Copy across github/safe-settings from @UCL-MIRSG (#262)
paddyroddy authored Dec 19, 2024
1 parent 4f5f424 commit 8b1ebad
Showing 5 changed files with 179 additions and 0 deletions.
64 changes: 64 additions & 0 deletions .github/workflows/safe-settings.yaml
@@ -0,0 +1,64 @@
---
name: Safe Settings Sync
on:
push:
branches:
- main
- renovate/**
pull_request:
schedule:
- cron: 0 */4 * * *
workflow_dispatch: {}

concurrency:
cancel-in-progress: true
group: >-
${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
jobs:
safe-settings-sync:
runs-on: ubuntu-latest
env:
SAFE_SETTINGS_VERSION: 2.1.14
SAFE_SETTINGS_CODE_DIR: .safe-settings-code
steps:
- name: Checkout source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

- name: Checkout GitHub Safe-Settings repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
path: ${{ env.SAFE_SETTINGS_CODE_DIR }}
ref: ${{ env.SAFE_SETTINGS_VERSION }}
repository: github/safe-settings

- name: Setup Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
cache-dependency-path:
${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json
cache: npm
node-version-file: ${{ env.SAFE_SETTINGS_CODE_DIR }}/.nvmrc

- name: Install dependencies
run: npm install
working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}

- name: Run application
run: npm run full-sync
working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
env:
ADMIN_REPO: .github
APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}
BLOCK_REPO_RENAME_BY_HUMAN: false
CONFIG_PATH: safe-settings
DEPLOYMENT_CONFIG_FILE:
${{ github.workspace }}/safe-settings/deployment.yaml
ENABLE_PR_COMMENT: true
GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
GITHUB_CLIENT_SECRET:
${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}
LOG_LEVEL: trace
PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
SETTINGS_FILE_PATH: account.yaml
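Review bot: the `pull_request` trigger has no `branches` filter and `push` includes `renovate/**`, so `npm run full-sync` runs with `secrets.SAFE_SETTINGS_PRIVATE_KEY` and `secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET` for every same-repository PR and every Renovate branch, not only on `main` and the cron; if PR runs are meant to be comment-only via `ENABLE_PR_COMMENT: true`, say so in a comment next to the trigger and consider `branches: [main]` on `pull_request`. Two smaller points in the same hunk: add a top-level `permissions:` block (`contents: read` is sufficient, since the job authenticates with the App private key rather than `GITHUB_TOKEN`), and use `npm ci` instead of `npm install` so the `package-lock.json` of the pinned `SAFE_SETTINGS_VERSION` is installed exactly as locked rather than resolved afresh. `LOG_LEVEL: trace` is also very verbose for a job that holds an App private key; `info` is a safer default once the setup is working.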
58 changes: 58 additions & 0 deletions safe-settings/README.md
@@ -0,0 +1,58 @@
# Safe-Settings

[Safe-Settings](https://github.com/github/safe-settings) is a way to manage
policy-as-code and apply repository settings across the account. A
[GitHub App](https://github.com/apps/paddyroddy-safe-settings) has been set up
which the [GitHub Action](../.github/workflows/safe-settings.yaml) uses to apply
the settings on a cron schedule.

## Configuration Files

There are four types of settings that can be applied:

- [Deployment](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml)
which defines deployment and runtime settings.
- [Account](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml)
which can be used to define account-level settings.
- [Repository](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/repo.yml)
which can be used to define repo-level settings.
- [Suborganisation](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml)
which can be used to define suborganisation-level settings.

Beyond these example configurations one can read more about potential settings
to apply in the
[documentation](https://github.com/github/safe-settings/tree/main-enterprise/docs/github-settings).
The precedence order for configuration is `repository` > `suborganisation` >
`account`.

## The Settings in This Repository

### Deployment

The [deployment settings](deployment.yaml) are used to exclude archived
repositories from the Safe-Settings app. This is because these repositories are
read-only and hence cannot be modified. Rather than having the GitHub Action
fail on these repositories, they are excluded from the run.

### Account

The [account settings](account.yaml) are used to define general repository
settings for all repositories across the account. These settings are applied to
all repositories unless the precedence order is overridden by the
suborganisation settings (or repository settings).

### Suborganisation

The [suborganisation settings](suborgs/rulesets.yaml) are being used to define
[rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)
for all repositories across the account. The `rulesets` available in the account
settings are defined for the account itself rather than individual repositories,
so they cannot be set via account settings. This hack is done through

```yaml
suborgrepos:
- "*"
```
at the top of the file. Further explanation can be found in the
[Safe-Settings issues](https://github.com/github/safe-settings/issues/553#issuecomment-2552578978).
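Review bot: the README says the Action applies settings "on a cron schedule", but the workflow in this commit also runs on `push` to `main` and `renovate/**`, on `pull_request` and on `workflow_dispatch`; document all four triggers so readers know a PR or Renovate branch also starts a sync. Also, "This hack is done through" runs straight into the fenced block and "at the top of the file" continues the sentence after the closing fence with no blank line; a single sentence before the block (e.g. "The workaround is to set `suborgrepos` to `\"*\"` at the top of the file:") reads better and renders correctly in Markdown.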
12 changes: 12 additions & 0 deletions safe-settings/account.yaml
@@ -0,0 +1,12 @@
# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml
---
repository:
allow_auto_merge: true
allow_merge_commit: false
allow_rebase_merge: false
delete_branch_on_merge: true
has_discussions: false
has_downloads: false
has_wiki: false
squash_merge_commit_message: PR_BODY
squash_merge_commit_title: PR_TITLE
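Review bot: `allow_merge_commit: false` and `allow_rebase_merge: false` leave squash merging as the only method, but `allow_squash_merge` is not set, so the outcome depends on each repository's existing value; add `allow_squash_merge: true` explicitly so the file fully declares the intended merge policy. A short comment that `allow_auto_merge: true` lets a PR merge as soon as required checks pass, so the rulesets are what gate merging, would also help whoever edits this next.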
5 changes: 5 additions & 0 deletions safe-settings/deployment.yaml
@@ -0,0 +1,5 @@
# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml
---
restrictedRepos:
# these repos are all archived and will cause the GHA to fail
exclude: []
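Review bot: the comment `# these repos are all archived and will cause the GHA to fail` describes a non-empty list, but `exclude: []` is empty, and the README in this commit says the deployment settings exclude archived repositories; either list the archived repositories here or reword the comment (e.g. "add archived repositories here; they are read-only and the sync fails on them") so the file matches its description.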
40 changes: 40 additions & 0 deletions safe-settings/suborgs/rulesets.yaml
@@ -0,0 +1,40 @@
# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml
---
suborgrepos:
- "*"

rulesets:
- name: Default
target: branch
enforcement: active

conditions:
ref_name:
include:
- ~DEFAULT_BRANCH
exclude: []

rules:
- type: deletion
- type: non_fast_forward # prevents force pushes

- name: Status Checks
target: branch
enforcement: active

conditions:
ref_name:
include:
- ~DEFAULT_BRANCH
exclude: []

rules:
- type: required_status_checks
parameters:
do_not_enforce_on_create: false
required_status_checks:
- context: links
integration_id: 15368
- context: linting
integration_id: 15368
strict_required_status_checks_policy: false
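Review bot: neither ruleset contains a `pull_request` rule, so with `suborgrepos: "*"` every repository's default branch is protected against deletion and force-push but still accepts direct pushes from anyone with write access; if changes are meant to go through review, add `- type: pull_request` with `required_approving_review_count` to the `Default` ruleset. Because the `Status Checks` ruleset also applies to every repository, any repository that never reports the `links` and `linting` contexts cannot merge to its default branch at all; confirm every repository runs those checks or scope the ruleset to the ones that do. A comment stating which app `integration_id: 15368` refers to would help future readers, and `strict_required_status_checks_policy: false` means a branch need not be up to date with the default branch when it merges; worth a comment if that is intentional.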
