From 46a8fe8fa95f3e56f86d1fae70ac41113465cb8a Mon Sep 17 00:00:00 2001
From: andyblundell <andrew.blundell@nhs.net>
Date: Mon, 14 Aug 2023 16:51:31 +0100
Subject: [PATCH] Update securing-repositories.md

---
 practices/securing-repositories.md | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/practices/securing-repositories.md b/practices/securing-repositories.md
index a799feda..05671e2b 100644
--- a/practices/securing-repositories.md
+++ b/practices/securing-repositories.md
@@ -28,12 +28,17 @@ This guide describes our minimum set of requirements to secure & configure our G
 - Abuse reporting must be enabled by <!-- markdown-link-check-disable -->[accepting content reports](https://docs.github.com/en/communities/moderating-comments-and-conversations/managing-how-contributors-report-abuse-in-your-organizations-repository)<!-- markdown-link-check-enable -->
 - In line with our [inclusive language guidance](../inclusive-language.md), the default branch must not be named "master" - we suggest "main" - please see our [inclusive language guidance](../inclusive-language.md) for how to rename the default branch.
 - GitHub teams must be created to provide individuals access to repositories. The minimum recommended setup is as follows:
-  - Create one team with the name of your programme (e.g. `Engineering Quality Framework`). Add all required members to this team.
-  - Create one child team within the team, for admins only (e.g. `Engineering Quality Framework Admins`). Add admins only to this team.
-  - Create a second child team, for code owners (e.g. `Engineering Quality Framework Code Owners`). Add relevant members to this team, and reference in the CODEOWNERS file (example [here](https://github.com/NHSDigital/software-engineering-quality-framework/blob/master/.github/CODEOWNERS)).
-  - For each repo in your programme (e.g. `software-engineering-quality-framework`), under the `Manage Access` option in `Settings`, set the general team to have `Write` access and the admins team to have `Admin` access.
+  - Create a team for the repo (e.g. `Engineering Quality Framework`).
+    - Add all required members to this team.
+    - Set this team to have `Write` access (under the `Manage Access` option in `Settings`).
+  - Create a child team, for admins only (e.g. `Engineering Quality Framework Admins`).
+    - Add admins only to this team.
+    - Set this team to have `Admin` access (under the `Manage Access` option in `Settings`).
+  - Create a second child team, for code owners (e.g. `Engineering Quality Framework Code Owners`).
+    - Add relevant members to this team.
+    - Use this team rather than individual accounts in the CODEOWNERS file (example [here](https://github.com/NHSDigital/software-engineering-quality-framework/blob/master/.github/CODEOWNERS)).
   - Child teams inherit the parent's access permissions, simplifying permissions management for large groups. Members of child teams also receive notifications when the parent team is `@mentioned`, simplifying communication with multiple groups of people.
-  - Depending on your use case, you may want to create additional teams (e.g. a read-only access team, or different teams granting access to different projects). This is welcomed by the framework, as long as the teams provide clarity on the role they encompass, remain consistent and are applied consistently to your repositories.
+  - Depending on your use case, you may want to create additional teams (e.g. a read-only access team).
 
 ## Code security