important - maybe just a proof of concept.

What eventually happened in all cases is that you forgot about the project.

And then one day someone invents this dependabot thing and you start getting security alert notifications about repositories in your account that somehow, vaguely, ring a bell, but just very vaguely.

And because those project clones are in your account, and there isn't a nice account admin taking care of managing old repositories anymore, you think: OH GOD NO, more work!

You ignore the notifications for the longest time because you have better things to do, but at some point you decide you're tired of this noise in your inbox and it's time to archive them for good!

So here's how:

  1. Go to the repository settings (it's {repo url}/settings/).
  2. Scroll to the Security section in the sidebar.
  3. Select Code security and analysis (in {repo url}/settings/security_analysis).
  4. Scroll to the Dependabot section on the main content.
  5. If Dependabot alerts is enabled, disable it. That should stop the alerts!
  6. Select General in the sidebar (it's the first option at the time of writing).
  7. Scroll down to Danger zone.
  8. Click the Archive this repository option. You'll get a scary looking dialog, just in case you're trying to archive something that you shouldn't. It might encourage you to add a note to the README explaining why the project is archived, etc., but frankly, you might not need to.
  9. You need to type the project owner and path in the input they present to confirm.
  10. Click the I understand the consequences, archive this repository button and experience the ✨bliss✨ of one less project to be responsible for.

Question one: do you need to disable alerts before archiving?

I am not sure if you strictly need to disable the Dependabot alerts before archiving the repository, but I definitely do NOT want more alerts, so that's the thing that I genuinely disable first.

The warning dialog tells you that security features will be unavailable and in particular highlights "Code scanning", but I do not know what that means with regard to Dependabot, so who knows.

Question two: what if you want to go back and work on that project?

You can un-archive.

Question three: can this be automated?

I have no idea, but I'd like to know too.
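For what it's worth, the two steps that matter in the list above (disable Dependabot alerts, then archive) can be scripted with the GitHub CLI. The following is an added example, not part of the original post: it assumes `gh` is installed and authenticated with a token that has admin rights on the repository, and it uses the REST endpoints `DELETE /repos/{owner}/{repo}/vulnerability-alerts` (Dependabot alerts are "vulnerability alerts" in the API) and `PATCH /repos/{owner}/{repo}` with `archived=true`. The `valid_slug`, `archive_repo` and `DRY_RUN` names are mine.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): archive a GitHub repository
# with the gh CLI after switching off its Dependabot alerts.
# Assumes `gh` is installed and `gh auth login` has been run with a token
# that has admin access to the repository.

# Accept only a well-formed "owner/name" slug: exactly one slash, nothing
# empty on either side. Returns 0 when valid, 1 otherwise.
valid_slug() {
  case "$1" in
    ''|/*|*/|*/*/*) return 1 ;;   # empty, leading/trailing slash, two slashes
    */*)            return 0 ;;   # exactly one slash
    *)              return 1 ;;   # no slash at all
  esac
}

# Disable Dependabot alerts (step 5 in the list) and archive the repo
# (steps 8-10). With DRY_RUN=1 the gh commands are printed instead of run,
# so the script can be checked without touching GitHub.
archive_repo() {
  slug="$1"
  valid_slug "$slug" || { printf 'bad repo slug: %s\n' "$slug" >&2; return 2; }

  run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
  }

  # "vulnerability alerts" is the REST API name for Dependabot alerts.
  run gh api -X DELETE "repos/$slug/vulnerability-alerts" || return 1
  # Archiving is just a PATCH on the repository object.
  run gh api -X PATCH "repos/$slug" -F archived=true
}

# Usage: DRY_RUN=1 sh archive.sh octocat/hello-world   (prints the commands)
#        sh archive.sh octocat/hello-world             (actually does it)
if [ -n "$1" ]; then
  archive_repo "$1"
fi
```

Running it with `DRY_RUN=1` first is the cheap way to confirm you are pointing at the right repository before the archive call, which has no confirmation dialog when issued through the API. If you only want the archive half, `gh repo archive owner/name -y` does the same PATCH for you.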

Question four: what else am I missing?

Maybe if there were private keys associated with the repo for publishing web pages or for signing other things, they should be removed?

If the project had an associated npm package, maybe it needs to also be marked as archived?

What else? You tell me!