[sync] Update .github/settings.yml

.github/settings.yml

@@ -0,0 +1,284 @@
+# ----------------------------------------------------------------
+# Auto-merged from nsheaps/.github on every sync.
+#   Source: https://github.com/nsheaps/.github/blob/6133faed3e0ec6fd17848fdc826a0b80426f664e/.github/repo-settings.yaml
+# Edits to this file are KEPT on the next sync (deep merge).
+# To remove an org default, delete the key here — it will not come back.
+# ----------------------------------------------------------------
+# ----------------------------------------------------------------
+# nsheaps org-wide repository defaults — TEMPLATE
+#
+# This file is the source of truth. It contains ${ENV_VAR} placeholders
+# that get substituted by the render-repo-settings workflow (envsubst),
+# which writes the rendered output to repo-settings.yaml in this repo.
+# Edit this file (not repo-settings.yaml) for org-wide changes.
+#
+# Render workflow:
+#   https://github.com/nsheaps/.github/blob/main/.github/workflows/render-repo-settings.yaml
+#
+# After rendering, the resolved repo-settings.yaml is deep-merged into
+# each managed repo's .github/settings.yml by sync-repo-settings:
+#   https://github.com/nsheaps/.github/blob/main/.github/workflows/sync-repo-settings.yaml
+#
+# Merger script + tests:
+#   https://github.com/nsheaps/.github/blob/main/scripts/repo_settings_merge.py
+#
+# Merge semantics — short version:
+#   - scalars             : target wins (repo's existing value preserved)
+#   - mappings            : recurse
+#   - rulesets[]          : matched by `name`, deep-merged per item
+#   - rulesets[].rules[]  : matched by `type`, deep-merged per item
+#   - bypass_actors[]     : matched by (actor_id, actor_type) — SOURCE wins on scalars
+#   - enforcement omitted : normalized to `active` at write time
+#
+# Do not set per-repo identity (name/description/homepage/topics) here —
+# those belong to each repo.
+#
+# `# @default` convention: lines tagged `# @default` are uncommented ONLY
+# on a repo's FIRST sync (when it has no settings.yml yet). After that the
+# commented source line is invisible to deep-merge, so a later change to
+# the commented value can't accidentally overwrite the repo's value.
+# ----------------------------------------------------------------
+
+# These settings affect the repository itself.
+# See https://docs.github.com/en/rest/repos/repos#update-a-repository
+repository:
+  # NOTE: We deliberately do NOT set `name`, `description`, `homepage`,
+  # or `topics` from the org defaults — those belong to each repo.
+  # Edit them directly in your repo's .github/settings.yml.
+  #
+  # The booleans below are commented with `# @default` — they're set on
+  # this repo's FIRST sync only. After that, your value wins; org changes
+  # to the commented line are invisible to subsequent merges.
+
+  # A short description of the repository that will show up on GitHub
+  # description: ...
+
+  # A URL with more information about the repository
+  # homepage: https://example.github.io/
+
+  # A comma-separated list of topics to set on the repository
+  # topics: ...
+
+  # Either `true` to make the repository private, or `false` to make it public.
+  # NOTE: intentionally not set org-wide — public/private is a per-repo decision.
+  # private: false
+
+  # Either `true` to enable issues for this repository, `false` to disable them.
+  has_issues: true
+
+  # Either `true` to enable projects for this repository, or `false` to disable them.
+  # NOTE: We use org-level projects, not repo-level.
+  has_projects: false
+
+  # Either `true` to enable the wiki for this repository, `false` to disable it.
+  has_wiki: false
+
+  # Either `true` to enable downloads for this repository, `false` to disable them.
+  has_downloads: false
+
+  # Updates the default branch for this repository.
+  default_branch: main
+
+  # Either `true` to allow squash-merging pull requests, or `false` to prevent
+  # squash-merging.
+  allow_squash_merge: true
+
+  # Either `true` to allow merging pull requests with a merge commit, or `false`
+  # to prevent merging pull requests with merge commits.
+  allow_merge_commit: false
+
+  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+  # rebase-merging.
+  allow_rebase_merge: true
+
+  # Either `true` to enable automatic deletion of branches on merge, or `false`
+  # to disable.
+  delete_branch_on_merge: true
+
+  # Either `true` to allow auto-merge on pull requests, or `false` to disallow.
+  allow_auto_merge: true
+
+  # The default value for a squash merge commit title:
+  #   - PR_TITLE            — default to the pull request's title
+  #   - COMMIT_OR_PR_TITLE  — default to the commit's title (if only one commit)
+  #                           or the pull request's title (when more than one commit)
+  squash_merge_commit_title: PR_TITLE
+
+  # The default value for a squash merge commit message:
+  #   - PR_BODY             — default to the pull request's body
+  #   - COMMIT_MESSAGES     — default to the branch's commit messages
+  #   - BLANK               — default to a blank commit message
+  squash_merge_commit_message: PR_BODY
+
+# Labels: managed centrally via .github/labels.yaml + sync-labels workflow.
+# Intentionally omitted here so the two sources don't fight.
+
+# Rulesets — repository-level branch/tag rulesets.
+# Docs: https://github.com/repository-settings/app/blob/master/docs/plugins/rulesets.md
+# API : https://docs.github.com/en/rest/repos/rules
+#
+# enforcement values:
+#   - active    : rules are enforced
+#   - disabled  : ruleset exists but is not enforced (dormant)
+#   - evaluate  : rules are checked and reported but not enforced (preview)
+# NOTE: If `enforcement` is omitted on a ruleset, the sync writer fills it
+# with `active`. Each ruleset below either:
+#   - sets `enforcement: active` (always-on org policy — overriding is discouraged), or
+#   - sets `enforcement: disabled` plus a commented `# enforcement: 'active'`
+#     sibling that a repo can uncomment (and delete the disabled line) to enable, or
+#   - omits `enforcement` and provides a commented `# enforcement: 'active'`
+#     hint that a repo can uncomment to lock the ruleset on explicitly.
+#
+# bypass_actors[].bypass_mode values:
+#   - always       : prompts the user to bypass at push/merge time (GitHub UI default)
+#   - pull_request : bypass only allowed via a PR (push-time bypass blocked)
+# NOTE: omitting bypass_mode lets the merger fill `always`.
+#
+# Every ruleset seeds repo admins (RepositoryRole id 5) as bypass actors so
+# the org doesn't lock admins out. Repos can append more bypass_actors; for
+# the admin entry itself, source-wins (you can't silently widen admin bypass
+# to `always` if the org set `pull_request`).
+rulesets:
+  # ---- 1. No delete / no force-push on the default branch ----
+  - name: protect-default-branch
+    target: branch
+    enforcement: active # always enforced — overriding this is discouraged
+    conditions:
+      ref_name:
+        include:
+          - '~DEFAULT_BRANCH' # special selector: whatever the default branch is
+        exclude: []
+    bypass_actors:
+      # Repo admins can bypass (always = prompts at push/merge time, not silent exempt).
+      # Repos can add more actors (other teams, integrations).
+      - actor_id: 5
+        actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin
+        bypass_mode: always
+      # automation-nsheaps GitHub App — actor_id is substituted from 2549081
+      # by render-repo-settings when this template is rendered to repo-settings.yaml.
+      - actor_id: 2549081
+        actor_type: Integration
+        bypass_mode: always
+    rules:
+      - type: deletion # block branch deletion
+      - type: non_fast_forward # block force-push
+
+  # ---- 2. PR required (0 reviews) ----
+  - name: require-pr
+    target: branch
+    # enforcement: 'active'    # uncomment to lock this ruleset on in this repo
+    conditions:
+      ref_name:
+        include: ['~DEFAULT_BRANCH']
+        exclude: []
+    bypass_actors:
+      # Repo admins can bypass (always = prompts at push/merge time, not silent exempt).
+      # Repos can add more actors (other teams, integrations).
+      - actor_id: 5
+        actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin
+        bypass_mode: always
+      # automation-nsheaps GitHub App — actor_id is substituted from 2549081
+      # by render-repo-settings when this template is rendered to repo-settings.yaml.
+      - actor_id: 2549081
+        actor_type: Integration
+        bypass_mode: exempt
+    rules:
+      - type: pull_request
+        # parameters:
+        # Possible additional parameters (commented for repos to opt in):
+        # required_approving_review_count: 0
+        # dismiss_stale_reviews_on_push: false
+        # require_code_owner_review: false
+        # require_last_push_approval: false
+        # required_review_thread_resolution: false
+        # allowed_merge_methods: [merge, squash, rebase]
+
+    # ---- 3. Checks required ----
+    # NOTE: shipped ACTIVE with an empty required_status_checks list — a valid
+    # GitHub config that's a no-op until a repo populates the list. Repos just
+    # add entries under required_status_checks below; no enforcement flip needed.
+    # The org doesn't mandate specific status checks (each repo has its own CI),
+    # which is why the list is empty here.
+    enforcement: active
+  - name: require-checks
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include: ['~DEFAULT_BRANCH']
+        exclude: []
+    bypass_actors:
+      # Repo admins can bypass (always = prompts at push/merge time, not silent exempt).
+      # Repos can add more actors (other teams, integrations).
+      - actor_id: 5
+        actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin
+        bypass_mode: always
+      # automation-nsheaps GitHub App — actor_id is substituted from 2549081
+      # by render-repo-settings when this template is rendered to repo-settings.yaml.
+      - actor_id: 2549081
+        actor_type: Integration
+        bypass_mode: always
+    rules:
+      - type: required_status_checks
+        parameters:
+          strict_required_status_checks_policy: true
+          required_status_checks: [] # ← repos add { context, integration_id } entries
+
+  # ---- 4. Review required — 1 reviewer (active by default) ----
+  - name: require-1-review
+    target: branch
+    # enforcement: 'active'    # uncomment to lock this ruleset on in this repo
+    conditions:
+      ref_name:
+        include: ['~DEFAULT_BRANCH']
+        exclude: []
+    bypass_actors:
+      # Repo admins can bypass (always = prompts at push/merge time, not silent exempt).
+      # Repos can add more actors (other teams, integrations).
+      - actor_id: 5
+        actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin
+        bypass_mode: always
+      # automation-nsheaps GitHub App — actor_id is substituted from 2549081
+      # by render-repo-settings when this template is rendered to repo-settings.yaml.
+      - actor_id: 2549081
+        actor_type: Integration
+        bypass_mode: exempt
+    rules:
+      - type: pull_request
+        parameters:
+          required_approving_review_count: 1
+          dismiss_stale_reviews_on_push: true
+          require_last_push_approval: false
+          required_review_thread_resolution: true
+
+    # ---- 5. Review required — 1 reviewer from CODEOWNERS (disabled by default) ----
+    # NOTE: shipped DISABLED. Repos with a meaningful CODEOWNERS file flip to
+    # `enforcement: active` and likely set `require-1-review.enforcement: disabled`
+    # so the two don't double up.
+    enforcement: active
+  - name: require-codeowner-review
+    target: branch
+    enforcement: disabled
+    # enforcement: 'active'    # uncomment (and remove the disabled line above) to enable
+    conditions:
+      ref_name:
+        include: ['~DEFAULT_BRANCH']
+        exclude: []
+    bypass_actors:
+      # Repo admins can bypass (always = prompts at push/merge time, not silent exempt).
+      # Repos can add more actors (other teams, integrations).
+      - actor_id: 5
+        actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin
+        bypass_mode: always
+      # automation-nsheaps GitHub App — actor_id is substituted from 2549081
+      # by render-repo-settings when this template is rendered to repo-settings.yaml.
+      - actor_id: 2549081
+        actor_type: Integration
+        bypass_mode: exempt
+    rules:
+      - type: pull_request
+        parameters:
+          required_approving_review_count: 1
+          require_code_owner_review: true
+          dismiss_stale_reviews_on_push: true
+          required_review_thread_resolution: true