diff --git a/.github/settings.yml b/.github/settings.yml deleted file mode 100644 index 799eb1d..0000000 --- a/.github/settings.yml +++ /dev/null @@ -1,295 +0,0 @@ -# ---------------------------------------------------------------- -# Auto-merged from nsheaps/.github on every sync. -# Source: https://github.com/nsheaps/.github/blob/main/.github/org-settings.yaml -# Edits to this file are KEPT on the next sync (deep merge). -# To remove an org default, delete the key here — it will not come back. -# ---------------------------------------------------------------- -# ---------------------------------------------------------------- -# nsheaps org-wide repository defaults — TEMPLATE -# -# This file is the source of truth. It contains ${ENV_VAR} placeholders -# that get substituted by the render-repo-settings workflow (envsubst), -# which writes the rendered output to repo-settings.yaml in this repo. -# Edit this file (not repo-settings.yaml) for org-wide changes. -# -# Render workflow: -# https://github.com/nsheaps/.github/blob/main/.github/workflows/render-repo-settings.yaml -# -# After rendering, the resolved repo-settings.yaml is deep-merged into -# each managed repo's .github/settings.yml by sync-repo-settings: -# https://github.com/nsheaps/.github/blob/main/.github/workflows/sync-repo-settings.yaml -# -# Merger script + tests: -# https://github.com/nsheaps/.github/blob/main/scripts/repo_settings_merge.py -# -# Merge semantics — short version: -# - scalars : target wins (repo's existing value preserved) -# - mappings : recurse -# - rulesets[] : matched by `name`, deep-merged per item -# - rulesets[].rules[] : matched by `type`, deep-merged per item -# - bypass_actors[] : matched by (actor_id, actor_type) — SOURCE wins on scalars -# - enforcement omitted : normalized to `active` at write time -# -# Do not set per-repo identity (name/description/homepage/topics) here — -# those belong to each repo. -# -# `# @default` convention: lines tagged `# @default` are uncommented ONLY -# on a repo's FIRST sync (when it has no settings.yml yet). After that the -# commented source line is invisible to deep-merge, so a later change to -# the commented value can't accidentally overwrite the repo's value. -# ---------------------------------------------------------------- - -# These settings affect the repository itself. -# See https://docs.github.com/en/rest/repos/repos#update-a-repository -repository: - # NOTE: We deliberately do NOT set `name`, `description`, `homepage`, - # or `topics` from the org defaults — those belong to each repo. - # Edit them directly in your repo's .github/settings.yml. - # - # The booleans below are commented with `# @default` — they're set on - # this repo's FIRST sync only. After that, your value wins; org changes - # to the commented line are invisible to subsequent merges. - - # A short description of the repository that will show up on GitHub - # description: ... - - # A URL with more information about the repository - # homepage: https://example.github.io/ - - # A comma-separated list of topics to set on the repository - # topics: ... - - # Either `true` to make the repository private, or `false` to make it public. - # NOTE: intentionally not set org-wide — public/private is a per-repo decision. - # private: false - - # Either `true` to enable issues for this repository, `false` to disable them. - has_issues: true - - # Either `true` to enable projects for this repository, or `false` to disable them. - # NOTE: We use org-level projects, not repo-level. - has_projects: false - - # Either `true` to enable the wiki for this repository, `false` to disable it. - has_wiki: false - - # Either `true` to enable downloads for this repository, `false` to disable them. - has_downloads: false - - # Updates the default branch for this repository. - default_branch: main - - # Either `true` to allow squash-merging pull requests, or `false` to prevent - # squash-merging. - allow_squash_merge: true - - # Either `true` to allow merging pull requests with a merge commit, or `false` - # to prevent merging pull requests with merge commits. - allow_merge_commit: false - - # Either `true` to allow rebase-merging pull requests, or `false` to prevent - # rebase-merging. - allow_rebase_merge: true - - # Either `true` to enable automatic deletion of branches on merge, or `false` - # to disable. - delete_branch_on_merge: true - - # Either `true` to allow auto-merge on pull requests, or `false` to disallow. - allow_auto_merge: true - - # The default value for a squash merge commit title: - # - PR_TITLE — default to the pull request's title - # - COMMIT_OR_PR_TITLE — default to the commit's title (if only one commit) - # or the pull request's title (when more than one commit) - squash_merge_commit_title: PR_TITLE - - # The default value for a squash merge commit message: - # - PR_BODY — default to the pull request's body - # - COMMIT_MESSAGES — default to the branch's commit messages - # - BLANK — default to a blank commit message - squash_merge_commit_message: PR_BODY - -# Labels: managed centrally via .github/labels.yaml + sync-labels workflow. -# Intentionally omitted here so the two sources don't fight. - -# Rulesets — repository-level branch/tag rulesets. -# Docs: https://github.com/repository-settings/app/blob/master/docs/plugins/rulesets.md -# API : https://docs.github.com/en/rest/repos/rules -# -# enforcement values: -# - active : rules are enforced -# - disabled : ruleset exists but is not enforced (dormant) -# - evaluate : rules are checked and reported but not enforced (preview) -# NOTE: If `enforcement` is omitted on a ruleset, the sync writer fills it -# with `active`. Each ruleset below either: -# - sets `enforcement: active` (always-on org policy — overriding is discouraged), or -# - sets `enforcement: disabled` plus a commented `# enforcement: 'active'` -# sibling that a repo can uncomment (and delete the disabled line) to enable, or -# - omits `enforcement` and provides a commented `# enforcement: 'active'` -# hint that a repo can uncomment to lock the ruleset on explicitly. -# -# bypass_actors[].bypass_mode values: -# - always : prompts the user to bypass at push/merge time (GitHub UI default) -# - pull_request : bypass only allowed via a PR (push-time bypass blocked) -# NOTE: omitting bypass_mode lets the merger fill `always`. -# -# Every ruleset seeds repo admins (RepositoryRole id 5) as bypass actors so -# the org doesn't lock admins out. Repos can append more bypass_actors; for -# the admin entry itself, source-wins (you can't silently widen admin bypass -# to `always` if the org set `pull_request`). -rulesets: - # ---- 1. No delete / no force-push on the default branch ---- - - name: protect-default-branch - target: branch - enforcement: active # always enforced — overriding this is discouraged - conditions: - ref_name: - include: - - "~DEFAULT_BRANCH" # special selector: whatever the default branch is - exclude: [] - bypass_actors: - # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). - # Repos can add more actors (other teams, integrations). - - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin - bypass_mode: always - # automation-nsheaps GitHub App — actor_id is substituted from 2549081 - # by render-repo-settings when this template is rendered to repo-settings.yaml. - - actor_id: 2549081 - actor_type: Integration - bypass_mode: always - rules: - - type: deletion # block branch deletion - - type: non_fast_forward # block force-push - - # ---- 2. PR required (0 reviews) ---- - - name: require-pr - target: branch - # enforcement: 'active' # uncomment to lock this ruleset on in this repo - conditions: - ref_name: - include: ["~DEFAULT_BRANCH"] - exclude: [] - bypass_actors: - # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). - # Repos can add more actors (other teams, integrations). - - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin - bypass_mode: always - # automation-nsheaps GitHub App — actor_id is substituted from 2549081 - # by render-repo-settings when this template is rendered to repo-settings.yaml. - - actor_id: 2549081 - actor_type: Integration - bypass_mode: exempt - rules: - - type: pull_request - # parameters: - # Possible additional parameters (commented for repos to opt in): - # required_approving_review_count: 0 - # dismiss_stale_reviews_on_push: false - # require_code_owner_review: false - # require_last_push_approval: false - # required_review_thread_resolution: false - # allowed_merge_methods: [merge, squash, rebase] - - # ---- 3. Checks required ---- - # NOTE: shipped ACTIVE with an empty required_status_checks list — a valid - # GitHub config that's a no-op until a repo populates the list. Repos just - # add entries under required_status_checks below; no enforcement flip needed. - # The org doesn't mandate specific status checks (each repo has its own CI), - # which is why the list is empty here. - parameters: - required_approving_review_count: 0 - dismiss_stale_reviews_on_push: false - require_code_owner_review: false - require_last_push_approval: false - required_review_thread_resolution: false - # allowed_merge_methods: [merge, squash, rebase] # optional - - # ---- 3. Review required — 1 reviewer (active by default) ---- - enforcement: active - - name: require-checks - target: branch - enforcement: active - conditions: - ref_name: - include: ["~DEFAULT_BRANCH"] - exclude: [] - bypass_actors: - # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). - # Repos can add more actors (other teams, integrations). - - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin - bypass_mode: always - # automation-nsheaps GitHub App — actor_id is substituted from 2549081 - # by render-repo-settings when this template is rendered to repo-settings.yaml. - - actor_id: 2549081 - actor_type: Integration - bypass_mode: always - rules: - - type: required_status_checks - parameters: - strict_required_status_checks_policy: true - required_status_checks: [] # ← repos add { context, integration_id } entries - - # ---- 4. Review required — 1 reviewer (active by default) ---- - - name: require-1-review - target: branch - # enforcement: 'active' # uncomment to lock this ruleset on in this repo - conditions: - ref_name: - include: ["~DEFAULT_BRANCH"] - exclude: [] - bypass_actors: - # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). - # Repos can add more actors (other teams, integrations). - - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin - bypass_mode: always - # automation-nsheaps GitHub App — actor_id is substituted from 2549081 - # by render-repo-settings when this template is rendered to repo-settings.yaml. - - actor_id: 2549081 - actor_type: Integration - bypass_mode: exempt - rules: - - type: pull_request - parameters: - required_approving_review_count: 1 - dismiss_stale_reviews_on_push: true - require_last_push_approval: false - required_review_thread_resolution: true - - # ---- 5. Review required — 1 reviewer from CODEOWNERS (disabled by default) ---- - # NOTE: shipped DISABLED. Repos with a meaningful CODEOWNERS file flip to - # `enforcement: active` and likely set `require-1-review.enforcement: disabled` - # so the two don't double up. - require_code_owner_review: false - enforcement: active - - name: require-codeowner-review - target: branch - enforcement: disabled - # enforcement: 'active' # uncomment (and remove the disabled line above) to enable - conditions: - ref_name: - include: ["~DEFAULT_BRANCH"] - exclude: [] - bypass_actors: - # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). - # Repos can add more actors (other teams, integrations). - - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin - bypass_mode: always - # automation-nsheaps GitHub App — actor_id is substituted from 2549081 - # by render-repo-settings when this template is rendered to repo-settings.yaml. - - actor_id: 2549081 - actor_type: Integration - bypass_mode: exempt - rules: - - type: pull_request - parameters: - required_approving_review_count: 1 - require_code_owner_review: true - dismiss_stale_reviews_on_push: true - required_review_thread_resolution: true - require_last_push_approval: false