From 02e1ff5ed92186373386fd9af53d69d8c9c0f5b0 Mon Sep 17 00:00:00 2001
From: "automation-nsheaps[bot]" <251779498+automation-nsheaps[bot]@users.noreply.github.com>
Date: Fri, 29 May 2026 01:39:08 +0000
Subject: [PATCH] [sync] Create .github/workflows/apply-repo-settings.yaml
---
.github/workflows/apply-repo-settings.yaml | 64 ++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 .github/workflows/apply-repo-settings.yaml
diff --git a/.github/workflows/apply-repo-settings.yaml b/.github/workflows/apply-repo-settings.yaml
new file mode 100644
index 0000000..29b03bf
--- /dev/null
+++ b/.github/workflows/apply-repo-settings.yaml
@@ -0,0 +1,64 @@
+# This file is managed by nsheaps/.github (sync-files).
+# Source: https://github.com/nsheaps/.github/blob/main/ansible/templates/.github/workflows/apply-repo-settings.yaml
+# Edit-in-place will be overwritten on the next sync.
+name: Apply Repo Settings
+
+# Reads `.github/settings.yml` from THIS repo and applies the
+# repository config + rulesets via the apply-repo-settings action
+# (https://github.com/nsheaps/github-actions/tree/main/.github/actions/apply-repo-settings).
+#
+# Ephemeral, in-workflow alternative to the third-party
+# repository-settings GitHub App. Runs only when invoked.
+#
+# Auth: reuses the org's automation App (AUTOMATION_GITHUB_APP_*) —
+# same app used by sync-labels / sync-files / sync-secrets / sync-stars.
+# That app must have `Administration: write` for rulesets to apply; if
+# they don't, check the app's permission grants first.
+#
+# Triggers:
+# workflow_dispatch manual, with dry-run toggle
+# repository_dispatch external triggers (other workflows / curl)
+# push to main when .github/settings.yml changes
+
+on:
+ workflow_dispatch:
+ inputs:
+ dry-run:
+ description: "Render only; don't apply"
+ type: boolean
+ default: false
+ repository_dispatch:
+ types: [apply-repo-settings]
+ push:
+ branches: [main]
+ paths:
+ - '.github/settings.yml'
+ - '.github/workflows/apply-repo-settings.yaml'
+
+permissions:
+ contents: read
+
+concurrency:
+ # Serialize per-ref so a fast follow-up push waits for the in-flight run.
+ group: apply-repo-settings-${{ github.ref }}
+ cancel-in-progress: false
+
+jobs:
+ apply:
+ name: Apply settings to this repo
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Apply
+ id: apply
+ uses: nsheaps/github-actions/.github/actions/apply-repo-settings@main
+ with:
+ app-id: ${{ secrets.AUTOMATION_GITHUB_APP_ID }}
+ private-key: ${{ secrets.AUTOMATION_GITHUB_APP_PRIVATE_KEY }}
+ dry-run: ${{ inputs.dry-run || false }}
+
+ - name: Show summary
+ if: always()
+ run: |
+ echo "Summary: ${{ steps.apply.outputs.summary }}"
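Review bot: The `Apply` step hands the automation App's private key to `nsheaps/github-actions/.github/actions/apply-repo-settings@main`, a mutable branch ref, so whatever lands on that branch next runs with a credential the header comment says carries `Administration: write`. Pin it to a reviewed commit, e.g. `uses: nsheaps/github-actions/.github/actions/apply-repo-settings@<full-commit-sha>  # main`, and let the sync tooling bump the SHA. In `Show summary`, `${{ steps.apply.outputs.summary }}` is expanded into the script text before the shell runs; if the summary can echo names or values from `.github/settings.yml` (not visible here), quotes or `$(...)` in it would be parsed as shell. Passing it through the environment avoids that: add `env:` with `SUMMARY: ${{ steps.apply.outputs.summary }}` to the step and change the command to `echo "Summary: $SUMMARY"`.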