diff --git a/.github/workflows/safe-settings.yaml b/.github/workflows/safe-settings.yaml
new file mode 100644
index 0000000..cc5f1e8
--- /dev/null
+++ b/.github/workflows/safe-settings.yaml
@@ -0,0 +1,64 @@
+---
+name: Safe Settings Sync
+on:
+ push:
+ branches:
+ - main
+ - renovate/**
+ pull_request:
+ schedule:
+ - cron: 0 */4 * * *
+ workflow_dispatch: {}
+
+concurrency:
+ cancel-in-progress: true
+ group: >-
+ ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+
+jobs:
+ safe-settings-sync:
+ runs-on: ubuntu-latest
+ env:
+ SAFE_SETTINGS_VERSION: 2.1.14
+ SAFE_SETTINGS_CODE_DIR: .safe-settings-code
+ steps:
+ - name: Checkout source
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+ - name: Checkout GitHub Safe-Settings repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ path: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+ ref: ${{ env.SAFE_SETTINGS_VERSION }}
+ repository: github/safe-settings
+
+ - name: Setup Node.js
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
+ with:
+ cache-dependency-path:
+ ${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json
+ cache: npm
+ node-version-file: ${{ env.SAFE_SETTINGS_CODE_DIR }}/.nvmrc
+
+ - name: Install dependencies
+ run: npm install
+ working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+
+ - name: Run application
+ run: npm run full-sync
+ working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+ env:
+ ADMIN_REPO: .github
+ APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}
+ BLOCK_REPO_RENAME_BY_HUMAN: false
+ CONFIG_PATH: safe-settings
+ DEPLOYMENT_CONFIG_FILE:
+ ${{ github.workspace }}/safe-settings/deployment.yaml
+ ENABLE_PR_COMMENT: true
+ GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
+ GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
+ GITHUB_CLIENT_SECRET:
+ ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}
+ LOG_LEVEL: trace
+ PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
+ SETTINGS_FILE_PATH: account.yaml
diff --git a/safe-settings/README.md b/safe-settings/README.md
new file mode 100644
index 0000000..3c0af93
--- /dev/null
+++ b/safe-settings/README.md
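Review bot: The job declares no `permissions:` block, so the GITHUB_TOKEN it is issued keeps the repository's default scope even though the steps only need to read the two checkouts (the sync itself authenticates with the App credentials in the last step's `env`); add `permissions: { contents: read }` at the job level. `run: npm install` in the Install dependencies step does not enforce the lock file that `cache-dependency-path` already points at, so the installed tree can drift from safe-settings' `package-lock.json` at that tag; `run: npm ci` installs exactly the lock and fails when lock and manifest disagree. The two actions are pinned to commit SHAs, but the safe-settings checkout uses `ref: ${{ env.SAFE_SETTINGS_VERSION }}`, a tag that can be moved; setting SAFE_SETTINGS_VERSION to the tag's commit SHA with the tag in a trailing comment (matching the `# v4` style) gives the same guarantee for the code that is later executed. `LOG_LEVEL: trace` runs the sync at its most verbose level while the job holds the App private key and client secret; the `${{ secrets.* }}` values themselves are masked, but anything the tool derives from them and logs at trace may not be — worth confirming what trace emits before leaving it on by default.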
@@ -0,0 +1,58 @@
+# Safe-Settings
+
+[Safe-Settings](https://github.com/github/safe-settings) is a way to manage
+policy-as-code and apply repository settings across the account. A
+[GitHub App](https://github.com/apps/paddyroddy-safe-settings) has been set up
+which the [GitHub Action](../.github/workflows/safe-settings.yaml) uses to apply
+the settings on a cron schedule.
+
+## Configuration Files
+
+There are four types of settings that can be applied:
+
+- [Deployment](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml)
+ which defines deployment and runtime settings.
+- [Account](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml)
+ which can be used to define account-level settings.
+- [Repository](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/repo.yml)
+ which can be used to define repo-level settings.
+- [Suborganisation](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml)
+ which can be used to define suborganisation-level settings.
+
+Beyond these example configurations one can read more about potential settings
+to apply in the
+[documentation](https://github.com/github/safe-settings/tree/main-enterprise/docs/github-settings).
+The precedence order for configuration is `repository` > `suborganisation` >
+`account`.
+
+## The Settings in This Repository
+
+### Deployment
+
+The [deployment settings](deployment.yaml) are used to exclude archived
+repositories from the Safe-Settings app. This is because these repositories are
+read-only and hence cannot be modified. Rather than having the GitHub Action
+fail on these repositories, they are excluded from the run.
+
+### Account
+
+The [account settings](account.yaml) are used to define general repository
+settings for all repositories across the account. These settings are applied to
+all repositories unless the precedence order is overridden by the
+suborganisation settings (or repository settings).
+
+### Suborganisation
+
+The [suborganisation settings](suborgs/rulesets.yaml) are being used to define
+[rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)
+for all repositories across the account. The `rulesets` available in the account
+settings are defined for the account itself rather than individual repositories,
+so they cannot be set via account settings. This hack is done through
+
+```yaml
+suborgrepos:
+ - "*"
+```
+
+at the top of the file. Further explanation can be found in the
+[Safe-Settings issues](https://github.com/github/safe-settings/issues/553#issuecomment-2552578978).
diff --git a/safe-settings/account.yaml b/safe-settings/account.yaml
new file mode 100644
index 0000000..769fe50
--- /dev/null
+++ b/safe-settings/account.yaml
@@ -0,0 +1,12 @@
+# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml
+---
+repository:
+ allow_auto_merge: true
+ allow_merge_commit: false
+ allow_rebase_merge: false
+ delete_branch_on_merge: true
+ has_discussions: false
+ has_downloads: false
+ has_wiki: false
+ squash_merge_commit_message: PR_BODY
+ squash_merge_commit_title: PR_TITLE
diff --git a/safe-settings/deployment.yaml b/safe-settings/deployment.yaml
new file mode 100644
index 0000000..a4fa376
--- /dev/null
+++ b/safe-settings/deployment.yaml
@@ -0,0 +1,5 @@
+# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml
+---
+restrictedRepos:
+ # these repos are all archived and will cause the GHA to fail
+ exclude: []
diff --git a/safe-settings/suborgs/rulesets.yaml b/safe-settings/suborgs/rulesets.yaml
new file mode 100644
index 0000000..8a0a83a
--- /dev/null
+++ b/safe-settings/suborgs/rulesets.yaml
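Review bot: `allow_auto_merge: true` is pushed to every repository, while the rulesets added in safe-settings/suborgs/rulesets.yaml (the last hunk of this commit) contain only `deletion`, `non_fast_forward` and `required_status_checks` rules and no `pull_request` rule, so nothing in this commit requires a review — or a pull request at all — before a change reaches the default branch, and auto-merge completes as soon as the `links` and `linting` checks pass. If that is intended, a comment on this line such as `# auto-merge is gated only by the required status checks in suborgs/rulesets.yaml` would stop the next reader assuming reviews are enforced; otherwise the rulesets file needs a `pull_request` rule carrying the review count the organisation wants.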
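Review bot: The comment `# these repos are all archived and will cause the GHA to fail` sits above `exclude: []`, an empty list, so it describes entries that do not exist; either the archived repositories were meant to be listed, or the comment is a placeholder, and the README in this commit says archived repositories are excluded, which this file does not currently do. Reword it to match the content, e.g. `# archived (read-only) repositories to skip; the sync fails when it tries to modify them — none listed yet`, and populate the list when there are repositories to exclude.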
@@ -0,0 +1,40 @@
+# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml
+---
+suborgrepos:
+ - "*"
+
+rulesets:
+ - name: Default
+ target: branch
+ enforcement: active
+
+ conditions:
+ ref_name:
+ include:
+ - ~DEFAULT_BRANCH
+ exclude: []
+
+ rules:
+ - type: deletion
+ - type: non_fast_forward # prevents force pushes
+
+ - name: Status Checks
+ target: branch
+ enforcement: active
+
+ conditions:
+ ref_name:
+ include:
+ - ~DEFAULT_BRANCH
+ exclude: []
+
+ rules:
+ - type: required_status_checks
+ parameters:
+ do_not_enforce_on_create: false
+ required_status_checks:
+ - context: links
+ integration_id: 15368
+ - context: linting
+ integration_id: 15368
+ strict_required_status_checks_policy: false
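Review bot: `integration_id: 15368` appears twice with no comment naming the app that must report the `links` and `linting` checks; a bare numeric ID is opaque to the next maintainer, and if it identifies a different app than the one running those workflows, a check of the same name from the real source would not satisfy the rule. Add a comment on the first occurrence, e.g. `# integration_id: <app that reports the links/linting checks> — TODO name it` (presumably the app behind those workflows — confirm), or define the value once with an anchor and alias it so the two entries cannot drift apart. `strict_required_status_checks_policy: false` deserves the same inline treatment the file gives `non_fast_forward`, e.g. `# false: a PR may merge without re-running checks against the latest base`. Neither ruleset lists `bypass_actors`, which appears to mean no actor — organisation admins included — can bypass them; that is the stricter choice and fine if deliberate, but a one-line comment saying so would save a later reader from adding one "to fix" it.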