From 3f379741beabb5b3d51707e4cc606684f5cd2208 Mon Sep 17 00:00:00 2001 From: "automation-nsheaps[bot]" <251779498+automation-nsheaps[bot]@users.noreply.github.com> Date: Thu, 28 May 2026 23:19:07 +0000 Subject: [PATCH 1/2] [sync] Create .github/settings.yml --- .github/settings.yml | 285 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 285 insertions(+) create mode 100644 .github/settings.yml diff --git a/.github/settings.yml b/.github/settings.yml new file mode 100644 index 0000000..97021a5 --- /dev/null +++ b/.github/settings.yml 
@@ -0,0 +1,285 @@ +# ---------------------------------------------------------------- +# Auto-merged from nsheaps/.github on every sync. +# Source: https://github.com/nsheaps/.github/blob/205c0facd34ed35bb05184547a59c000dea13a9d/.github/repo-settings.yaml +# Edits to this file are KEPT on the next sync (deep merge). +# To remove an org default, delete the key here — it will not come back. +# ---------------------------------------------------------------- +# ---------------------------------------------------------------- +# nsheaps org-wide repository defaults +# +# Consumed by https://github.com/repository-settings/app +# Deep-merged into each managed repo's .github/settings.yml by the +# sync-repo-settings workflow: +# https://github.com/nsheaps/.github/blob/main/.github/workflows/sync-repo-settings.yaml +# +# Merger script + tests: +# https://github.com/nsheaps/.github/blob/main/scripts/repo_settings_merge.py +# +# Merge semantics — short version: +# - scalars : target wins (repo's existing value preserved) +# - mappings : recurse +# - rulesets[] : matched by `name`, deep-merged per item +# - rulesets[].rules[] : matched by `type`, deep-merged per item +# - bypass_actors[] : matched by (actor_id, actor_type) — SOURCE wins on scalars +# - enforcement omitted : normalized to `active` at write time +# +# Do not set per-repo identity (name/description/homepage/topics) here — +# those belong to each repo. +# +# `# @default` convention: lines tagged `# @default` are uncommented ONLY +# on a repo's FIRST sync (when it has no settings.yml yet). After that the +# commented source line is invisible to deep-merge, so a later change to +# the commented value can't accidentally overwrite the repo's value. +# ---------------------------------------------------------------- + +# These settings affect the repository itself. 
+# See https://docs.github.com/en/rest/repos/repos#update-a-repository +repository: + # NOTE: We deliberately do NOT set `name`, `description`, `homepage`, + # or `topics` from the org defaults — those belong to each repo. + # Edit them directly in your repo's .github/settings.yml. + # + # The booleans below are commented with `# @default` — they're set on + # this repo's FIRST sync only. After that, your value wins; org changes + # to the commented line are invisible to subsequent merges. + + # A short description of the repository that will show up on GitHub + # description: ... + + # A URL with more information about the repository + # homepage: https://example.github.io/ + + # A comma-separated list of topics to set on the repository + # topics: ... + + # Either `true` to make the repository private, or `false` to make it public. + # NOTE: intentionally not set org-wide — public/private is a per-repo decision. + # private: false + + # Either `true` to enable issues for this repository, `false` to disable them. + has_issues: true + + # Either `true` to enable projects for this repository, or `false` to disable them. + # NOTE: We use org-level projects, not repo-level. + has_projects: false + + # Either `true` to enable the wiki for this repository, `false` to disable it. + has_wiki: false + + # Either `true` to enable downloads for this repository, `false` to disable them. + has_downloads: false + + # Updates the default branch for this repository. + default_branch: main + + # Either `true` to allow squash-merging pull requests, or `false` to prevent + # squash-merging. + allow_squash_merge: true + + # Either `true` to allow merging pull requests with a merge commit, or `false` + # to prevent merging pull requests with merge commits. + allow_merge_commit: false + + # Either `true` to allow rebase-merging pull requests, or `false` to prevent + # rebase-merging. 
+ allow_rebase_merge: true + + # Either `true` to enable automatic deletion of branches on merge, or `false` + # to disable. + delete_branch_on_merge: true + + # Either `true` to allow auto-merge on pull requests, or `false` to disallow. + allow_auto_merge: true + + # The default value for a squash merge commit title: + # - PR_TITLE — default to the pull request's title + # - COMMIT_OR_PR_TITLE — default to the commit's title (if only one commit) + # or the pull request's title (when more than one commit) + squash_merge_commit_title: PR_TITLE + + # The default value for a squash merge commit message: + # - PR_BODY — default to the pull request's body + # - COMMIT_MESSAGES — default to the branch's commit messages + # - BLANK — default to a blank commit message + squash_merge_commit_message: PR_BODY + +# Labels: managed centrally via .github/labels.yaml + sync-labels workflow. +# Intentionally omitted here so the two sources don't fight. + +# Rulesets — repository-level branch/tag rulesets. +# Docs: https://github.com/repository-settings/app/blob/master/docs/plugins/rulesets.md +# API : https://docs.github.com/en/rest/repos/rules +# +# enforcement values: +# - active : rules are enforced +# - disabled : ruleset exists but is not enforced (dormant) +# - evaluate : rules are checked and reported but not enforced (preview) +# NOTE: If `enforcement` is omitted on a ruleset, the sync writer fills it +# with `active`. Each ruleset below either: +# - sets `enforcement: active` (always-on org policy — overriding is discouraged), or +# - sets `enforcement: disabled` plus a commented `# enforcement: 'active'` +# sibling that a repo can uncomment (and delete the disabled line) to enable, or +# - omits `enforcement` and provides a commented `# enforcement: 'active'` +# hint that a repo can uncomment to lock the ruleset on explicitly. 
+# +# bypass_actors[].bypass_mode values: +# - always : prompts the user to bypass at push/merge time (GitHub UI default) +# - pull_request : bypass only allowed via a PR (push-time bypass blocked) +# NOTE: omitting bypass_mode lets the merger fill `always`. +# +# Every ruleset seeds repo admins (RepositoryRole id 5) as bypass actors so +# the org doesn't lock admins out. Repos can append more bypass_actors; for +# the admin entry itself, source-wins (you can't silently widen admin bypass +# to `always` if the org set `pull_request`). +rulesets: + # ---- 1. No delete / no force-push on the default branch ---- + - name: protect-default-branch + target: branch + enforcement: active # always enforced — overriding this is discouraged + conditions: + ref_name: + include: + - "~DEFAULT_BRANCH" # special selector: whatever the default branch is + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). + - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + - actor_id: 101490915 + actor_type: Integration + bypass_mode: always + rules: + - type: deletion # block branch deletion + - type: non_fast_forward # block force-push + + # ---- 2. PR required (0 reviews) ---- + - name: require-pr + target: branch + enforcement: active + conditions: + ref_name: + include: ["~DEFAULT_BRANCH"] + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). 
+ - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + - actor_id: 101490915 + actor_type: Integration + bypass_mode: always + rules: + - type: pull_request + parameters: + required_approving_review_count: 0 + # Possible additional parameters (commented for repos to opt in): + # dismiss_stale_reviews_on_push: false + # require_code_owner_review: false + # require_last_push_approval: false + # required_review_thread_resolution: false + # allowed_merge_methods: [merge, squash, rebase] + + # - # ---- 3. Checks required ---- + # # NOTE: shipped ACTIVE with an empty required_status_checks list — a valid + # # GitHub config that's a no-op until a repo populates the list. Repos just + # # add entries under required_status_checks below; no enforcement flip needed. + # # The org doesn't mandate specific status checks (each repo has its own CI), + # # which is why the list is empty here. + # name: require-checks + # target: branch + # enforcement: active + # conditions: + # ref_name: + # include: ["~DEFAULT_BRANCH"] + # exclude: [] + # bypass_actors: + # # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # # Repos can add more actors (other teams, integrations). + # - actor_id: 5 + # actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + # bypass_mode: always + # rules: + # - type: required_status_checks + # parameters: + # strict_required_status_checks_policy: true + # required_status_checks: [] # ← repos add { context, integration_id } entries + + # ---- 4. Review required — 1 reviewer (active by default) ---- + - name: require-1-review + target: branch + enforcement: active + conditions: + ref_name: + include: ["~DEFAULT_BRANCH"] + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). 
+ - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + - actor_id: 101490915 + actor_type: Integration + bypass_mode: always + rules: + - type: pull_request + parameters: + required_approving_review_count: 1 + dismiss_stale_reviews_on_push: true + require_last_push_approval: false + required_review_thread_resolution: true + + # ---- 5. Review required — 1 reviewer from CODEOWNERS (disabled by default) ---- + # NOTE: shipped DISABLED. Repos with a meaningful CODEOWNERS file flip to + # `enforcement: active` and likely set `require-1-review.enforcement: disabled` + # so the two don't double up. + - name: require-codeowner-review + target: branch + enforcement: disabled + # enforcement: 'active' # uncomment (and remove the disabled line above) to enable + conditions: + ref_name: + include: ["~DEFAULT_BRANCH"] + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). + - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + - actor_id: 101490915 + actor_type: Integration + bypass_mode: always + rules: + - type: pull_request + parameters: + required_approving_review_count: 1 + require_code_owner_review: true + dismiss_stale_reviews_on_push: true + required_review_thread_resolution: true + - name: require-checks + target: branch + enforcement: active + conditions: + ref_name: + include: ["~DEFAULT_BRANCH"] + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). 
+ - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + - actor_id: 101490915 + actor_type: Integration + bypass_mode: always + rules: + - type: required_status_checks + parameters: + strict_required_status_checks_policy: true + required_status_checks: [] # ← repos add { context, integration_id } entries + + # ---- 4. Review required — 1 reviewer (active by default) ---- From de6bb3356c5f33181f184e268acaea1b2564253f Mon Sep 17 00:00:00 2001 From: "automation-nsheaps[bot]" <251779498+automation-nsheaps[bot]@users.noreply.github.com> Date: Thu, 28 May 2026 23:19:28 +0000 Subject: [PATCH 2/2] chore: `mise format` Triggered by: f48b3b127103530cbe18862768dc01dafdd0f9f4 Workflow run: https://github.com/nsheaps/github-actions/actions/runs/26608003128 --- .github/settings.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/settings.yml b/.github/settings.yml index 97021a5..6f7c97d 100644 --- a/.github/settings.yml +++ b/.github/settings.yml 
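Review bot: Every active ruleset in the new file (`protect-default-branch`, `require-pr`, `require-1-review`, `require-checks`) grants `actor_id: 101490915` / `actor_type: Integration` a `bypass_mode: always`, so that one GitHub App can push straight to the default branch, force-push, delete it and merge with no review and no checks — yet the header comment above `rulesets:` says only repo admins (RepositoryRole 5) are seeded as bypass actors, and nothing in the file names the app. Since `bypass_actors[]` entries are documented as source-wins on scalars, downstream repos apparently cannot narrow this entry either, so a compromised or over-scoped installation of that app defeats all four protections across the org. Unless the app genuinely has to push outside a PR, restrict it with `bypass_mode: pull_request` and document it, e.g. `- actor_id: 101490915  # <app name> — TODO confirm which installation this is and why it needs bypass`; as far as I know an `always` bypass on a plain git push is logged rather than interactively prompted, so the "prompts at push/merge time" wording on the admin entries is worth double-checking against the docs too. Separately, the trailing `# ---- 4. Review required …` header after the final `require-checks` ruleset is a leftover, and that live `require-checks` block duplicates the commented-out section 3 above it — drop the stray header and the dead commented copy so the numbering matches the rulesets that are actually applied.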
@@ -132,27 +132,27 @@ repository: # the admin entry itself, source-wins (you can't silently widen admin bypass # to `always` if the org set `pull_request`). rulesets: - # ---- 1. No delete / no force-push on the default branch ---- + # ---- 1. No delete / no force-push on the default branch ---- - name: protect-default-branch target: branch - enforcement: active # always enforced — overriding this is discouraged + enforcement: active # always enforced — overriding this is discouraged conditions: ref_name: include: - - "~DEFAULT_BRANCH" # special selector: whatever the default branch is + - '~DEFAULT_BRANCH' # special selector: whatever the default branch is exclude: [] bypass_actors: # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). # Repos can add more actors (other teams, integrations). - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin bypass_mode: always - actor_id: 101490915 actor_type: Integration bypass_mode: always rules: - - type: deletion # block branch deletion - - type: non_fast_forward # block force-push + - type: deletion # block branch deletion + - type: non_fast_forward # block force-push # ---- 2. PR required (0 reviews) ---- - name: require-pr @@ -160,13 +160,13 @@ rulesets: enforcement: active conditions: ref_name: - include: ["~DEFAULT_BRANCH"] + include: ['~DEFAULT_BRANCH'] exclude: [] bypass_actors: # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). # Repos can add more actors (other teams, integrations). - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin bypass_mode: always - actor_id: 101490915 actor_type: Integration 
@@ -206,20 +206,19 @@ rulesets: # parameters: # strict_required_status_checks_policy: true # required_status_checks: [] # ← repos add { context, integration_id } entries - - # ---- 4. Review required — 1 reviewer (active by default) ---- + # ---- 4. Review required — 1 reviewer (active by default) ---- - name: require-1-review target: branch enforcement: active conditions: ref_name: - include: ["~DEFAULT_BRANCH"] + include: ['~DEFAULT_BRANCH'] exclude: [] bypass_actors: # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). # Repos can add more actors (other teams, integrations). - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin bypass_mode: always - actor_id: 101490915 actor_type: Integration @@ -242,13 +241,13 @@ rulesets: # enforcement: 'active' # uncomment (and remove the disabled line above) to enable conditions: ref_name: - include: ["~DEFAULT_BRANCH"] + include: ['~DEFAULT_BRANCH'] exclude: [] bypass_actors: # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). # Repos can add more actors (other teams, integrations). - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin bypass_mode: always - actor_id: 101490915 actor_type: Integration @@ -265,13 +264,13 @@ rulesets: enforcement: active conditions: ref_name: - include: ["~DEFAULT_BRANCH"] + include: ['~DEFAULT_BRANCH'] exclude: [] bypass_actors: # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). # Repos can add more actors (other teams, integrations). - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin bypass_mode: always - actor_id: 101490915 actor_type: Integration 
@@ -280,6 +279,7 @@ rulesets: - type: required_status_checks parameters: strict_required_status_checks_policy: true - required_status_checks: [] # ← repos add { context, integration_id } entries + required_status_checks: [] # ← repos add { context, integration_id } entries + # ---- 4. Review required — 1 reviewer (active by default) ----