Skip to content

Commit

Permalink
Switch to probot/settings app
Browse files Browse the repository at this point in the history 
Signed-off-by: Kyle Harding <kyle@balena.io>
  • Loading branch information
@klutchell
klutchell committed Sep 26, 2023
1 parent 9b610d8 commit 3dc9a58
Show file tree
Hide file tree
Showing 2 changed files with 140 additions and 135 deletions.
200 changes: 86 additions & 114 deletions .github/settings.yml
View file
Original file line number Diff line number Diff line change
@@ -1,31 +1,19 @@
# https://github.com/andrewthetechie/gha-repo-manager/blob/main/examples/settings.yml
# These settings are synced to GitHub by https://probot.github.io/apps/settings/

# settings.yml can live in two places:
# 1. in the repo itself
# 2. in a centralized repo

# The Action is able to apply settings to any repo that its token can manage
# You can run Action from each repo, acting on that repo's settings.yml, or
# from a central repo, using a single settings.yml to control many repos.

# Which method you choose is up to you. See README.md for more info and example
# Workflows to implement these strategies.
settings:
repository:
# See https://docs.github.com/en/rest/repos/repos#update-a-repository for all available settings.
# any of these settings can be ommitted to just leave the repo's current setting
# If a setting has a value in settings.yml, it will always overwrite what exists in the repo.

# A short description of the repository that will show up on GitHub. Set to an empty string to clear.
# The name of the repository. Changing this will rename the repository
# name: repo-name

# A short description of the repository that will show up on GitHub
# description: description of repo

# A URL with more information about the repository. Set to an empty string to clear.
# A URL with more information about the repository
# homepage: https://example.github.io/

# A list of strings to apply as topics on the repo. Set to an empty string to clear topics. Omit or set to null to leave what repo already has
# topics:
# - gha
# - foo
# - bar
# A comma-separated list of topics to set on the repository
# topics: github, probot

# Either `true` to make the repository private, or `false` to make it public.
# private: false
Expand All @@ -43,8 +31,8 @@ settings:
# Either `true` to enable downloads for this repository, `false` to disable them.
# has_downloads: true

# Set the default branch for this repository.
# default_branch: main
# Updates the default branch for this repository.
# default_branch: master

# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
Expand Down Expand Up @@ -73,119 +61,103 @@ settings:
# labels:
# - name: bug
# color: CC0000
# description: An issue with the system.
# description: An issue with the system 🐛.

# - name: feature
# # If including a `#`, make sure to wrap it with quotes!
# color: "#336699"
# color: '#336699'
# description: New functionality.

# - name: Help Wanted
# # Provide a new name to rename an existing label. A rename that results in a 'not found' will not fail a run
# # Provide a new name to rename an existing label
# new_name: first-timers-only

# - name: Old Label
# # set exists: false to delete a label. A delete that results in a "not found" will not fail a run
# exists: false

branch_protections:
# branch protection can only be created for branches that exist.
# Milestones: define milestones for Issues and Pull Requests
# milestones:
# - title: milestone-title
# description: milestone-description
# # The state of the milestone. Either `open` or `closed`
# state: open

# Collaborators: give specific users access to this repository.
# See https://docs.github.com/en/rest/collaborators/collaborators#add-a-repository-collaborator for available options
# collaborators:
# - username: bkeepers
# permission: push
# - username: hubot
# permission: pull

# Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.

# See https://docs.github.com/en/rest/deployments/environments#create-or-update-an-environment for available options
# Note: deployment_branch_policy differs from the API for ease of use. Either protected_branches (boolean) OR custom_branches (array of strings) can be provided; this will manage the API requirements under the hood. See https://docs.github.com/en/rest/deployments/branch-policies for documentation of custom_branches. If both are provided in an unexpected manner, protected_branches will be used.
# Either removing or simply not setting deployment_branch_policy will restore the default 'All branches' setting.
# environments:
# - name: production
# wait_timer: 5
# reviewers:
# - id: 1
# type: 'Team'
# - id: 2
# type: 'User'
# deployment_branch_policy:
# protected_branches: true
# - name: development
# deployment_branch_policy:
# custom_branches:
# - main
# - dev/*

# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
# teams:
# - name: core
# # The permission to grant the team. Can be one of:
# # * `pull` - can pull, but not push to or administer this repository.
# # * `push` - can pull and push, but not administer this repository.
# # * `admin` - can pull, push and administer this repository.
# # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin
# - name: docs
# permission: push

branches:
- name: $DEFAULT_BRANCH
# https://docs.github.com/en/rest/branches/branch-protection#update-branch-protection
# Branch Protection settings. Leave a value out to leave set at current repo settings
# Branch Protection settings. Set to null to disable
protection:
# Require at least one approving review on a pull request, before merging. Set to null to disable.
pr_options:
# # The number of approvals required. (1-6)
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
required_pull_request_reviews:
# The number of approvals required. (1-6)
# required_approving_review_count: 1
# # Dismiss approved reviews automatically when a new commit is pushed.
# Dismiss approved reviews automatically when a new commit is pushed.
dismiss_stale_reviews: false
# # Blocks merge until code owners have reviewed.
# Blocks merge until code owners have reviewed.
require_code_owner_reviews: false
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
dismissal_restrictions: {}
# users: []
# teams: []
# Require status checks to pass before merging. Set to null to disable
# Required. Require status checks to pass before merging. Set to null to disable
required_status_checks:
# Require branches to be up to date before merging.
# Required. Require branches to be up to date before merging.
strict: true
# The list of status checks to require in order to merge into this branch
checks:
- Flowzone / All jobs
# Required. The list of status checks to require in order to merge into this branch
contexts:
- "policy-bot: $DEFAULT_BRANCH"
# Blocks merge until all conversations on a pull request have been resolved
require_conversation_resolution: false
# Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
- Flowzone / All jobs
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: false
# Prevent merge commits from being pushed to matching branches
require_linear_history: false
# Permit force pushes for all users with push access.
allow_force_pushes: false
# Allow users with push access to delete matching branches.
allow_deletions: false
# If set to true, the restrictions branch protection settings which limits who can push will also block pushes which create new branches, unless the push is initiated by a user, team, or app which has the ability to push. Set to true to restrict new branch creation.
block_creations: false
# Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
required_linear_history: false
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions: null
# apps: []
# users: []
# teams: []
# - name: dev
# # will clear any branch protection on the dev branch, IF the dev branch exists. If you setup protection for a non-existant branch, this action cannot delete it
# exists: False
# # if the repo has a third branch named test with branch protections setup, by not adding a protection with name: test, this config will not change
# # those existing protections.
# - name: test
# exists: True

# secrets:
# # Manage secrets in your repo. Useful to manage secrets from a central repo for non organizations or to manage secrets org wide
# - key: SECRET_KEY
# # pull the value from an environment variable. If this variable is not found in the env, throw an error and fail the run
# # Set env vars on the github action job from secrets in your repo to sync screts across repos
# env: SECRET_VALUE
# # Set a dependabot secret on the repo
# - key: SECRET_KEY
# env: SECRET_VALUE
# type: dependabot
# - key: ANOTHER_SECRET
# # set a value directly in your yaml, probably not a good idea for things that are actually a secret
# value: bar
# - key: THIRD_SECRET
# # pull the value from an environment variable
# env: THIRD_VALUE
# # setting a value as not required allows you to not pass in an env var. if THIRD_VALUE is not set in the env, this secret won't be set but no error will be thrown
# required: false
# - key: DELETED_SECRET
# # setting exists to false will delete a secret. A delete that results in "not found" won't fail a run, so you can use this to make sure a secret is always deleted
# exists: false

# # Can copy files from your local context to the repo.
# # Manipulate files in the target repo
# # * move files around
# # * delete files
# # Changes are automatically commited and pushed to a target branch (default is default branch)
# # File operations are applied sequentially
# files:
# # copy templates/actions/my_workflow.yml to .github/workflows/my_workflow.yml in your target repo
# # and commit it with the default commit message and to your repo's default branch.
# # default commit message is "repo_manager file commit"
# - src_file: templates/actions/my_workflow.yml
# dest_file: .github/workflows/my_workflow.yml
# - src_file: templates/issues/issue_template.md
# dest_file: .github/ISSUE_TEMPLATE/issue.md
# commit_msg: update issue template
# # Update this file in the dev branch. If the dev branch doesn't exist, this will fail the workflow
# - src_file: templates/dev/dev.md
# dest_file: dev.md
# target_branch: dev
# # This moves README.md to README.rst in the remote. If README.md doesn't exist, the workflow will not fail and will emit a warning.
# - src_file: remote://README.md
# dest_file: README.rst
# move: true
# commit_msg: "move readme"
# # This removes OLDDOC.md in the dev branch. If OLDDOC.md doesn't exist, the workflow will emit a warning
# - dest_file: OLDDOC.md
# exists: false
# branch: dev
# commit_msg: "remove OLDDOC.md from dev"
75 changes: 54 additions & 21 deletions .github/workflows/repo-manager.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ jobs:
defaults:
run:
shell: bash
working-directory: .
working-directory: ${{ matrix.repo.full_name }}

strategy:
fail-fast: false
Expand Down Expand Up @@ -167,22 +167,27 @@ jobs:
token: ${{ steps.github-app-token.outputs.token }}

# Create a symlink to the preferred settings file.
- name: Link to settings file
- name: Select settings file
env:
FILES: >-
${{ matrix.repo.full_name }}/.github/settings.yml
${{ github.event.repository.full_name }}/repo-settings.yml
${{ github.event.repository.full_name }}/.github/settings.yml
${{ github.workspace}}/${{ github.event.repository.full_name }}/repo-settings.yml
${{ github.workspace}}/${{ github.event.repository.full_name }}/.github/settings.yml
run: |
mkdir -p .github
if [ -f .github/settings.yml ]; then
exit 0
fi
for file in $FILES; do
if [ -f "$file" ]; then
echo "Found settings file: $file"
ln -sv $file settings.yml
ln -sv $file .github/settings.yml
break
fi
done
- name: Substitute env vars
working-directory: ${{ matrix.repo.full_name }}/.github
env:
DEFAULT_BRANCH: ${{ matrix.repo.default_branch }}
run: |
Expand All @@ -193,6 +198,7 @@ jobs:
- name: Save default branch required checks
continue-on-error: true
id: get-branch-protection
working-directory: ${{ matrix.repo.full_name }}/.github
env:
GH_DEBUG: "true"
GH_PAGER: "cat"
Expand All @@ -203,29 +209,56 @@ jobs:
- name: Remove any ResinCI checks
if: steps.get-branch-protection.outcome == 'success'
working-directory: ${{ matrix.repo.full_name }}/.github
run: |
yq e 'del(.[] | select(. == "ResinCI*"))' response.yml > response.yml.tmp
mv response.yml.tmp response.yml
- name: Merge default branch required checks
if: steps.get-branch-protection.outcome == 'success'
working-directory: ${{ matrix.repo.full_name }}/.github
run: |
yq eval-all '.branch_protections[0].protection.required_status_checks.checks += load("response.yml") |
.branch_protections[0].protection.required_status_checks.checks |= unique' settings.yml > settings.yml.tmp
yq eval-all '.branches[0].protection.required_status_checks.checks += load("response.yml") |
.branches[0].protection.required_status_checks.checks |= unique' settings.yml > settings.yml.tmp
mv settings.yml.tmp settings.yml
yq . settings.yml
# https://github.com/andrewthetechie/gha-repo-manager
- name: Run repo manager
uses: andrewthetechie/gha-repo-manager@v1.7.1
id: repo-manager
continue-on-error: true
with:
action: ${{ needs.prepare.outputs.action }}
token: ${{ steps.github-app-token.outputs.token }}
settings_file: settings.yml
# https://github.com/elstudio/actions-settings
# https://github.com/repository-settings/app
# https://github.com/apps/settings
- name: Install probot and repository-settings
run: |
npm install -g github:repository-settings/app@2.1.2
- name: Record diff
if: steps.repo-manager.outputs.diff != ''
# https://github.com/elstudio/actions-settings
# https://github.com/repository-settings/app
# https://github.com/apps/settings
- name: Apply repository settings
env:
# https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables
GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}
ACTIONS_STEP_DEBUG: true
LOG_LEVEL: true
# # The name of the event that triggered the workflow. For example, workflow_dispatch.
# GITHUB_EVENT_NAME:
# # The path to the file on the runner that contains the full event webhook payload. For example, /github/workflow/event.json.
# GITHUB_EVENT_PATH:
run: |
echo "${{ steps.repo-manager.outputs.diff }}" | tee -a $GITHUB_STEP_SUMMARY
probot receive -e $GITHUB_EVENT_NAME -p $GITHUB_EVENT_PATH -t $GITHUB_TOKEN /app/node_modules/repository-settings/index.js
# Usage: probot-receive [options] [path/to/app.js...]

# Options:
# -e, --event <event-name> Event name
# -p, --payload-path <payload-path> Path to the event payload
# -t, --token <access-token> Access token
# -a, --app <id> ID of the GitHub App
# -P, --private-key <file> Path to private key file (.pem) for the GitHub App
# -L, --log-level <level> One of: "trace" | "debug" | "info" | "warn" | "error" | "fatal"
# --log-format <format> One of: "pretty", "json" (default: "pretty")
# --log-level-in-string Set to log levels (trace, debug, info, ...) as words instead of numbers (10, 20, 30, ...) (default: false)
# --log-message-key Set to the string key for the 'message' in the log JSON object
# --sentry-dsn <dsn> Set to your Sentry DSN, e.g. "https://1234abcd@sentry.io/12345"
# --base-url <url> GitHub API base URL. If you use GitHub Enterprise Server, and your hostname is "https://github.acme-inc.com", then the root URL is "https://github.acme-inc.com/api/v3" (default:
# "https://api.github.com")
# -h, --help display help for command

0 comments on commit 3dc9a58

Please sign in to comment.