Commit
1 parent
4f5f424
commit 8b1ebad
Showing 5 changed files with 179 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
--- | ||
name: Safe Settings Sync | ||
on: | ||
push: | ||
branches: | ||
- main | ||
- renovate/** | ||
pull_request: | ||
schedule: | ||
- cron: 0 */4 * * * | ||
workflow_dispatch: {} | ||
|
||
concurrency: | ||
cancel-in-progress: true | ||
group: >- | ||
${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | ||
jobs: | ||
safe-settings-sync: | ||
runs-on: ubuntu-latest | ||
env: | ||
SAFE_SETTINGS_VERSION: 2.1.14 | ||
SAFE_SETTINGS_CODE_DIR: .safe-settings-code | ||
steps: | ||
- name: Checkout source | ||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
|
||
- name: Checkout GitHub Safe-Settings repository | ||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
with: | ||
path: ${{ env.SAFE_SETTINGS_CODE_DIR }} | ||
ref: ${{ env.SAFE_SETTINGS_VERSION }} | ||
repository: github/safe-settings | ||
|
||
- name: Setup Node.js | ||
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4 | ||
with: | ||
cache-dependency-path: | ||
${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json | ||
cache: npm | ||
node-version-file: ${{ env.SAFE_SETTINGS_CODE_DIR }}/.nvmrc | ||
|
||
- name: Install dependencies | ||
run: npm install | ||
working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }} | ||
|
||
- name: Run application | ||
run: npm run full-sync | ||
working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }} | ||
env: | ||
ADMIN_REPO: .github | ||
APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }} | ||
BLOCK_REPO_RENAME_BY_HUMAN: false | ||
CONFIG_PATH: safe-settings | ||
DEPLOYMENT_CONFIG_FILE: | ||
${{ github.workspace }}/safe-settings/deployment.yaml | ||
ENABLE_PR_COMMENT: true | ||
GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }} | ||
GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }} | ||
GITHUB_CLIENT_SECRET: | ||
${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }} | ||
LOG_LEVEL: trace | ||
PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }} | ||
SETTINGS_FILE_PATH: account.yaml |
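Review bot: the `pull_request` trigger (and the `renovate/**` push branches) run `npm run full-sync` with `PRIVATE_KEY` and `GITHUB_CLIENT_SECRET` in the environment, and `DEPLOYMENT_CONFIG_FILE` points at `${{ github.workspace }}/safe-settings/deployment.yaml`, i.e. whatever the checked-out branch contains, so a run started from an unmerged branch syncs with that branch's deployment config; gate the `Run application` step (e.g. `if: github.event_name != 'pull_request'`) unless PR runs are meant to be real syncs. Three smaller points: add a top-level `permissions:` block (e.g. `contents: read`) so the default `GITHUB_TOKEN` is no broader than the job needs; use `npm ci` rather than `npm install` in `Install dependencies` so the cached `package-lock.json` is installed verbatim instead of being re-resolved; and `SAFE_SETTINGS_VERSION: 2.1.14` is a mutable tag used as `ref`, while the actions on the same lines are pinned to commit SHAs, so pin the tag's commit for the same supply-chain reason. `LOG_LEVEL: trace` also belongs only on a run being debugged, since trace output from the app lands in job logs readable by anyone who can view the workflow.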
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
# Safe-Settings | ||
|
||
[Safe-Settings](https://github.com/github/safe-settings) is a way to manage | ||
policy-as-code and apply repository settings across the account. A | ||
[GitHub App](https://github.com/apps/paddyroddy-safe-settings) has been set up | ||
which the [GitHub Action](../.github/workflows/safe-settings.yaml) uses to apply | ||
the settings on a cron schedule. | ||
|
||
## Configuration Files | ||
|
||
There are four types of settings that can be applied: | ||
|
||
- [Deployment](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml) | ||
which defines deployment and runtime settings. | ||
- [Account](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml) | ||
which can be used to define account-level settings. | ||
- [Repository](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/repo.yml) | ||
which can be used to define repo-level settings. | ||
- [Suborganisation](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml) | ||
which can be used to define suborganisation-level settings. | ||
|
||
Beyond these example configurations one can read more about potential settings | ||
to apply in the | ||
[documentation](https://github.com/github/safe-settings/tree/main-enterprise/docs/github-settings). | ||
The precedence order for configuration is `repository` > `suborganisation` > | ||
`account`. | ||
|
||
## The Settings in This Repository | ||
|
||
### Deployment | ||
|
||
The [deployment settings](deployment.yaml) are used to exclude archived | ||
repositories from the Safe-Settings app. This is because these repositories are | ||
read-only and hence cannot be modified. Rather than having the GitHub Action | ||
fail on these repositories, they are excluded from the run. | ||
|
||
### Account | ||
|
||
The [account settings](account.yaml) are used to define general repository | ||
settings for all repositories across the account. These settings are applied to | ||
all repositories unless the precedence order is overridden by the | ||
suborganisation settings (or repository settings). | ||
|
||
### Suborganisation | ||
|
||
The [suborganisation settings](suborgs/rulesets.yaml) are being used to define | ||
[rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) | ||
for all repositories across the account. The `rulesets` available in the account | ||
settings are defined for the account itself rather than individual repositories, | ||
so they cannot be set via account settings. This hack is done through | ||
|
||
```yaml | ||
suborgrepos: | ||
- "*" | ||
``` | ||
at the top of the file. Further explanation can be found in the | ||
[Safe-Settings issues](https://github.com/github/safe-settings/issues/553#issuecomment-2552578978). |
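Review bot: the opening paragraph says the Action applies the settings "on a cron schedule", but the workflow added in this commit also runs on `push` to `main` and `renovate/**`, on `pull_request`, and on `workflow_dispatch`; list those triggers here, otherwise a reader of this file will not expect a pull request to start a sync. Minor: "four types of settings" lists four items but the precedence sentence covers three (`repository` > `suborganisation` > `account`); one sentence stating that `deployment` is runtime configuration for the app rather than a settings layer would make the two consistent.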
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml | ||
--- | ||
repository: | ||
allow_auto_merge: true | ||
allow_merge_commit: false | ||
allow_rebase_merge: false | ||
delete_branch_on_merge: true | ||
has_discussions: false | ||
has_downloads: false | ||
has_wiki: false | ||
squash_merge_commit_message: PR_BODY | ||
squash_merge_commit_title: PR_TITLE |
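Review bot: this file enforces squash-only merging (`allow_merge_commit` and `allow_rebase_merge` both `false`) and branch cleanup, but none of the security-related repository defaults offered by the linked sample `settings.yml` (vulnerability alerts, automated security fixes, issue/project visibility) are set, so those stay at whatever each repository currently has; if that is deliberate, a comment saying so will stop reviewers from re-raising it. Also consider adding `allow_squash_merge: true` explicitly so the one remaining merge method is pinned by config rather than by the per-repository default.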
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml | ||
--- | ||
restrictedRepos: | ||
# these repos are all archived and will cause the GHA to fail | ||
exclude: [] |
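Review bot: `exclude: []` is empty while the comment above it says "these repos are all archived and will cause the GHA to fail", and the README added in this commit says this file excludes archived repositories; either list the archived repositories here or reword the comment to say the list is populated as repositories get archived, and note that a sync will fail on the first newly archived repository until it is added.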
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml | ||
--- | ||
suborgrepos: | ||
- "*" | ||
|
||
rulesets: | ||
- name: Default | ||
target: branch | ||
enforcement: active | ||
|
||
conditions: | ||
ref_name: | ||
include: | ||
- ~DEFAULT_BRANCH | ||
exclude: [] | ||
|
||
rules: | ||
- type: deletion | ||
- type: non_fast_forward # prevents force pushes | ||
|
||
- name: Status Checks | ||
target: branch | ||
enforcement: active | ||
|
||
conditions: | ||
ref_name: | ||
include: | ||
- ~DEFAULT_BRANCH | ||
exclude: [] | ||
|
||
rules: | ||
- type: required_status_checks | ||
parameters: | ||
do_not_enforce_on_create: false | ||
required_status_checks: | ||
- context: links | ||
integration_id: 15368 | ||
- context: linting | ||
integration_id: 15368 | ||
strict_required_status_checks_policy: false |
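Review bot: the `Default` ruleset blocks deletion and force pushes on the default branch but contains no `pull_request` rule, so direct pushes to the default branch are still allowed by this ruleset; add `- type: pull_request` (with `required_approving_review_count` under `parameters`) if review-before-merge is the intent. Two points on `Status Checks`: `integration_id: 15368` appears twice with nothing saying which app it identifies, so add a comment; and because `suborgrepos: - "*"` applies the ruleset to every repository, any repo that never reports a `links` or `linting` check will have those contexts pending forever, which blocks merges there. `strict_required_status_checks_policy: false` also lets a branch merge on checks that passed against an older base; set it to `true` if up-to-date checks are wanted.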