diff --git a/.github/settings.yml b/.github/settings.yml new file mode 100644 index 0000000..39c7e44 --- /dev/null +++ b/.github/settings.yml @@ -0,0 +1,284 @@ +# ---------------------------------------------------------------- +# Auto-merged from nsheaps/.github on every sync. +# Source: https://github.com/nsheaps/.github/blob/6133faed3e0ec6fd17848fdc826a0b80426f664e/.github/repo-settings.yaml +# Edits to this file are KEPT on the next sync (deep merge). +# To remove an org default, delete the key here — it will not come back. +# ---------------------------------------------------------------- +# ---------------------------------------------------------------- +# nsheaps org-wide repository defaults — TEMPLATE +# +# This file is the source of truth. It contains ${ENV_VAR} placeholders +# that get substituted by the render-repo-settings workflow (envsubst), +# which writes the rendered output to repo-settings.yaml in this repo. +# Edit this file (not repo-settings.yaml) for org-wide changes. +# +# Render workflow: +# https://github.com/nsheaps/.github/blob/main/.github/workflows/render-repo-settings.yaml +# +# After rendering, the resolved repo-settings.yaml is deep-merged into +# each managed repo's .github/settings.yml by sync-repo-settings: +# https://github.com/nsheaps/.github/blob/main/.github/workflows/sync-repo-settings.yaml +# +# Merger script + tests: +# https://github.com/nsheaps/.github/blob/main/scripts/repo_settings_merge.py +# +# Merge semantics — short version: +# - scalars : target wins (repo's existing value preserved) +# - mappings : recurse +# - rulesets[] : matched by `name`, deep-merged per item +# - rulesets[].rules[] : matched by `type`, deep-merged per item +# - bypass_actors[] : matched by (actor_id, actor_type) — SOURCE wins on scalars +# - enforcement omitted : normalized to `active` at write time +# +# Do not set per-repo identity (name/description/homepage/topics) here — +# those belong to each repo. +# +# `# @default` convention: lines tagged `# @default` are uncommented ONLY +# on a repo's FIRST sync (when it has no settings.yml yet). After that the +# commented source line is invisible to deep-merge, so a later change to +# the commented value can't accidentally overwrite the repo's value. +# ---------------------------------------------------------------- + +# These settings affect the repository itself. +# See https://docs.github.com/en/rest/repos/repos#update-a-repository +repository: + # NOTE: We deliberately do NOT set `name`, `description`, `homepage`, + # or `topics` from the org defaults — those belong to each repo. + # Edit them directly in your repo's .github/settings.yml. + # + # The booleans below are commented with `# @default` — they're set on + # this repo's FIRST sync only. After that, your value wins; org changes + # to the commented line are invisible to subsequent merges. + + # A short description of the repository that will show up on GitHub + # description: ... + + # A URL with more information about the repository + # homepage: https://example.github.io/ + + # A comma-separated list of topics to set on the repository + # topics: ... + + # Either `true` to make the repository private, or `false` to make it public. + # NOTE: intentionally not set org-wide — public/private is a per-repo decision. + # private: false + + # Either `true` to enable issues for this repository, `false` to disable them. + has_issues: true + + # Either `true` to enable projects for this repository, or `false` to disable them. + # NOTE: We use org-level projects, not repo-level. + has_projects: false + + # Either `true` to enable the wiki for this repository, `false` to disable it. + has_wiki: false + + # Either `true` to enable downloads for this repository, `false` to disable them. + has_downloads: false + + # Updates the default branch for this repository. + default_branch: main + + # Either `true` to allow squash-merging pull requests, or `false` to prevent + # squash-merging. + allow_squash_merge: true + + # Either `true` to allow merging pull requests with a merge commit, or `false` + # to prevent merging pull requests with merge commits. + allow_merge_commit: false + + # Either `true` to allow rebase-merging pull requests, or `false` to prevent + # rebase-merging. + allow_rebase_merge: true + + # Either `true` to enable automatic deletion of branches on merge, or `false` + # to disable. + delete_branch_on_merge: true + + # Either `true` to allow auto-merge on pull requests, or `false` to disallow. + allow_auto_merge: true + + # The default value for a squash merge commit title: + # - PR_TITLE — default to the pull request's title + # - COMMIT_OR_PR_TITLE — default to the commit's title (if only one commit) + # or the pull request's title (when more than one commit) + squash_merge_commit_title: PR_TITLE + + # The default value for a squash merge commit message: + # - PR_BODY — default to the pull request's body + # - COMMIT_MESSAGES — default to the branch's commit messages + # - BLANK — default to a blank commit message + squash_merge_commit_message: PR_BODY + +# Labels: managed centrally via .github/labels.yaml + sync-labels workflow. +# Intentionally omitted here so the two sources don't fight. + +# Rulesets — repository-level branch/tag rulesets. +# Docs: https://github.com/repository-settings/app/blob/master/docs/plugins/rulesets.md +# API : https://docs.github.com/en/rest/repos/rules +# +# enforcement values: +# - active : rules are enforced +# - disabled : ruleset exists but is not enforced (dormant) +# - evaluate : rules are checked and reported but not enforced (preview) +# NOTE: If `enforcement` is omitted on a ruleset, the sync writer fills it +# with `active`. Each ruleset below either: +# - sets `enforcement: active` (always-on org policy — overriding is discouraged), or +# - sets `enforcement: disabled` plus a commented `# enforcement: 'active'` +# sibling that a repo can uncomment (and delete the disabled line) to enable, or +# - omits `enforcement` and provides a commented `# enforcement: 'active'` +# hint that a repo can uncomment to lock the ruleset on explicitly. +# +# bypass_actors[].bypass_mode values: +# - always : prompts the user to bypass at push/merge time (GitHub UI default) +# - pull_request : bypass only allowed via a PR (push-time bypass blocked) +# NOTE: omitting bypass_mode lets the merger fill `always`. +# +# Every ruleset seeds repo admins (RepositoryRole id 5) as bypass actors so +# the org doesn't lock admins out. Repos can append more bypass_actors; for +# the admin entry itself, source-wins (you can't silently widen admin bypass +# to `always` if the org set `pull_request`). +rulesets: + # ---- 1. No delete / no force-push on the default branch ---- + - name: protect-default-branch + target: branch + enforcement: active # always enforced — overriding this is discouraged + conditions: + ref_name: + include: + - '~DEFAULT_BRANCH' # special selector: whatever the default branch is + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). + - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + # automation-nsheaps GitHub App — actor_id is substituted from 2549081 + # by render-repo-settings when this template is rendered to repo-settings.yaml. + - actor_id: 2549081 + actor_type: Integration + bypass_mode: always + rules: + - type: deletion # block branch deletion + - type: non_fast_forward # block force-push + + # ---- 2. PR required (0 reviews) ---- + - name: require-pr + target: branch + # enforcement: 'active' # uncomment to lock this ruleset on in this repo + conditions: + ref_name: + include: ['~DEFAULT_BRANCH'] + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). + - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + # automation-nsheaps GitHub App — actor_id is substituted from 2549081 + # by render-repo-settings when this template is rendered to repo-settings.yaml. + - actor_id: 2549081 + actor_type: Integration + bypass_mode: exempt + rules: + - type: pull_request + # parameters: + # Possible additional parameters (commented for repos to opt in): + # required_approving_review_count: 0 + # dismiss_stale_reviews_on_push: false + # require_code_owner_review: false + # require_last_push_approval: false + # required_review_thread_resolution: false + # allowed_merge_methods: [merge, squash, rebase] + + # ---- 3. Checks required ---- + # NOTE: shipped ACTIVE with an empty required_status_checks list — a valid + # GitHub config that's a no-op until a repo populates the list. Repos just + # add entries under required_status_checks below; no enforcement flip needed. + # The org doesn't mandate specific status checks (each repo has its own CI), + # which is why the list is empty here. + enforcement: active + - name: require-checks + target: branch + enforcement: active + conditions: + ref_name: + include: ['~DEFAULT_BRANCH'] + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). + - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + # automation-nsheaps GitHub App — actor_id is substituted from 2549081 + # by render-repo-settings when this template is rendered to repo-settings.yaml. + - actor_id: 2549081 + actor_type: Integration + bypass_mode: always + rules: + - type: required_status_checks + parameters: + strict_required_status_checks_policy: true + required_status_checks: [] # ← repos add { context, integration_id } entries + + # ---- 4. Review required — 1 reviewer (active by default) ---- + - name: require-1-review + target: branch + # enforcement: 'active' # uncomment to lock this ruleset on in this repo + conditions: + ref_name: + include: ['~DEFAULT_BRANCH'] + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). + - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + # automation-nsheaps GitHub App — actor_id is substituted from 2549081 + # by render-repo-settings when this template is rendered to repo-settings.yaml. + - actor_id: 2549081 + actor_type: Integration + bypass_mode: exempt + rules: + - type: pull_request + parameters: + required_approving_review_count: 1 + dismiss_stale_reviews_on_push: true + require_last_push_approval: false + required_review_thread_resolution: true + + # ---- 5. Review required — 1 reviewer from CODEOWNERS (disabled by default) ---- + # NOTE: shipped DISABLED. Repos with a meaningful CODEOWNERS file flip to + # `enforcement: active` and likely set `require-1-review.enforcement: disabled` + # so the two don't double up. + enforcement: active + - name: require-codeowner-review + target: branch + enforcement: disabled + # enforcement: 'active' # uncomment (and remove the disabled line above) to enable + conditions: + ref_name: + include: ['~DEFAULT_BRANCH'] + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). + - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + # automation-nsheaps GitHub App — actor_id is substituted from 2549081 + # by render-repo-settings when this template is rendered to repo-settings.yaml. + - actor_id: 2549081 + actor_type: Integration + bypass_mode: exempt + rules: + - type: pull_request + parameters: + required_approving_review_count: 1 + require_code_owner_review: true + dismiss_stale_reviews_on_push: true + required_review_thread_resolution: true