-> **NOTE** -> If you don't want the PR message to have these details, it can be turned off by `env` setting `CREATE_PR_COMMENT`=`false` +> [!NOTE] +> If you don't want the PR message to have these details, they can be turned off with `CREATE_PR_COMMENT`. See [Environment variables](#environment-variables) for more details. Here is a screenshot of what the users will see in the `checkrun` page:
@@ -246,7 +258,7 @@ Here is a screenshot of what the users will see in the `checkrun` page:
### Error handling -The app creates a `Check` at the end of its processing to indicate if there were any errors. The `Check` is called `safe-settings` and corrosponds to the latest commit on the `default` branch of the `admin` repo. +The app creates a `Check` at the end of its processing to indicate if there were any errors. The `Check` is called `safe-settings` and corresponds to the latest commit on the `default` branch of the `admin` repo. Here is an example of a `checkrun` result:@@ -258,286 +270,103 @@ And the `checkrun` page will look like this:
-### The Settings file +### The Settings Files -The settings file can be used to set the policies at the `Org`, `suborg` or `repo` level. +The settings files can be used to set the policies at the `org`, `suborg` or `repo` level. -Using the settings, the following things could be configured: +The following can be configured: - `Repository settings` - home page, url, visibility, has_issues, has_projects, wikis, etc. -- `default branch` - naming and renaming -- `Repository Topics` +- `Default branch` - naming and renaming +- `Topics` +- `Custom properties` - `Teams and permissions` - `Collaborators and permissions` - `Issue labels` +- `Milestones` - `Branch protections` - if the name of the branch is `default` in the settings, it is applied to the `default` branch of the repo. - `Autolinks` -- `repository name validation` using regex pattern - -It is possible to provide an `include` or `exclude` settings to restrict the `collaborators`, `teams`, `labels` to a list of repos or exclude a set of repos for a collaborator. - -Here is an example settings file: - - -```yaml -# These settings are synced to GitHub by https://github.com/github/safe-settings - -repository: - # This is the settings that need to be applied to all repositories in the org - # See https://docs.github.com/en/rest/reference/repos#create-an-organization-repository for all available settings for a repository - # A short description of the repository that will show up on GitHub - description: description of the repo - - # A URL with more information about the repository - homepage: https://example.github.io/ - - # Keep this as true for most cases - # A lot of the policies below cannot be implemented on bare repos - # Pass true to create an initial commit with empty README. - auto_init: true - - # A list of topics to set on the repository - can alternatively set like this: [github, probot, new-topic, another-topic, topic-12] - topics: - - github - - probot - - new-topic - - another-topic - - topic-12 - - # Settings for Code security and analysis - # Dependabot Alerts - security: - enableVulnerabilityAlerts: true - enableAutomatedSecurityFixes: true - - # Either `true` to make the repository private, or `false` to make it public. - # If this value is changed and if Org members cannot change the visibility of repos - # it would result in an error when updating a repo - private: true - - # Can be public or private. If your organization is associated with an enterprise account using - # GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+, visibility can also be internal. - visibility: private - - # Either `true` to enable issues for this repository, `false` to disable them. - has_issues: true - - # Either `true` to enable projects for this repository, or `false` to disable them. - # If projects are disabled for the organization, passing `true` will cause an API error. - has_projects: true - - # Either `true` to enable the wiki for this repository, `false` to disable it. - has_wiki: true - - # The default branch for this repository. - default_branch: main-enterprise - - # Desired language or platform [.gitignore template](https://github.com/github/gitignore) - # to apply. Use the name of the template without the extension. - # For example, "Haskell". - gitignore_template: node - - # Choose an [open source license template](https://choosealicense.com/) - # that best suits your needs, and then use the - # [license keyword](https://help.github.com/articles/licensing-a-repository/#searching-github-by-license-type) - # as the `license_template` string. For example, "mit" or "mpl-2.0". - license_template: mit - - # Either `true` to allow squash-merging pull requests, or `false` to prevent - # squash-merging. - allow_squash_merge: true - - # Either `true` to allow merging pull requests with a merge commit, or `false` - # to prevent merging pull requests with merge commits. - allow_merge_commit: true - - # Either `true` to allow rebase-merging pull requests, or `false` to prevent - # rebase-merging. - allow_rebase_merge: true - - # Either `true` to allow auto-merge on pull requests, - # or `false` to disallow auto-merge. - # Default: `false` - allow_auto_merge: true - - # Either `true` to allow automatically deleting head branches - # when pull requests are merged, or `false` to prevent automatic deletion. - # Default: `false` - delete_branch_on_merge: true - - # Either `true` to allow update branch on pull requests, - # or `false` to disallow update branch. - # Default: `false` - allow_update_branch: true - - # Whether to archive this repository. false will unarchive a previously archived repository. - archived: false - -# The following attributes are applied to any repo within the org -# So if a repo is not listed above is created or edited -# The app will apply the following settings to it -labels: - # Labels: define labels for Issues and Pull Requests - include: - - name: bug - color: CC0000 - description: An issue with the system - - - name: feature - # If including a `#`, make sure to wrap it with quotes! - color: '#336699' - description: New functionality. - - - name: first-timers-only - # include the old name to rename an existing label - oldname: Help Wanted - color: '#326699' - - - name: new-label - # include the old name to rename an existing label - oldname: Help Wanted - color: '#326699' - exclude: - # don't delete any labels created on GitHub that starts with "release" - - name: ^release - -milestones: -# Milestones: define milestones for Issues and Pull Requests - - title: milestone-title - description: milestone-description - # The state of the milestone. Either `open` or `closed` - state: open - -collaborators: -# Collaborators: give specific users access to any repository. -# See https://docs.github.com/en/rest/reference/collaborators#add-a-repository-collaborator for available options -- username: regpaco - permission: push -# The permission to grant the collaborator. Can be one of: -# * `pull` - can pull, but not push to or administer this repository. -# * `push` - can pull and push, but not administer this repository. -# * `admin` - can pull, push and administer this repository. -- username: beetlejuice - permission: pull -# You can exclude a list of repos for this collaborator and all repos except these repos would have this collaborator - exclude: - - actions-demo -- username: thor - permission: push -# You can include a list of repos for this collaborator and only those repos would have this collaborator - include: - - actions-demo - - another-repo +- `Repository name validation` using regex pattern +- `Rulesets` +- `Environments` - wait timer, required reviewers, prevent self review, protected branches deployment branch policy, custom deployment branch policy, variables, deployment protection rules +> [!important] +> It is possible to provide an `include` or `exclude` settings to restrict the `collaborators`, `teams`, `labels` to a list of repos or exclude a set of repos for a collaborator. +> The include/exclude pattern can also be for glob. For e.g.: +``` teams: -# Teams See https://docs.github.com/en/rest/reference/teams#create-a-team for available options - - name: core - # The permission to grant the team. Can be one of: - # * `pull` - can pull, but not push to or administer this repository. - # * `push` - can pull and push, but not administer this repository. - # * `admin` - can pull, push and administer this repository. + - name: Myteam-admins permission: admin - - name: docss + - name: Myteam-developers permission: push - - name: docs - permission: pull - # Visibility is only honored when the team is created not for existing teams. - # It can be either secret (default) or closed (visible to all members of the org) - - name: globalteam + - name: Other-team permission: push - visibility: closed - -branches: - # If the name of the branch value is specified as `default`, then the app will create a branch protection rule to apply against the default branch in the repo - - name: default - # https://docs.github.com/en/rest/reference/branches#update-branch-protection - # Branch Protection settings. Set to null to disable - protection: - # Required. Require at least one approving review on a pull request, before merging. Set to null to disable. - required_pull_request_reviews: - # The number of approvals required. (1-6) - required_approving_review_count: 1 - # Dismiss approved reviews automatically when a new commit is pushed. - dismiss_stale_reviews: true - # Blocks merge until code owners have reviewed. - require_code_owner_reviews: true - # Whether the most recent reviewable push must be approved by someone other than the person who pushed it. - require_last_push_approval: true - # Allow specific users, teams, or apps to bypass pull request requirements. Set to null to disable. - bypass_pull_request_allowances: - apps: [] - users: [] - teams: [] - # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories. - dismissal_restrictions: - users: [] - teams: [] - # Required. Require status checks to pass before merging. Set to null to disable - required_status_checks: - # Required. Require branches to be up to date before merging. - strict: true - # Required. The list of status checks to require in order to merge into this branch - contexts: [] - # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable. - enforce_admins: true - # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable. - restrictions: - apps: [] - users: [] - teams: [] - -# See the docs (https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-autolinks-to-reference-external-resources) for a description of autolinks and replacement values. -autolinks: - - key_prefix: 'JIRA-' - url_template: 'https://jira.github.com/browse/JIRA-
+
This is the name of the repository + | +Example: + +```yaml +repository: + - name: super-repo +... +``` + + |
+
A short description of this repository + | +Example: + +```yaml +repository: + - description: This repo is so awesome, we named it super-repo +... +``` + + |
+
A URL with more information about the repository. + | +Example: + +```yaml +repository: + - homepage: https://awesomeness.super-repo.com +... +``` + + |
+
Either true to make the repository private or false to make it public. Default: Default: | +Example: + +```yaml +repository: + - private: true +... +``` + + |
+
The visibility of the repository. It is recommended to set your defaults to Can be one of: | +Example: + +```yaml +repository: + - private: true + visibility: internal +... +``` + + |
+
Specify which security and analysis features to enable or disable for the repository. +To use this parameter, you must have admin permissions for the repository or be an owner or security manager for the organization that owns the repository. For more information, see "Managing security managers in your organization." + +Properties of
+
+ | + +```yaml +repository: + security_and_analysis: + advanced_security: + status: enabled + secret_scanning: + status: enabled + secret_scanning_push_protection: + status: enabled +... +``` + + |
+
Either true to enable issues for this repository or Default: | + +```yaml +repository: + - has_issues: false +... +``` + + |
+
Either Default: | + +```yaml +repository: + - has_projects: false +... +``` + + |
+
Either Default: | + +```yaml +repository: + - has_wiki: false +... +``` + + |
+
Either Default: | + +```yaml +repository: + - is_template: false +... +``` + + |
+
Updates the default branch for this repository. + | + +```yaml +repository: + - default_branch: main +... +``` + + |
+
Either Default: | + +```yaml +repository: + - allow_squash_merge: false +... +``` + + |
+
Either Default: | + +```yaml +repository: + - allow_merge_commit: false +... +``` + + |
+
Either Default: | + +```yaml +repository: + - allow_rebase_merge: false +... +``` + + |
+
Either Default: | + +```yaml +repository: + - allow_auto_merge: true +... +``` + + |
+
Either Default: | + +```yaml +repository: + - delete_branch_on_merge: true +... +``` + + |
+
Either Default: | + +```yaml +repository: + - allow_update_branch: true +... +``` + + |
+
The default value for a squash merge commit title: + Can be one of: | + +```yaml +repository: + - squash_merge_commit_title: PR_TITLE +... +``` + + |
+
The default value for a squash merge commit title: + Can be one of: | + +```yaml +repository: + - squash_merge_commit_message: PR_BODY +... +``` + + |
+
The default value for a squash merge commit title: + Can be one of: | + +```yaml +repository: + - merge_commit_title: PR_TITLE +... +``` + + |
+
The default value for a squash merge commit title: + Can be one of: | + +```yaml +repository: + - merge_commit_message: PR_BODY +... +``` + + |
+
Whether to archive this repository. Default: | + +```yaml +repository: + - archived: true +... +``` + + |
+
Either Default: | + +```yaml +repository: + - allow_forking: false +... +``` + + |
+
Either Default: | + +```yaml +repository: + - web_commit_signoff_required: false +... +``` + + |
+
Repository variables that can be referenced in a GitHub Actions workflow + +Properties of
+
+ | +Example: + +```yaml +variables: + - name: MY_AWESOME_VAR + value: super duper value +... +``` + + |
+ The handle for the GitHub user account. + | + +```yaml +collaborators: + - username: AquaMan + permission: maintain +... +``` + + |
+ The permission to grant the collaborator. Only valid on organization-owned repositories. We accept the following permissions to be set: Default: | + +```yaml +collaborators: + - username: WonderWoman + permission: maintain +``` + + |
+ The slug of the team name. + | + +```yaml +teams: + - name: JusticeLeague + permission: maintain +... +``` + + |
+ The permission to grant the team on this repository. We accept the following permissions to be set: Default: | + +```yaml +teams: + - name: SuperFriends + permission: maintain +``` + + |
+
Require status checks to pass before merging. Set to Properties of
+
+ | +Example: + +```yaml +branches: + - name: default + protection: + required_status_checks: + strict: true + checks: + - stark-industries/barndoor-protocol + - stark-industries/sokovia-accords +... +``` + + |
+ Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to | + +```yaml +branches: + - name: default + protection: + required_status_checks: + strict: true + checks: + - stark-industries/barndoor-protocol + - stark-industries/sokovia-accords + enforce_admins: true +``` + + |
+
Require at least one approving review on a pull request, before merging. Set to Properties of
+
+ | + +```yaml +branches: + - name: default + protection: + required_pull_request_reviews: + required_approving_review_count: 2 + dismiss_stale_reviews: true + require_code_owner_reviews: true + require_last_push_approval: true + required_signatures: true + bypass_pull_request_allowances: + apps: + - Jarvis + - Edith + users: + - TonyStank + teams: + - Avengers + dismissal_restrictions: + users: + - Hulk + teams: + - Revengers +... +``` + + |
+
Restrict who can push to the protected branch. User, app, and team restrictions are only available for organization-owned repositories. Set to Properties of
+ | +Example: + +```yaml +branches: + - name: default + protection: + ... + restrictions: + users: + - superman + teams: + - justice-league +... +``` + + |
+ Enforces a linear commit Git history, which prevents anyone from pushing merge commits to a branch. Set to Default: | + +```yaml +branches: + - name: default + protection: + require_linear_history: false +... +``` + + |
+ Permits force pushes to the protected branch by anyone with write access to the repository. Set to true to allow force pushes. Set to false or null to block force pushes. Default: false. For more information, see "Enabling force pushes to a protected branch" in the GitHub Help documentation. + | + +```yaml +branches: + - name: default + protection: + allow_force_pushes: false +... +``` + + |
+ Allows deletion of the protected branch by anyone with write access to the repository. Set to Default: | + +```yaml +branches: + - name: default + protection: + allow_deletions: false +... +``` + + |
+ If set to Default: | + +```yaml +branches: + - name: default + protection: + block_creations: false +... +``` + + |
+ Requires all conversations on code to be resolved before a pull request can be merged into a branch that matches this rule. Set to Default: | + +```yaml +branches: + - name: default + protection: + required_conversation_resolution: false +... +``` + + |
+ Whether to set the branch as read-only. If this is Default: | + +```yaml +branches: + - name: default + protection: + lock_branch: false +... +``` + + |
+ Whether users can pull changes from upstream when the branch is locked. Set to true to allow fork syncing. Set to Default: | + +```yaml +branches: + - name: default + protection: + allow_fork_syncing: false +... +``` + + |
+ Whether users are required to configure SSH or GPG signatures for all commits pushed to this branch. +Default: | + +```yaml +branches: + - name: default + protection: + required_signatures: true +... +``` + + |
+
This is the name of the environment, and will be what is referenced in a workflow with | +Example: + +```yaml +environments: + - name: dms-prod-example +... +``` + + |
+
The amount of time to delay a job after the job is initially triggered. The time (in minutes) must be an integer between 0 and 43,200 (30 days). + | +Example: + +```yaml +environments: + - name: dms-prod-example + wait_timer: 30 +... +``` + + |
+
Whether or not a user who created the job is prevented from approving their own job. + | +Example: + +```yaml +environments: + - name: dms-prod-example + prevent_self_review: true +... +``` + + |
+
The people or teams that may review jobs that reference the environment. You can list up to six users or teams as reviewers. The reviewers must be given explicit access to the repository as either a team or collaborator. Only one of the required reviewers needs to approve the job for it to proceed. + +Properties of
+
+ | + +```yaml +environments: + - name: production + prevent_self_review: true + reviewers: + - type: Team + id: 1234647 + - type: User + id: 139262123 +... +``` + + |
+
The type of deployment branch policy for this environment. To allow all branches to deploy, set to Properties of
+ | +Example: + +```yaml +environments: + - name: production + ... + deployment_branch_policy: + protected_branches: true + custom_branch_policies: false +... +``` + + |
+
Environment variables that can be referenced in a GitHub Actions workflow + +Properties of
+
+ | +Example: + +```yaml +environments: + - name: production + variables: + - name: MY_AWESOME_VAR + value: super duper value +... +``` + + |
+ Either true to enable issues for this repository or Default: |
+
+```yaml
+autolinks:
+ - key_prefix: JIRA-
+ url_template: https://jira.example.com/browse/JIRA- |
+ Either true to enable issues for this repository or Default: |
+
+```yaml
+autolinks:
+ - key_prefix: JIRA-
+ url_template: https://jira.example.com/browse/JIRA- |
+ Whether this autolink reference matches alphanumeric characters. If Default: |
+
+```yaml
+autolinks:
+ - key_prefix: JIRA-
+ url_template: https://jira.examole.com/browse/JIRA- |
+ The name of the label. Emoji can be added to label names, using either native emoji or colon-style markup. For example, typing | + +```yaml +labels: + - name: bug +... +``` + + |
+ The hexadecimal color code for the label, without the leading | + +```yaml +labels: + - name: bug + color: CC0000 +... +``` + + |
+ A short description of the label. Must be 100 characters or fewer. + | + +```yaml +labels: + - name: bug + description: Something isn't working +... +``` + + |