From 5e204f68d729397b6bc4ac8921097348025509cf Mon Sep 17 00:00:00 2001
From: Kyle Harding
Date: Tue, 26 Sep 2023 16:22:25 -0400
Subject: [PATCH] Switch to probot/settings app

Signed-off-by: Kyle Harding
---
 .github/settings.yml | 200 +++++++++++++----------------
 .github/workflows/repo-manager.yml | 66 +++++++---
 2 files changed, 131 insertions(+), 135 deletions(-)

diff --git a/.github/settings.yml b/.github/settings.yml
index f02e9d91f..61a2d19e3 100644
--- a/.github/settings.yml
+++ b/.github/settings.yml
@@ -1,31 +1,19 @@ -# https://github.com/andrewthetechie/gha-repo-manager/blob/main/examples/settings.yml +# These settings are synced to GitHub by https://probot.github.io/apps/settings/ -# settings.yml can live in two places: -# 1. in the repo itself -# 2. in a centralized repo - -# The Action is able to apply settings to any repo that its token can manage -# You can run Action from each repo, acting on that repo's settings.yml, or -# from a central repo, using a single settings.yml to control many repos. - -# Which method you choose is up to you. See README.md for more info and example -# Workflows to implement these strategies. -settings: +repository: # See https://docs.github.com/en/rest/repos/repos#update-a-repository for all available settings. - # any of these settings can be ommitted to just leave the repo's current setting - # If a setting has a value in settings.yml, it will always overwrite what exists in the repo. - # A short description of the repository that will show up on GitHub. Set to an empty string to clear. + # The name of the repository. Changing this will rename the repository + # name: repo-name + + # A short description of the repository that will show up on GitHub # description: description of repo - # A URL with more information about the repository. Set to an empty string to clear. + # A URL with more information about the repository # homepage: https://example.github.io/ - # A list of strings to apply as topics on the repo. Set to an empty string to clear topics. Omit or set to null to leave what repo already has - # topics: - # - gha - # - foo - # - bar + # A comma-separated list of topics to set on the repository + # topics: github, probot # Either `true` to make the repository private, or `false` to make it public. # private: false 
@@ -43,8 +31,8 @@ settings: # Either `true` to enable downloads for this repository, `false` to disable them. # has_downloads: true - # Set the default branch for this repository. - # default_branch: main + # Updates the default branch for this repository. + # default_branch: master # Either `true` to allow squash-merging pull requests, or `false` to prevent # squash-merging. 
@@ -73,119 +61,103 @@ settings: # labels: # - name: bug # color: CC0000 -# description: An issue with the system. +# description: An issue with the system 🐛. # - name: feature # # If including a `#`, make sure to wrap it with quotes! -# color: "#336699" +# color: '#336699' # description: New functionality. # - name: Help Wanted -# # Provide a new name to rename an existing label. A rename that results in a 'not found' will not fail a run +# # Provide a new name to rename an existing label # new_name: first-timers-only -# - name: Old Label -# # set exists: false to delete a label. A delete that results in a "not found" will not fail a run -# exists: false - -branch_protections: - # branch protection can only be created for branches that exist. +# Milestones: define milestones for Issues and Pull Requests +# milestones: +# - title: milestone-title +# description: milestone-description +# # The state of the milestone. Either `open` or `closed` +# state: open + +# Collaborators: give specific users access to this repository. +# See https://docs.github.com/en/rest/collaborators/collaborators#add-a-repository-collaborator for available options +# collaborators: + # - username: bkeepers + # permission: push + # - username: hubot + # permission: pull + + # Note: `permission` is only valid on organization-owned repositories. + # The permission to grant the collaborator. Can be one of: + # * `pull` - can pull, but not push to or administer this repository. + # * `push` - can pull and push, but not administer this repository. + # * `admin` - can pull, push and administer this repository. + # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. + # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. 
+ +# See https://docs.github.com/en/rest/deployments/environments#create-or-update-an-environment for available options +# Note: deployment_branch_policy differs from the API for ease of use. Either protected_branches (boolean) OR custom_branches (array of strings) can be provided; this will manage the API requirements under the hood. See https://docs.github.com/en/rest/deployments/branch-policies for documentation of custom_branches. If both are provided in an unexpected manner, protected_branches will be used. +# Either removing or simply not setting deployment_branch_policy will restore the default 'All branches' setting. +# environments: +# - name: production +# wait_timer: 5 +# reviewers: +# - id: 1 +# type: 'Team' +# - id: 2 +# type: 'User' +# deployment_branch_policy: +# protected_branches: true +# - name: development +# deployment_branch_policy: +# custom_branches: +# - main +# - dev/* + +# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options +# teams: +# - name: core +# # The permission to grant the team. Can be one of: +# # * `pull` - can pull, but not push to or administer this repository. +# # * `push` - can pull and push, but not administer this repository. +# # * `admin` - can pull, push and administer this repository. +# # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. +# # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. +# permission: admin +# - name: docs +# permission: push + +branches: - name: $DEFAULT_BRANCH # https://docs.github.com/en/rest/branches/branch-protection#update-branch-protection - # Branch Protection settings. Leave a value out to leave set at current repo settings + # Branch Protection settings. Set to null to disable protection: - # Require at least one approving review on a pull request, before merging. 
Set to null to disable. - pr_options: - # # The number of approvals required. (1-6) + # Required. Require at least one approving review on a pull request, before merging. Set to null to disable. + required_pull_request_reviews: + # The number of approvals required. (1-6) # required_approving_review_count: 1 - # # Dismiss approved reviews automatically when a new commit is pushed. + # Dismiss approved reviews automatically when a new commit is pushed. dismiss_stale_reviews: false - # # Blocks merge until code owners have reviewed. + # Blocks merge until code owners have reviewed. require_code_owner_reviews: false - # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories. + # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories. dismissal_restrictions: {} # users: [] # teams: [] - # Require status checks to pass before merging. Set to null to disable + # Required. Require status checks to pass before merging. Set to null to disable required_status_checks: - # Require branches to be up to date before merging. + # Required. Require branches to be up to date before merging. strict: true - # The list of status checks to require in order to merge into this branch - checks: - - Flowzone / All jobs + # Required. The list of status checks to require in order to merge into this branch + contexts: - "policy-bot: $DEFAULT_BRANCH" - # Blocks merge until all conversations on a pull request have been resolved - require_conversation_resolution: false - # Enforce all configured restrictions for administrators. 
Set to true to enforce required status checks for repository administrators. Set to null to disable. + - Flowzone / All jobs + # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable. enforce_admins: false # Prevent merge commits from being pushed to matching branches - require_linear_history: false - # Permit force pushes for all users with push access. - allow_force_pushes: false - # Allow users with push access to delete matching branches. - allow_deletions: false - # If set to true, the restrictions branch protection settings which limits who can push will also block pushes which create new branches, unless the push is initiated by a user, team, or app which has the ability to push. Set to true to restrict new branch creation. - block_creations: false - # Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable. + required_linear_history: false + # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable. restrictions: null + # apps: [] # users: [] # teams: [] - # - name: dev - # # will clear any branch protection on the dev branch, IF the dev branch exists. If you setup protection for a non-existant branch, this action cannot delete it - # exists: False - # # if the repo has a third branch named test with branch protections setup, by not adding a protection with name: test, this config will not change - # # those existing protections. - # - name: test - # exists: True - -# secrets: -# # Manage secrets in your repo. Useful to manage secrets from a central repo for non organizations or to manage secrets org wide -# - key: SECRET_KEY -# # pull the value from an environment variable. 
If this variable is not found in the env, throw an error and fail the run -# # Set env vars on the github action job from secrets in your repo to sync screts across repos -# env: SECRET_VALUE -# # Set a dependabot secret on the repo -# - key: SECRET_KEY -# env: SECRET_VALUE -# type: dependabot -# - key: ANOTHER_SECRET -# # set a value directly in your yaml, probably not a good idea for things that are actually a secret -# value: bar -# - key: THIRD_SECRET -# # pull the value from an environment variable -# env: THIRD_VALUE -# # setting a value as not required allows you to not pass in an env var. if THIRD_VALUE is not set in the env, this secret won't be set but no error will be thrown -# required: false -# - key: DELETED_SECRET -# # setting exists to false will delete a secret. A delete that results in "not found" won't fail a run, so you can use this to make sure a secret is always deleted -# exists: false - -# # Can copy files from your local context to the repo. -# # Manipulate files in the target repo -# # * move files around -# # * delete files -# # Changes are automatically commited and pushed to a target branch (default is default branch) -# # File operations are applied sequentially -# files: -# # copy templates/actions/my_workflow.yml to .github/workflows/my_workflow.yml in your target repo -# # and commit it with the default commit message and to your repo's default branch. -# # default commit message is "repo_manager file commit" -# - src_file: templates/actions/my_workflow.yml -# dest_file: .github/workflows/my_workflow.yml -# - src_file: templates/issues/issue_template.md -# dest_file: .github/ISSUE_TEMPLATE/issue.md -# commit_msg: update issue template -# # Update this file in the dev branch. If the dev branch doesn't exist, this will fail the workflow -# - src_file: templates/dev/dev.md -# dest_file: dev.md -# target_branch: dev -# # This moves README.md to README.rst in the remote. 
If README.md doesn't exist, the workflow will not fail and will emit a warning. -# - src_file: remote://README.md -# dest_file: README.rst -# move: true -# commit_msg: "move readme" -# # This removes OLDDOC.md in the dev branch. If OLDDOC.md doesn't exist, the workflow will emit a warning -# - dest_file: OLDDOC.md -# exists: false -# branch: dev -# commit_msg: "remove OLDDOC.md from dev" diff --git a/.github/workflows/repo-manager.yml b/.github/workflows/repo-manager.yml index 1dd9513f5..e8dced3ec 100644 --- a/.github/workflows/repo-manager.yml +++ b/.github/workflows/repo-manager.yml @@ -111,7 +111,7 @@ jobs: defaults: run: shell: bash - working-directory: . + working-directory: ${{ matrix.repo.full_name }}/.github strategy: fail-fast: false @@ -167,16 +167,21 @@ jobs: token: ${{ steps.github-app-token.outputs.token }} # Create a symlink to the preferred settings file. - - name: Link to settings file + - name: Select settings file + working-directory: ${{ matrix.repo.full_name }} env: FILES: >- - ${{ matrix.repo.full_name }}/.github/settings.yml - ${{ github.event.repository.full_name }}/repo-settings.yml - ${{ github.event.repository.full_name }}/.github/settings.yml + ${{ github.workspace}}/${{ github.event.repository.full_name }}/repo-settings.yml + ${{ github.workspace}}/${{ github.event.repository.full_name }}/.github/settings.yml run: | + mkdir -p .github + + if [ -f settings.yml ]; then + exit 0 + fi + for file in $FILES; do if [ -f "$file" ]; then - echo "Found settings file: $file" ln -sv $file settings.yml break fi 
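Review bot: The rewritten `protection` block under `branches:` drops the explicit `allow_force_pushes: false`, `allow_deletions: false`, `block_creations: false` and the conversation-resolution setting that the old `branch_protections` entry carried, so the hardening intent is no longer stated anywhere in the file. The branch-protection update API does treat those as false when omitted, but the file now depends on that default instead of declaring it, and anyone later adding `allow_force_pushes: true` for one branch has no reviewed baseline to diff against. Restating them, `allow_force_pushes: false`, `allow_deletions: false`, `block_creations: false` (plus `required_conversation_resolution: false`, the API's name for the removed `require_conversation_resolution`), keeps the posture visible. Note also that this hunk lists the required checks under `required_status_checks.contexts` while the yq merge step in repo-manager.yml still targets `.checks` (raised on that hunk). `$DEFAULT_BRANCH` is presumably substituted by the workflow before the file is used; that step is outside this diff.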
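Review bot: The early exit `if [ -f settings.yml ]` and the `ln -sv $file settings.yml` both resolve relative to this step's working-directory `${{ matrix.repo.full_name }}`, i.e. the target repo root, while the `mkdir -p .github` just above and the default working-directory `${{ matrix.repo.full_name }}/.github` used by the later yq step point at `.github/`; as written the symlink lands one directory above where the following steps look for it. If `.github/settings.yml` is the intended location, change the two lines to `if [ -f .github/settings.yml ]; then` and `ln -sv "$file" .github/settings.yml`, quoting `$file` while at it, since the new `FILES` entries are workspace-absolute and a space in `github.workspace` would otherwise split the loop variable. The `for` loop continues outside the hunk.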
@@ -210,22 +215,41 @@ jobs: - name: Merge default branch required checks if: steps.get-branch-protection.outcome == 'success' run: | - yq eval-all '.branch_protections[0].protection.required_status_checks.checks += load("response.yml") | - .branch_protections[0].protection.required_status_checks.checks |= unique' settings.yml > settings.yml.tmp + yq eval-all '.branches[0].protection.required_status_checks.checks += load("response.yml") | + .branches[0].protection.required_status_checks.checks |= unique' settings.yml > settings.yml.tmp mv settings.yml.tmp settings.yml yq . settings.yml - # https://github.com/andrewthetechie/gha-repo-manager - - name: Run repo manager - uses: andrewthetechie/gha-repo-manager@v1.7.1 - id: repo-manager - continue-on-error: true - with: - action: ${{ needs.prepare.outputs.action }} - token: ${{ steps.github-app-token.outputs.token }} - settings_file: settings.yml - - - name: Record diff - if: steps.repo-manager.outputs.diff != '' + # https://github.com/elstudio/actions-settings + # https://github.com/repository-settings/app + # https://github.com/apps/settings + - name: Install and run probot/settings + env: + # https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables + GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }} + ACTIONS_STEP_DEBUG: true + LOG_LEVEL: true + # # The name of the event that triggered the workflow. For example, workflow_dispatch. + # GITHUB_EVENT_NAME: + # # The path to the file on the runner that contains the full event webhook payload. For example, /github/workflow/event.json. + # GITHUB_EVENT_PATH: run: | - echo "${{ steps.repo-manager.outputs.diff }}" | tee -a $GITHUB_STEP_SUMMARY + npm install -g github:repository-settings/app@2.1.2 + probot receive -e $GITHUB_EVENT_NAME -p $GITHUB_EVENT_PATH -t $GITHUB_TOKEN /app/node_modules/repository-settings/index.js + + # Usage: probot-receive [options] [path/to/app.js...] 
+ + # Options: + # -e, --event Event name + # -p, --payload-path Path to the event payload + # -t, --token Access token + # -a, --app ID of the GitHub App + # -P, --private-key Path to private key file (.pem) for the GitHub App + # -L, --log-level One of: "trace" | "debug" | "info" | "warn" | "error" | "fatal" + # --log-format One of: "pretty", "json" (default: "pretty") + # --log-level-in-string Set to log levels (trace, debug, info, ...) as words instead of numbers (10, 20, 30, ...) (default: false) + # --log-message-key Set to the string key for the 'message' in the log JSON object + # --sentry-dsn Set to your Sentry DSN, e.g. "https://1234abcd@sentry.io/12345" + # --base-url GitHub API base URL. If you use GitHub Enterprise Server, and your hostname is "https://github.acme-inc.com", then the root URL is "https://github.acme-inc.com/api/v3" (default: + # "https://api.github.com") + # -h, --help display help for command
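Review bot: The yq merge still appends the fetched checks to `.branches[0].protection.required_status_checks.checks`, but the new settings.yml lists required checks under `required_status_checks.contexts`, so the merged list ends up under a sibling key and the hand-written `contexts` list is what the app submits; both expressions should target the same key, `… required_status_checks.contexts += load("response.yml")` and `… required_status_checks.contexts |= unique`, assuming response.yml holds plain context strings like the file does (that step is outside the hunk). `npm install -g github:repository-settings/app@2.1.2` resolves a git tag at run time, which is mutable and never checked here; pinning to the commit behind the tag (`github:repository-settings/app#<commit-sha>`) makes the code that receives the app token reproducible and reviewable. `LOG_LEVEL: true` is not one of the values the pasted help text accepts for `--log-level` (`trace` … `fatal`), so it should become e.g. `LOG_LEVEL: debug` or be dropped. The hard-coded `/app/node_modules/repository-settings/index.js` only matches a global install if npm's prefix is `/app`; `$(npm root -g)/repository-settings/index.js` follows the actual install location, and the package directory name should be confirmed against the app's package.json.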