nsheaps · automation-nsheaps · Jun 1, 2026 · Jun 1, 2026
diff --git a/.github/settings.yml b/.github/settings.yml
@@ -0,0 +1,297 @@
+# ----------------------------------------------------------------
+# Auto-merged from nsheaps/.github on every sync.
+#   Source: https://github.com/nsheaps/.github/blob/0196e2385a99a1044673e38119a6b556abe5b955/ansible/config/org-settings.yaml
+# Edits to this file are KEPT on the next sync (deep merge).
+# To remove an org default, delete the key here — it will not come back.
+# ----------------------------------------------------------------
+# ----------------------------------------------------------------
+# Auto-generated from ansible/config/org-settings.yaml. DO NOT EDIT.
+# Edit the template, not this file.
+# Source: https://github.com/nsheaps/.github/blob/0196e2385a99a1044673e38119a6b556abe5b955/ansible/config/org-settings.yaml
+# ----------------------------------------------------------------
+# nsheaps org-wide repository defaults — TEMPLATE
+#
+# This file is the source of truth. It contains ${ENV_VAR} placeholders
+# that get substituted by the sync-org-settings workflow (envsubst),
+# which writes two rendered outputs back to this repo:
+#   - .github/org-settings.yaml      — rendered (no @default hydration)
+#   - .github/default-settings.yaml  — rendered + @default uncommented
+# Edit THIS file for org-wide changes; the rendered outputs are auto-generated.
+#
+# Sync workflow:
+#   https://github.com/nsheaps/.github/blob/main/.github/workflows/sync-org-settings.yaml
+#
+# After rendering, the ansible playbook (sync-org-settings) walks every
+# managed repo and either:
+#   - First-touch (no .github/settings.yml in target) → pushes default-settings.yaml
+#   - Existing target                                 → merges org-settings.yaml in
+#
+# Merger script + tests:
+#   https://github.com/nsheaps/.github/blob/main/scripts/org_settings_merge.py
+#
+# Merge semantics — short version:
+#   - scalars             : target wins (repo's existing value preserved)
+#   - mappings            : recurse
+#   - rulesets[]          : matched by `name`, deep-merged per item
+#   - rulesets[].rules[]  : matched by `type`, deep-merged per item
+#   - bypass_actors[]     : matched by (actor_id, actor_type) — SOURCE wins on scalars
+#   - enforcement omitted : normalized to `active` at write time
+#
+# Do not set per-repo identity (name/description/homepage/topics) here —
+# those belong to each repo.
+#
+# `# @default` convention: lines tagged `# @default` are uncommented ONLY
+# on a repo's FIRST sync (when it has no settings.yml yet). After that the
+# commented source line is invisible to deep-merge, so a later change to
+# the commented value can't accidentally overwrite the repo's value.
+# ----------------------------------------------------------------
+
+# These settings affect the repository itself.
+# See https://docs.github.com/en/rest/repos/repos#update-a-repository
+repository:
+  # NOTE: We deliberately do NOT set `name`, `description`, `homepage`,
+  # or `topics` from the org defaults — those belong to each repo.
+  # Edit them directly in your repo's .github/settings.yml.
+  #
+  # The booleans below are commented with `# @default` — they're set on
+  # this repo's FIRST sync only. After that, your value wins; org changes
+  # to the commented line are invisible to subsequent merges.
+
+  # A short description of the repository that will show up on GitHub
+  # description: ...
+
+  # A URL with more information about the repository
+  # homepage: https://example.github.io/
+
+  # A comma-separated list of topics to set on the repository
+  # topics: ...
+
+  # Either `true` to make the repository private, or `false` to make it public.
+  # NOTE: intentionally not set org-wide — public/private is a per-repo decision.
+  # private: false
+
+  # Either `true` to enable issues for this repository, `false` to disable them.
+  has_issues: true
+
+  # Either `true` to enable projects for this repository, or `false` to disable them.
+  # NOTE: We use org-level projects, not repo-level.
+  has_projects: false
+
+  # Either `true` to enable the wiki for this repository, `false` to disable it.
+  has_wiki: false
+
+  # Either `true` to enable downloads for this repository, `false` to disable them.
+  has_downloads: false
+
+  # Updates the default branch for this repository.
+  default_branch: main
+
+  # Either `true` to allow squash-merging pull requests, or `false` to prevent
+  # squash-merging.
+  allow_squash_merge: true
+
+  # Either `true` to allow merging pull requests with a merge commit, or `false`
+  # to prevent merging pull requests with merge commits.
+  allow_merge_commit: false
+
+  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+  # rebase-merging.
+  allow_rebase_merge: true
+
+  # Either `true` to enable automatic deletion of branches on merge, or `false`
+  # to disable.
+  delete_branch_on_merge: true
+
+  # Either `true` to allow auto-merge on pull requests, or `false` to disallow.
+  allow_auto_merge: true
+
+  # The default value for a squash merge commit title:
+  #   - PR_TITLE            — default to the pull request's title
+  #   - COMMIT_OR_PR_TITLE  — default to the commit's title (if only one commit)
+  #                           or the pull request's title (when more than one commit)
+  squash_merge_commit_title: PR_TITLE
+
+  # The default value for a squash merge commit message:
+  #   - PR_BODY             — default to the pull request's body
+  #   - COMMIT_MESSAGES     — default to the branch's commit messages
+  #   - BLANK               — default to a blank commit message
+  squash_merge_commit_message: PR_BODY
+
+# Labels: managed centrally via .github/labels.yaml + sync-labels workflow.
+# Intentionally omitted here so the two sources don't fight.
+
+# Rulesets — repository-level branch/tag rulesets.
+# Docs: https://github.com/repository-settings/app/blob/master/docs/plugins/rulesets.md
+# API : https://docs.github.com/en/rest/repos/rules
+#
+# enforcement values:
+#   - active    : rules are enforced
+#   - disabled  : ruleset exists but is not enforced (dormant)
+#   - evaluate  : rules are checked and reported but not enforced (preview)
+# NOTE: If `enforcement` is omitted on a ruleset, the sync writer fills it
+# with `active`. Each ruleset below either:
+#   - sets `enforcement: active` (always-on org policy — overriding is discouraged), or
+#   - sets `enforcement: disabled` plus a commented `# enforcement: 'active'`
+#     sibling that a repo can uncomment (and delete the disabled line) to enable, or
+#   - omits `enforcement` and provides a commented `# enforcement: 'active'`
+#     hint that a repo can uncomment to lock the ruleset on explicitly.
+#
+# bypass_actors[].bypass_mode values:
+#   - always       : prompts the user to bypass at push/merge time (GitHub UI default)
+#   - pull_request : bypass only allowed via a PR (push-time bypass blocked)
+# NOTE: omitting bypass_mode lets the merger fill `always`.
+#
+# Every ruleset seeds repo admins (RepositoryRole id 5) as bypass actors so
+# the org doesn't lock admins out. Repos can append more bypass_actors; for
+# the admin entry itself, source-wins (you can't silently widen admin bypass
+# to `always` if the org set `pull_request`).
+rulesets:
+  # ---- 1. No delete / no force-push on the default branch ----
+  - name: protect-default-branch
+    target: branch
+    enforcement: active # always enforced — overriding this is discouraged
+    conditions:
+      ref_name:
+        include:
+          - '~DEFAULT_BRANCH' # special selector: whatever the default branch is
+        exclude: []
+    bypass_actors:
+      # Repo admins can bypass (always = prompts at push/merge time, not silent exempt).
+      # Repos can add more actors (other teams, integrations).
+      - actor_id: 5
+        actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin
+        bypass_mode: always
+      # automation-nsheaps GitHub App — actor_id is substituted from 2549081
+      # by sync-org-settings when this template is rendered to org-settings.yaml.
+      - actor_id: 2549081
+        actor_type: Integration
+        bypass_mode: always
+    rules:
+      - type: deletion # block branch deletion
+      - type: non_fast_forward # block force-push
+
+  # ---- 2. PR required (0 reviews) ----
+  - name: require-pr
+    target: branch
+    enforcement: 'active' # uncomment to lock this ruleset on in this repo
+    conditions:
+      ref_name:
+        include: ['~DEFAULT_BRANCH']
+        exclude: []
+    bypass_actors:
+      # Repo admins can bypass (always = prompts at push/merge time, not silent exempt).
+      # Repos can add more actors (other teams, integrations).
+      - actor_id: 5
+        actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin
+        bypass_mode: always
+      # automation-nsheaps GitHub App — actor_id is substituted from 2549081
+      # by sync-org-settings when this template is rendered to org-settings.yaml.
+      - actor_id: 2549081
+        actor_type: Integration
+        bypass_mode: exempt
+    rules:
+      - type: pull_request
+        # parameters:
+        # Possible additional parameters (commented for repos to opt in)
+        # required_approving_review_count: 1
+        # dismiss_stale_reviews_on_push: false
+        # require_code_owner_review: false
+        # require_last_push_approval: false
+        # required_review_thread_resolution: false
+        # allowed_merge_methods: [merge, squash, rebase]
+
+  # ---- 3. Review required — 1 reviewer (active by default) ----
+  - name: require-1-review
+    target: branch
+    enforcement: disabled
+    # enforcement: 'active'
+    conditions:
+      ref_name:
+        include: ['~DEFAULT_BRANCH']
+        exclude: []
+    bypass_actors:
+      # Repo admins can bypass (always = prompts at push/merge time, not silent exempt).
+      # Repos can add more actors (other teams, integrations).
+      - actor_id: 5
+        actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin
+        bypass_mode: always
+      # automation-nsheaps GitHub App — actor_id is substituted from 2549081
+      # by sync-org-settings when this template is rendered to org-settings.yaml.
+      - actor_id: 2549081
+        actor_type: Integration
+        bypass_mode: exempt
+    rules:
+      - type: pull_request
+        parameters:
+          required_approving_review_count: 1
+
+  # ---- 4. Checks required ----
+  # NOTE: shipped ACTIVE. The required_status_checks list seeds an org-wide
+  # lint check (GitHub Actions App, context "lint") so every managed repo
+  # gates merges on a workflow named `lint`. Repos that don't yet have one
+  # should add `.github/workflows/lint.yaml` (or have it synced in via
+  # sync-files); per-repo additional checks go in this same list.
+  # GitHub App IDs in `integration_id`:
+  #   15368   = github-actions[bot] (workflows running on GitHub Actions)
+  # This is commented because not every repo has a lint workflow but they should
+  # When this is copied, so is the comment, and they can then uncomment as needed.
+  # In the long term, we should try to keep build/test/format/lint consistent between all repos
+  # - name: require-checks
+  #   target: branch
+  #   enforcement: active
+  #   conditions:
+  #     ref_name:
+  #       include: ["~DEFAULT_BRANCH"]
+  #       exclude: []
+  #   bypass_actors:
+  #     # Repo admins can bypass (always = prompts at push/merge time, not silent exempt).
+  #     # Repos can add more actors (other teams, integrations).
+  #     - actor_id: 5
+  #       actor_type: RepositoryRole   # 1=read 2=triage 3=write 4=maintain 5=admin
+  #       bypass_mode: always
+  #     # automation-nsheaps GitHub App — actor_id is substituted from 2549081
+  #     # by sync-org-settings when this template is rendered to org-settings.yaml.
+  #     - actor_id: 2549081
+  #       actor_type: Integration
+  #       bypass_mode: always
+  #   rules:
+  #     - type: required_status_checks
+  #       parameters:
+  #         strict_required_status_checks_policy: false
+  #         required_status_checks:
+  #           # Org-wide: a workflow named `lint` must pass. Repos that don't
+  #           # have one yet should add .github/workflows/lint.yaml (or sync the
+  #           # canonical one in). Repos add more entries below for their own CI.
+  #           - context: lint
+  #             integration_id: 15368   # github-actions[bot]
+
+  # ---- 5. Review required — 1 reviewer from CODEOWNERS (disabled by default) ----
+  # NOTE: shipped DISABLED. Repos with a meaningful CODEOWNERS file flip to
+  # `enforcement: active` and likely set `require-1-review.enforcement: disabled`
+  # so the two don't double up.
+  - name: require-codeowner-review
+    target: branch
+    enforcement: disabled
+    # enforcement: 'active'    # uncomment (and remove the disabled line above) to enable
+    conditions:
+      ref_name:
+        include: ['~DEFAULT_BRANCH']
+        exclude: []
+    bypass_actors:
+      # Repo admins can bypass (always = prompts at push/merge time, not silent exempt).
+      # Repos can add more actors (other teams, integrations).
+      - actor_id: 5
+        actor_type: RepositoryRole # 1=read 2=triage 3=write 4=maintain 5=admin
+        bypass_mode: always
+      # automation-nsheaps GitHub App — actor_id is substituted from 2549081
+      # by sync-org-settings when this template is rendered to org-settings.yaml.
+      - actor_id: 2549081
+        actor_type: Integration
+        bypass_mode: exempt
+    rules:
+      - type: pull_request
+        parameters:
+          required_approving_review_count: 1
+          require_code_owner_review: true
+          dismiss_stale_reviews_on_push: true
+          required_review_thread_resolution: true