Switch to probot/settings app

Signed-off-by: Kyle Harding <[email protected]>

.github/settings.yml

@@ -1,31 +1,19 @@
-# https://github.com/andrewthetechie/gha-repo-manager/blob/main/examples/settings.yml
+# These settings are synced to GitHub by https://probot.github.io/apps/settings/
 
-# settings.yml can live in two places:
-# 1. in the repo itself
-# 2. in a centralized repo
-
-# The Action is able to apply settings to any repo that its token can manage
-# You can run Action from each repo, acting on that repo's settings.yml, or
-# from a central repo, using a single settings.yml to control many repos.
-
-# Which method you choose is up to you. See README.md for more info and example
-# Workflows to implement these strategies.
-settings:
+repository:
   # See https://docs.github.com/en/rest/repos/repos#update-a-repository for all available settings.
-  # any of these settings can be ommitted to just leave the repo's current setting
-  # If a setting has a value in settings.yml, it will always overwrite what exists in the repo.
 
-  # A short description of the repository that will show up on GitHub. Set to an empty string to clear.
+  # The name of the repository. Changing this will rename the repository
+  # name: repo-name
+
+  # A short description of the repository that will show up on GitHub
   # description: description of repo
 
-  # A URL with more information about the repository. Set to an empty string to clear.
+  # A URL with more information about the repository
   # homepage: https://example.github.io/
 
-  # A list of strings to apply as topics on the repo. Set to an empty string to clear topics. Omit or set to null to leave what repo already has
-  # topics:
-  #   - gha
-  #   - foo
-  #   - bar
+  # A comma-separated list of topics to set on the repository
+  # topics: github, probot
 
   # Either `true` to make the repository private, or `false` to make it public.
   # private: false
@@ -43,8 +31,8 @@ settings:
   # Either `true` to enable downloads for this repository, `false` to disable them.
   # has_downloads: true
 
-  # Set the default branch for this repository.
-  # default_branch: main
+  # Updates the default branch for this repository.
+  # default_branch: master
 
   # Either `true` to allow squash-merging pull requests, or `false` to prevent
   # squash-merging.
@@ -73,119 +61,103 @@ settings:
 # labels:
 #   - name: bug
 #     color: CC0000
-#     description: An issue with the system.
+#     description: An issue with the system 🐛.
 
 #   - name: feature
 #     # If including a `#`, make sure to wrap it with quotes!
-#     color: "#336699"
+#     color: '#336699'
 #     description: New functionality.
 
 #   - name: Help Wanted
-#     # Provide a new name to rename an existing label. A rename that results in a 'not found' will not fail a run
+#     # Provide a new name to rename an existing label
 #     new_name: first-timers-only
 
-#   - name: Old Label
-#     # set exists: false to delete a label. A delete that results in a "not found" will not fail a run
-#     exists: false
-
-branch_protections:
-  # branch protection can only be created for branches that exist.
+# Milestones: define milestones for Issues and Pull Requests
+# milestones:
+#   - title: milestone-title
+#     description: milestone-description
+#     # The state of the milestone. Either `open` or `closed`
+#     state: open
+
+# Collaborators: give specific users access to this repository.
+# See https://docs.github.com/en/rest/collaborators/collaborators#add-a-repository-collaborator for available options
+# collaborators:
+  # - username: bkeepers
+  #   permission: push
+  # - username: hubot
+  #   permission: pull
+
+  # Note: `permission` is only valid on organization-owned repositories.
+  # The permission to grant the collaborator. Can be one of:
+  # * `pull` - can pull, but not push to or administer this repository.
+  # * `push` - can pull and push, but not administer this repository.
+  # * `admin` - can pull, push and administer this repository.
+  # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+  # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+
+# See https://docs.github.com/en/rest/deployments/environments#create-or-update-an-environment for available options
+# Note: deployment_branch_policy differs from the API for ease of use. Either protected_branches (boolean) OR custom_branches (array of strings) can be provided; this will manage the API requirements under the hood. See https://docs.github.com/en/rest/deployments/branch-policies for documentation of custom_branches. If both are provided in an unexpected manner, protected_branches will be used.
+# Either removing or simply not setting deployment_branch_policy will restore the default 'All branches' setting.
+# environments:
+#   - name: production
+#     wait_timer: 5
+#     reviewers:
+#       - id: 1
+#         type: 'Team'
+#       - id: 2
+#         type: 'User'
+#     deployment_branch_policy:
+#       protected_branches: true
+#   - name: development
+#     deployment_branch_policy:
+#       custom_branches:
+#         - main
+#         - dev/*
+
+# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
+# teams:
+#   - name: core
+#     # The permission to grant the team. Can be one of:
+#     # * `pull` - can pull, but not push to or administer this repository.
+#     # * `push` - can pull and push, but not administer this repository.
+#     # * `admin` - can pull, push and administer this repository.
+#     # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+#     # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+#     permission: admin
+#   - name: docs
+#     permission: push
+
+branches:
   - name: $DEFAULT_BRANCH
     # https://docs.github.com/en/rest/branches/branch-protection#update-branch-protection
-    # Branch Protection settings. Leave a value out to leave set at current repo settings
+    # Branch Protection settings. Set to null to disable
     protection:
-      # Require at least one approving review on a pull request, before merging. Set to null to disable.
-      pr_options:
-        # # The number of approvals required. (1-6)
+      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
+      required_pull_request_reviews:
+        # The number of approvals required. (1-6)
         # required_approving_review_count: 1
-        # # Dismiss approved reviews automatically when a new commit is pushed.
+        # Dismiss approved reviews automatically when a new commit is pushed.
         dismiss_stale_reviews: false
-        # # Blocks merge until code owners have reviewed.
+        # Blocks merge until code owners have reviewed.
         require_code_owner_reviews: false
-        # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
+        # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
         dismissal_restrictions: {}
           # users: []
           # teams: []
-      # Require status checks to pass before merging. Set to null to disable
+      # Required. Require status checks to pass before merging. Set to null to disable
       required_status_checks:
-        # Require branches to be up to date before merging.
+        # Required. Require branches to be up to date before merging.
         strict: true
-        # The list of status checks to require in order to merge into this branch
-        checks:
-          - Flowzone / All jobs
+        # Required. The list of status checks to require in order to merge into this branch
+        contexts:
           - "policy-bot: $DEFAULT_BRANCH"
-      # Blocks merge until all conversations on a pull request have been resolved
-      require_conversation_resolution: false
-      # Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
+          - Flowzone / All jobs
+      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
       enforce_admins: false
       # Prevent merge commits from being pushed to matching branches
-      require_linear_history: false
-      # Permit force pushes for all users with push access.
-      allow_force_pushes: false
-      # Allow users with push access to delete matching branches.
-      allow_deletions: false
-      # If set to true, the restrictions branch protection settings which limits who can push will also block pushes which create new branches, unless the push is initiated by a user, team, or app which has the ability to push. Set to true to restrict new branch creation.
-      block_creations: false
-      # Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
+      required_linear_history: false
+      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
       restrictions: null
+        # apps: []
         # users: []
         # teams: []
-  # - name: dev
-  #   # will clear any branch protection on the dev branch, IF the dev branch exists. If you setup protection for a non-existant branch, this action cannot delete it
-  #   exists: False
-  # # if the repo has a third branch named test with branch protections setup, by not adding a protection with name: test, this config will not change
-  # # those existing protections.
-  # - name: test
-  #   exists: True
-
-# secrets:
-#   # Manage secrets in your repo. Useful to manage secrets from a central repo for non organizations or to manage secrets org wide
-#   - key: SECRET_KEY
-#     # pull the value from an environment variable. If this variable is not found in the env, throw an error and fail the run
-#     # Set env vars on the github action job from secrets in your repo to sync screts across repos
-#     env: SECRET_VALUE
-#     # Set a dependabot secret on the repo
-#   - key: SECRET_KEY
-#     env: SECRET_VALUE
-#     type: dependabot
-#   - key: ANOTHER_SECRET
-#     # set a value directly in your yaml, probably not a good idea for things that are actually a secret
-#     value: bar
-#   - key: THIRD_SECRET
-#     # pull the value from an environment variable
-#     env: THIRD_VALUE
-#     # setting a value as not required allows you to not pass in an env var. if THIRD_VALUE is not set in the env, this secret won't be set but no error will be thrown
-#     required: false
-#   - key: DELETED_SECRET
-#     # setting exists to false will delete a secret. A delete that results in "not found" won't fail a run, so you can use this to make sure a secret is always deleted
-#     exists: false
-
-# # Can copy files from your local context to the repo.
-# # Manipulate files in the target repo
-# # * move files around
-# # * delete files
-# # Changes are automatically commited and pushed to a target branch (default is default branch)
-# # File operations are applied sequentially
-# files:
-#   # copy templates/actions/my_workflow.yml to .github/workflows/my_workflow.yml in your target repo
-#   # and commit it with the default commit message and to your repo's default branch.
-#   # default commit message is "repo_manager file commit"
-#   - src_file: templates/actions/my_workflow.yml
-#     dest_file: .github/workflows/my_workflow.yml
-#   - src_file: templates/issues/issue_template.md
-#     dest_file: .github/ISSUE_TEMPLATE/issue.md
-#     commit_msg: update issue template
-#     # Update this file in the dev branch. If the dev branch doesn't exist, this will fail the workflow
-#   - src_file: templates/dev/dev.md
-#     dest_file: dev.md
-#     target_branch: dev
-#   # This moves README.md to README.rst in the remote. If README.md doesn't exist, the workflow will not fail and will emit a warning.
-#   - src_file: remote://README.md
-#     dest_file: README.rst
-#     move: true
-#     commit_msg: "move readme"
-#   # This removes OLDDOC.md in the dev branch. If OLDDOC.md doesn't exist, the workflow will emit a warning
-#   - dest_file: OLDDOC.md
-#     exists: false
-#     branch: dev
-#     commit_msg: "remove OLDDOC.md from dev"

.github/workflows/repo-manager.yml

@@ -111,7 +111,7 @@ jobs:
     defaults:
       run:
         shell: bash
-        working-directory: .
+        working-directory: ${{ matrix.repo.full_name }}/.github
 
     strategy:
       fail-fast: false
@@ -167,16 +167,21 @@ jobs:
           token: ${{ steps.github-app-token.outputs.token }}
 
       # Create a symlink to the preferred settings file.
-      - name: Link to settings file
+      - name: Select settings file
+        working-directory: ${{ matrix.repo.full_name }}
         env:
           FILES: >-
-            ${{ matrix.repo.full_name }}/.github/settings.yml
-            ${{ github.event.repository.full_name }}/repo-settings.yml
-            ${{ github.event.repository.full_name }}/.github/settings.yml
+            ${{ github.workspace}}/${{ github.event.repository.full_name }}/repo-settings.yml
+            ${{ github.workspace}}/${{ github.event.repository.full_name }}/.github/settings.yml
         run: |
+          mkdir -p .github
+
+          if [ -f settings.yml ]; then
+            exit 0
+          fi
+
           for file in $FILES; do
             if [ -f "$file" ]; then
-              echo "Found settings file: $file"
               ln -sv $file settings.yml
               break
             fi
@@ -210,22 +215,41 @@ jobs:
       - name: Merge default branch required checks
         if: steps.get-branch-protection.outcome == 'success'
         run: |
-          yq eval-all '.branch_protections[0].protection.required_status_checks.checks += load("response.yml") | 
-            .branch_protections[0].protection.required_status_checks.checks |= unique' settings.yml > settings.yml.tmp
+          yq eval-all '.branches[0].protection.required_status_checks.checks += load("response.yml") | 
+            .branches[0].protection.required_status_checks.checks |= unique' settings.yml > settings.yml.tmp
           mv settings.yml.tmp settings.yml
           yq . settings.yml
 
-      # https://github.com/andrewthetechie/gha-repo-manager
-      - name: Run repo manager
-        uses: andrewthetechie/[email protected]
-        id: repo-manager
-        continue-on-error: true
-        with:
-          action: ${{ needs.prepare.outputs.action }}
-          token: ${{ steps.github-app-token.outputs.token }}
-          settings_file: settings.yml
-
-      - name: Record diff
-        if: steps.repo-manager.outputs.diff != ''
+      # https://github.com/elstudio/actions-settings
+      # https://github.com/repository-settings/app
+      # https://github.com/apps/settings
+      - name: Install and run probot/settings
+        env:
+          # https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables
+          GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}
+          ACTIONS_STEP_DEBUG: true
+          LOG_LEVEL: true
+          # # The name of the event that triggered the workflow. For example, workflow_dispatch.
+          # GITHUB_EVENT_NAME:
+          # # The path to the file on the runner that contains the full event webhook payload. For example, /github/workflow/event.json.
+          # GITHUB_EVENT_PATH:
         run: |
-          echo "${{ steps.repo-manager.outputs.diff }}" | tee -a $GITHUB_STEP_SUMMARY
+          npm install -g github:repository-settings/[email protected]
+          probot receive -e $GITHUB_EVENT_NAME -p $GITHUB_EVENT_PATH -t $GITHUB_TOKEN /app/node_modules/repository-settings/index.js
+
+        # Usage: probot-receive [options] [path/to/app.js...]
+
+        # Options:
+        #   -e, --event <event-name>           Event name
+        #   -p, --payload-path <payload-path>  Path to the event payload
+        #   -t, --token <access-token>         Access token
+        #   -a, --app <id>                     ID of the GitHub App
+        #   -P, --private-key <file>           Path to private key file (.pem) for the GitHub App
+        #   -L, --log-level <level>            One of: "trace" | "debug" | "info" | "warn" | "error" | "fatal"
+        #   --log-format <format>              One of: "pretty", "json" (default: "pretty")
+        #   --log-level-in-string              Set to log levels (trace, debug, info, ...) as words instead of numbers (10, 20, 30, ...) (default: false)
+        #   --log-message-key                  Set to the string key for the 'message' in the log JSON object
+        #   --sentry-dsn <dsn>                 Set to your Sentry DSN, e.g. "https://[email protected]/12345"
+        #   --base-url <url>                   GitHub API base URL. If you use GitHub Enterprise Server, and your hostname is "https://github.acme-inc.com", then the root URL is "https://github.acme-inc.com/api/v3" (default:
+        #                                      "https://api.github.com")
+        #   -h, --help                         display help for command