Skip to content

Add GitHub's Safe-Settings app to manage policy as code #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
paddyroddy wants to merge 3 commits into from
Closed

Add GitHub's Safe-Settings app to manage policy as code #4

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
889cc0e
Add Safe-Settings app to manage policy as code
paddyroddy Jan 6, 2025
e8ad820
New line
paddyroddy Jan 6, 2025
662a6da
Point to MIRSG repo
paddyroddy Jan 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 66 additions & 0 deletions .github/workflows/safe-settings.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
---
name: Safe Settings Sync
on:
push:
branches:
- main
pull_request:
paths:
- safe-settings/**
- .github/workflows/safe-settings.yaml
schedule:
- cron: 0 */4 * * *
workflow_dispatch: {}

concurrency:
cancel-in-progress: true
group: >-
${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

jobs:
safe-settings-sync:
runs-on: ubuntu-latest
env:
SAFE_SETTINGS_VERSION: 2.1.14
SAFE_SETTINGS_CODE_DIR: .safe-settings-code
steps:
- name: Checkout source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

- name: Checkout GitHub Safe-Settings repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
path: ${{ env.SAFE_SETTINGS_CODE_DIR }}
ref: ${{ env.SAFE_SETTINGS_VERSION }}
repository: github/safe-settings

- name: Setup Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
cache-dependency-path:
${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json
cache: npm
node-version-file: ${{ env.SAFE_SETTINGS_CODE_DIR }}/.nvmrc

- name: Install dependencies
run: npm install
working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}

- name: Run application
run: npm run full-sync
working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
env:
ADMIN_REPO: .github
APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}
BLOCK_REPO_RENAME_BY_HUMAN: false
CONFIG_PATH: safe-settings
DEPLOYMENT_CONFIG_FILE:
${{ github.workspace }}/safe-settings/deployment.yaml
ENABLE_PR_COMMENT: true
GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
GITHUB_CLIENT_SECRET:
${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}
LOG_LEVEL: trace
PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
SETTINGS_FILE_PATH: organisation.yaml
18 changes: 18 additions & 0 deletions .renovaterc.json5
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
extends: [
"github>UCL-ARC/.github//renovate/default-config.json",
":assignAndReview(paddyroddy)",
":automergeAll",
],
customManagers: [
{
customType: "regex",
description: "Update GitHub Safe-Settings version",
fileMatch: [".github/workflows/safe-settings.yaml$"],
matchStrings: ["SAFE_SETTINGS_VERSION:\\s(?<currentValue>.*)"],
depNameTemplate: "github/safe-settings",
datasourceTemplate: "github-releases",
},
],
}
60 changes: 60 additions & 0 deletions safe-settings/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Safe-Settings
Comment thread
paddyroddy marked this conversation as resolved.

[Safe-Settings](https://github.com/github/safe-settings) is a way to manage
policy-as-code and apply repository settings across the organisation. A
[GitHub App](https://github.com/apps/rits-safe-settings) has been set up which
the [GitHub Action](../.github/workflows/safe-settings.yaml) uses to apply the
settings on a cron schedule. The settings here are a reduced set used in the
[https://github.com/UCL-MIRSG/.github repository](https://github.com/UCL-MIRSG/.github/tree/main/safe-settings).

## Configuration Files

There are four types of settings that can be applied:

- [Deployment](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml)
which defines deployment and runtime settings.
- [Organisation](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml)
which can be used to define org-level settings.
- [Repository](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/repo.yml)
which can be used to define repo-level settings.
- [Suborganisation](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml)
which can be used to define suborganisation-level settings.

Beyond these example configurations one can read more about potential settings
to apply in the
[documentation](https://github.com/github/safe-settings/tree/main-enterprise/docs/github-settings).
The precedence order for configuration is `repository` > `suborganisation` >
`organisation`.

## The Settings in This Repository

### Deployment

The [deployment settings](deployment.yaml) are used to exclude archived
repositories from the Safe-Settings app. This is because these repositories are
read-only and hence cannot be modified. Rather than having the GitHub Action
fail on these repositories, they are excluded from the run.

### Organisation

The [organisation settings](organisation.yaml) are used to define general
repository settings for all repositories across the organisation. These settings
are applied to all repositories unless the precedence order is overridden by the
suborganisation settings (or repository settings).

### Suborganisation

The [suborganisation settings](suborgs/rulesets.yaml) are being used to define
[rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)
for all repositories across the organisation. The `rulesets` available in the
organisation settings are defined for the organisation itself rather than
individual repositories, so they cannot be set via organisation settings. This
hack is done through

```yaml
suborgrepos:
- "*"
```

at the top of the file. Further explanation can be found in the
[Safe-Settings issues](https://github.com/github/safe-settings/issues/553#issuecomment-2552578978).
132 changes: 132 additions & 0 deletions safe-settings/deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml
---
restrictedRepos:
# these repos are all archived and will cause the GHA to fail
# https://github.com/github/safe-settings/issues/443
Comment thread
paddyroddy marked this conversation as resolved.
exclude:
- ^2014-11-06-ucl$
- ^2015-11-10-UCL_software_carpentry$
- ^2016-02-17-UCL_software_carpentry$
- ^2016-06-22-UCL_software_carpentry$
- ^2016-09-22-UCL_software_carpentry$
- ^2016-12-13-UCL_software_carpentry$
- ^2017-04-27-UCL_software_carpentry$
- ^2017-07-25-UCL_software_carpentry$
- ^2017-09-25-UCL_software_carpentry$
- ^2017-10-31-UCL_software_carpentry$
- ^2017-12-14-UCL_software_carpentry$
- ^2018-04-25-UCL_software_carpentry$
- ^2018-06-26-UCL_software_carpentry$
- ^2018-08-28-UCL_software_carpentry$
- ^2018-09-26-UCL_software_carpentry$
- ^2018-11-07-UCL_software_carpentry$
- ^2019-04-08-UCL_software_carpentry$
- ^2019-07-15-UCL_software_carpentry$
- ^2019-09-25-UCL_software_carpentry$
- ^2019-11-04-UCL_software_carpentry$
- ^2020-02-18_UCL_software_carpentry$
- ^2020-07-27-UCL_hpc_carpentry$
- ^2020-09-30_UCL_software_carpentry$
- ^2020-11-25-rslondon$
- ^2021-03-09_UCL_software_carpentry$
- ^2021-05-17-UCL_hpc_carpentry$
- ^2021-07-19-UCL-software-carpentry-online$
- ^2021-09-29-ucl-online$
- ^2021-11-22-UCL-HPCCarpentry-online$
- ^2023-02-13-swc-ucl$
- ^201711_ciHPC$
- ^A-Team-Roadmap-2017-notes$
- ^bash-give$
- ^bempp-clientapp$
- ^bempp-marketplace$
- ^BinaryBlobs-dependencies$
- ^black-garlic$
- ^CAF_play$
- ^ci-helpers$
- ^clinician-carpentry-python$
- ^CloudLabs$
- ^ClusterStats-Gold$
- ^CMakeCatchMPI$
- ^COVID-19-website$
- ^CSB-structural-bio-tools$
- ^DashPykpi$
- ^data-classification$
- ^DeCon-Export$
- ^DECOVID-projectmgmt$
- ^django-shibboleth-remoteuser$
- ^doctoral-programming-intro$
- ^emerald_play$
- ^exams$
- ^ExCALIBUR-HES$
- ^friend-group-2020$
- ^GeographyTraining$
- ^getcwd-autoretry-preload$
- ^GFR-calculator$
- ^gh-action-docker$
- ^gitter-test$
- ^gitworkshop$
- ^go-ldap$
- ^Gold$
- ^GridEngine-OpenSSH$
- ^hello_ci$
- ^hemelb$
- ^homebrew-rsdt$
- ^homebrew-science$
- ^HPC-Acceptance-Tests$
- ^icu-dashboard$
- ^indigo-dexy$
- ^indigo_django$
- ^intro-research-prog$
- ^intro-to-shell$
- ^ipls-workshop$
- ^iwos$
- ^jekyll-idio$
- ^jenkins-hpc-scheduler$
- ^jenkins-job-builder-files$
- ^keyscan$
- ^Legion-Fabric-Scaffold$
- ^licenselogparse$
- ^marking_tool$
- ^MMMHub-SAFE$
- ^MPHYG_Exams$
- ^OnlineCourses$
- ^oracc-corpus$
- ^Packaging$
- ^parkingSpace$
- ^PHAS0100_Caching$
- ^PHAS0100_Optimisation$
- ^PHAS0100_Profiling$
- ^PHAS0100_Sorting$
- ^puppeteer-rampart-screenshot$
- ^rc-docs$
- ^rc_puppet$
- ^rcps-intro-training-materials-beamer$
- ^rcps-singularity-recipes$
- ^research-computing-with-cpp-demo$
- ^research-se-python$
- ^research-software-teaching$
- ^rhel6-install$
- ^rhel7-ldap-nfs$
- ^rits-reporting$
- ^RSD-Dashboard-puppet-module$
- ^RSD-Infrastructure$
- ^rsd-rag$
- ^rsd-sagital_average$
- ^rsd-web-resources$
- ^rsd_puppet$
- ^rsdg-ci-reboot$
- ^RSDG_HPC$
- ^rse-classwork-2020$
- ^sge-to-icinga$
- ^sopt$
- ^spack4jenkins$
- ^spack_packages$
- ^SpringDatabaseMultiplexing$
- ^tailoredrcstats$
- ^test-pages-custom$
- ^travis_example$
- ^ucl-gtr$
- ^ucl-rits.github.io$
- ^ucl_reprohack_2020$
- ^UsefulModuleFunctions$
- ^vetii$
6 changes: 6 additions & 0 deletions safe-settings/organisation.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml
---
repository:
allow_auto_merge: true
allow_update_branch: true
Copy link
Copy Markdown
Collaborator

@samcunliffe samcunliffe Jan 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we switch this to false and block all pushes to all branches?!

Copy link
Copy Markdown
Member Author

@paddyroddy paddyroddy Jan 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is something to discuss in the meeting I proposed. These are not meant to be the be-all and end-all settings.

delete_branch_on_merge: true
19 changes: 19 additions & 0 deletions safe-settings/suborgs/rulesets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml
Copy link
Copy Markdown
Member Author

@paddyroddy paddyroddy Jan 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The downside of the app is things are mutually exclusive. If we are to enable this, it would disable any current rulesets. I've left it here for demonstration purposes.

# ---
# suborgrepos:
# - "*"

# rulesets:
# - name: Default
# target: branch
# enforcement: active

# conditions:
# ref_name:
# include:
# - ~DEFAULT_BRANCH
# exclude: []

# rules:
# - type: deletion
# - type: non_fast_forward # prevents force pushes