From 698ed482ce5a95c337588f44ba13f6f841b92c06 Mon Sep 17 00:00:00 2001 From: "automation-nsheaps[bot]" <251779498+automation-nsheaps[bot]@users.noreply.github.com> Date: Sat, 30 May 2026 00:22:23 +0000 Subject: [PATCH 1/2] [sync] Create .github/settings.yml --- .github/settings.yml | 284 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 284 insertions(+) create mode 100644 .github/settings.yml diff --git a/.github/settings.yml b/.github/settings.yml new file mode 100644 index 0000000..5378648 --- /dev/null +++ b/.github/settings.yml @@ -0,0 +1,284 @@ +# ---------------------------------------------------------------- +# Auto-merged from nsheaps/.github on every sync. +# Source: https://github.com/nsheaps/.github/blob/6133faed3e0ec6fd17848fdc826a0b80426f664e/.github/repo-settings.yaml +# Edits to this file are KEPT on the next sync (deep merge). +# To remove an org default, delete the key here — it will not come back. +# ---------------------------------------------------------------- +# ---------------------------------------------------------------- +# nsheaps org-wide repository defaults — TEMPLATE +# +# This file is the source of truth. It contains ${ENV_VAR} placeholders +# that get substituted by the render-repo-settings workflow (envsubst), +# which writes the rendered output to repo-settings.yaml in this repo. +# Edit this file (not repo-settings.yaml) for org-wide changes. +# +# Render workflow: +# https://github.com/nsheaps/.github/blob/main/.github/workflows/render-repo-settings.yaml +# +# After rendering, the resolved repo-settings.yaml is deep-merged into +# each managed repo's .github/settings.yml by sync-repo-settings: +# https://github.com/nsheaps/.github/blob/main/.github/workflows/sync-repo-settings.yaml +# +# Merger script + tests: +# https://github.com/nsheaps/.github/blob/main/scripts/repo_settings_merge.py +# +# Merge semantics — short version: +# - scalars : target wins (repo's existing value preserved) +# - mappings : recurse +# - rulesets[] : matched by `name`, deep-merged per item +# - rulesets[].rules[] : matched by `type`, deep-merged per item +# - bypass_actors[] : matched by (actor_id, actor_type) — SOURCE wins on scalars +# - enforcement omitted : normalized to `active` at write time +# +# Do not set per-repo identity (name/description/homepage/topics) here — +# those belong to each repo. +# +# `# @default` convention: lines tagged `# @default` are uncommented ONLY +# on a repo's FIRST sync (when it has no settings.yml yet). After that the +# commented source line is invisible to deep-merge, so a later change to +# the commented value can't accidentally overwrite the repo's value. +# ---------------------------------------------------------------- + +# These settings affect the repository itself. +# See https://docs.github.com/en/rest/repos/repos#update-a-repository +repository: + # NOTE: We deliberately do NOT set `name`, `description`, `homepage`, + # or `topics` from the org defaults — those belong to each repo. + # Edit them directly in your repo's .github/settings.yml. + # + # The booleans below are commented with `# @default` — they're set on + # this repo's FIRST sync only. After that, your value wins; org changes + # to the commented line are invisible to subsequent merges. + + # A short description of the repository that will show up on GitHub + # description: ... + + # A URL with more information about the repository + # homepage: https://example.github.io/ + + # A comma-separated list of topics to set on the repository + # topics: ... + + # Either `true` to make the repository private, or `false` to make it public. + # NOTE: intentionally not set org-wide — public/private is a per-repo decision. + # private: false + + # Either `true` to enable issues for this repository, `false` to disable them. + has_issues: true + + # Either `true` to enable projects for this repository, or `false` to disable them. + # NOTE: We use org-level projects, not repo-level. + has_projects: false + + # Either `true` to enable the wiki for this repository, `false` to disable it. + has_wiki: false + + # Either `true` to enable downloads for this repository, `false` to disable them. + has_downloads: false + + # Updates the default branch for this repository. + default_branch: main + + # Either `true` to allow squash-merging pull requests, or `false` to prevent + # squash-merging. + allow_squash_merge: true + + # Either `true` to allow merging pull requests with a merge commit, or `false` + # to prevent merging pull requests with merge commits. + allow_merge_commit: false + + # Either `true` to allow rebase-merging pull requests, or `false` to prevent + # rebase-merging. + allow_rebase_merge: true + + # Either `true` to enable automatic deletion of branches on merge, or `false` + # to disable. + delete_branch_on_merge: true + + # Either `true` to allow auto-merge on pull requests, or `false` to disallow. + allow_auto_merge: true + + # The default value for a squash merge commit title: + # - PR_TITLE — default to the pull request's title + # - COMMIT_OR_PR_TITLE — default to the commit's title (if only one commit) + # or the pull request's title (when more than one commit) + squash_merge_commit_title: PR_TITLE + + # The default value for a squash merge commit message: + # - PR_BODY — default to the pull request's body + # - COMMIT_MESSAGES — default to the branch's commit messages + # - BLANK — default to a blank commit message + squash_merge_commit_message: PR_BODY + +# Labels: managed centrally via .github/labels.yaml + sync-labels workflow. +# Intentionally omitted here so the two sources don't fight. + +# Rulesets — repository-level branch/tag rulesets. +# Docs: https://github.com/repository-settings/app/blob/master/docs/plugins/rulesets.md +# API : https://docs.github.com/en/rest/repos/rules +# +# enforcement values: +# - active : rules are enforced +# - disabled : ruleset exists but is not enforced (dormant) +# - evaluate : rules are checked and reported but not enforced (preview) +# NOTE: If `enforcement` is omitted on a ruleset, the sync writer fills it +# with `active`. Each ruleset below either: +# - sets `enforcement: active` (always-on org policy — overriding is discouraged), or +# - sets `enforcement: disabled` plus a commented `# enforcement: 'active'` +# sibling that a repo can uncomment (and delete the disabled line) to enable, or +# - omits `enforcement` and provides a commented `# enforcement: 'active'` +# hint that a repo can uncomment to lock the ruleset on explicitly. +# +# bypass_actors[].bypass_mode values: +# - always : prompts the user to bypass at push/merge time (GitHub UI default) +# - pull_request : bypass only allowed via a PR (push-time bypass blocked) +# NOTE: omitting bypass_mode lets the merger fill `always`. +# +# Every ruleset seeds repo admins (RepositoryRole id 5) as bypass actors so +# the org doesn't lock admins out. Repos can append more bypass_actors; for +# the admin entry itself, source-wins (you can't silently widen admin bypass +# to `always` if the org set `pull_request`). +rulesets: + # ---- 1. No delete / no force-push on the default branch ---- + - name: protect-default-branch + target: branch + enforcement: active # always enforced — overriding this is discouraged + conditions: + ref_name: + include: + - "~DEFAULT_BRANCH" # special selector: whatever the default branch is + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). + - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + # automation-nsheaps GitHub App — actor_id is substituted from 2549081 + # by render-repo-settings when this template is rendered to repo-settings.yaml. + - actor_id: 2549081 + actor_type: Integration + bypass_mode: always + rules: + - type: deletion # block branch deletion + - type: non_fast_forward # block force-push + + # ---- 2. PR required (0 reviews) ---- + - name: require-pr + target: branch + # enforcement: 'active' # uncomment to lock this ruleset on in this repo + conditions: + ref_name: + include: ["~DEFAULT_BRANCH"] + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). + - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + # automation-nsheaps GitHub App — actor_id is substituted from 2549081 + # by render-repo-settings when this template is rendered to repo-settings.yaml. + - actor_id: 2549081 + actor_type: Integration + bypass_mode: exempt + rules: + - type: pull_request + # parameters: + # Possible additional parameters (commented for repos to opt in): + # required_approving_review_count: 0 + # dismiss_stale_reviews_on_push: false + # require_code_owner_review: false + # require_last_push_approval: false + # required_review_thread_resolution: false + # allowed_merge_methods: [merge, squash, rebase] + + # ---- 3. Checks required ---- + # NOTE: shipped ACTIVE with an empty required_status_checks list — a valid + # GitHub config that's a no-op until a repo populates the list. Repos just + # add entries under required_status_checks below; no enforcement flip needed. + # The org doesn't mandate specific status checks (each repo has its own CI), + # which is why the list is empty here. + enforcement: active + - name: require-checks + target: branch + enforcement: active + conditions: + ref_name: + include: ["~DEFAULT_BRANCH"] + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). + - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + # automation-nsheaps GitHub App — actor_id is substituted from 2549081 + # by render-repo-settings when this template is rendered to repo-settings.yaml. + - actor_id: 2549081 + actor_type: Integration + bypass_mode: always + rules: + - type: required_status_checks + parameters: + strict_required_status_checks_policy: true + required_status_checks: [] # ← repos add { context, integration_id } entries + + # ---- 4. Review required — 1 reviewer (active by default) ---- + - name: require-1-review + target: branch + # enforcement: 'active' # uncomment to lock this ruleset on in this repo + conditions: + ref_name: + include: ["~DEFAULT_BRANCH"] + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). + - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + # automation-nsheaps GitHub App — actor_id is substituted from 2549081 + # by render-repo-settings when this template is rendered to repo-settings.yaml. + - actor_id: 2549081 + actor_type: Integration + bypass_mode: exempt + rules: + - type: pull_request + parameters: + required_approving_review_count: 1 + dismiss_stale_reviews_on_push: true + require_last_push_approval: false + required_review_thread_resolution: true + + # ---- 5. Review required — 1 reviewer from CODEOWNERS (disabled by default) ---- + # NOTE: shipped DISABLED. Repos with a meaningful CODEOWNERS file flip to + # `enforcement: active` and likely set `require-1-review.enforcement: disabled` + # so the two don't double up. + enforcement: active + - name: require-codeowner-review + target: branch + enforcement: disabled + # enforcement: 'active' # uncomment (and remove the disabled line above) to enable + conditions: + ref_name: + include: ["~DEFAULT_BRANCH"] + exclude: [] + bypass_actors: + # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). + # Repos can add more actors (other teams, integrations). + - actor_id: 5 + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + bypass_mode: always + # automation-nsheaps GitHub App — actor_id is substituted from 2549081 + # by render-repo-settings when this template is rendered to repo-settings.yaml. + - actor_id: 2549081 + actor_type: Integration + bypass_mode: exempt + rules: + - type: pull_request + parameters: + required_approving_review_count: 1 + require_code_owner_review: true + dismiss_stale_reviews_on_push: true + required_review_thread_resolution: true From 96081698cbd1908cc4dc9f2bc55decc9b5b5305f Mon Sep 17 00:00:00 2001 From: "automation-nsheaps[bot]" <251779498+automation-nsheaps[bot]@users.noreply.github.com> Date: Sat, 30 May 2026 00:22:41 +0000 Subject: [PATCH 2/2] chore: `mise format` Triggered by: 7740a1e79d1638ebfb3dbd7b452ce8b184c2dc8d Workflow run: https://github.com/nsheaps/github-actions/actions/runs/26669010385 --- .github/settings.yml | 62 ++++++++++++++++++++++---------------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/.github/settings.yml b/.github/settings.yml index 5378648..39c7e44 100644 --- a/.github/settings.yml +++ b/.github/settings.yml @@ -142,17 +142,17 @@ rulesets: # ---- 1. No delete / no force-push on the default branch ---- - name: protect-default-branch target: branch - enforcement: active # always enforced — overriding this is discouraged + enforcement: active # always enforced — overriding this is discouraged conditions: ref_name: include: - - "~DEFAULT_BRANCH" # special selector: whatever the default branch is + - '~DEFAULT_BRANCH' # special selector: whatever the default branch is exclude: [] bypass_actors: # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). # Repos can add more actors (other teams, integrations). - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin bypass_mode: always # automation-nsheaps GitHub App — actor_id is substituted from 2549081 # by render-repo-settings when this template is rendered to repo-settings.yaml. @@ -160,8 +160,8 @@ rulesets: actor_type: Integration bypass_mode: always rules: - - type: deletion # block branch deletion - - type: non_fast_forward # block force-push + - type: deletion # block branch deletion + - type: non_fast_forward # block force-push # ---- 2. PR required (0 reviews) ---- - name: require-pr @@ -169,13 +169,13 @@ rulesets: # enforcement: 'active' # uncomment to lock this ruleset on in this repo conditions: ref_name: - include: ["~DEFAULT_BRANCH"] + include: ['~DEFAULT_BRANCH'] exclude: [] bypass_actors: # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). # Repos can add more actors (other teams, integrations). - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin bypass_mode: always # automation-nsheaps GitHub App — actor_id is substituted from 2549081 # by render-repo-settings when this template is rendered to repo-settings.yaml. @@ -185,33 +185,33 @@ rulesets: rules: - type: pull_request # parameters: - # Possible additional parameters (commented for repos to opt in): - # required_approving_review_count: 0 - # dismiss_stale_reviews_on_push: false - # require_code_owner_review: false - # require_last_push_approval: false - # required_review_thread_resolution: false - # allowed_merge_methods: [merge, squash, rebase] + # Possible additional parameters (commented for repos to opt in): + # required_approving_review_count: 0 + # dismiss_stale_reviews_on_push: false + # require_code_owner_review: false + # require_last_push_approval: false + # required_review_thread_resolution: false + # allowed_merge_methods: [merge, squash, rebase] - # ---- 3. Checks required ---- - # NOTE: shipped ACTIVE with an empty required_status_checks list — a valid - # GitHub config that's a no-op until a repo populates the list. Repos just - # add entries under required_status_checks below; no enforcement flip needed. - # The org doesn't mandate specific status checks (each repo has its own CI), - # which is why the list is empty here. + # ---- 3. Checks required ---- + # NOTE: shipped ACTIVE with an empty required_status_checks list — a valid + # GitHub config that's a no-op until a repo populates the list. Repos just + # add entries under required_status_checks below; no enforcement flip needed. + # The org doesn't mandate specific status checks (each repo has its own CI), + # which is why the list is empty here. enforcement: active - name: require-checks target: branch enforcement: active conditions: ref_name: - include: ["~DEFAULT_BRANCH"] + include: ['~DEFAULT_BRANCH'] exclude: [] bypass_actors: # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). # Repos can add more actors (other teams, integrations). - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin bypass_mode: always # automation-nsheaps GitHub App — actor_id is substituted from 2549081 # by render-repo-settings when this template is rendered to repo-settings.yaml. @@ -222,7 +222,7 @@ rulesets: - type: required_status_checks parameters: strict_required_status_checks_policy: true - required_status_checks: [] # ← repos add { context, integration_id } entries + required_status_checks: [] # ← repos add { context, integration_id } entries # ---- 4. Review required — 1 reviewer (active by default) ---- - name: require-1-review @@ -230,13 +230,13 @@ rulesets: # enforcement: 'active' # uncomment to lock this ruleset on in this repo conditions: ref_name: - include: ["~DEFAULT_BRANCH"] + include: ['~DEFAULT_BRANCH'] exclude: [] bypass_actors: # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). # Repos can add more actors (other teams, integrations). - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin bypass_mode: always # automation-nsheaps GitHub App — actor_id is substituted from 2549081 # by render-repo-settings when this template is rendered to repo-settings.yaml. @@ -251,10 +251,10 @@ rulesets: require_last_push_approval: false required_review_thread_resolution: true - # ---- 5. Review required — 1 reviewer from CODEOWNERS (disabled by default) ---- - # NOTE: shipped DISABLED. Repos with a meaningful CODEOWNERS file flip to - # `enforcement: active` and likely set `require-1-review.enforcement: disabled` - # so the two don't double up. + # ---- 5. Review required — 1 reviewer from CODEOWNERS (disabled by default) ---- + # NOTE: shipped DISABLED. Repos with a meaningful CODEOWNERS file flip to + # `enforcement: active` and likely set `require-1-review.enforcement: disabled` + # so the two don't double up. enforcement: active - name: require-codeowner-review target: branch @@ -262,13 +262,13 @@ rulesets: # enforcement: 'active' # uncomment (and remove the disabled line above) to enable conditions: ref_name: - include: ["~DEFAULT_BRANCH"] + include: ['~DEFAULT_BRANCH'] exclude: [] bypass_actors: # Repo admins can bypass (always = prompts at push/merge time, not silent exempt). # Repos can add more actors (other teams, integrations). - actor_id: 5 - actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin + actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin bypass_mode: always # automation-nsheaps GitHub App — actor_id is substituted from 2549081 # by render-repo-settings when this template is rendered to repo-settings.yaml.