UCL-RITS · paddyroddy · Jan 6, 2025 · Jan 6, 2025 · Jan 7, 2025 · samcunliffe
diff --git a/.github/workflows/safe-settings.yaml b/.github/workflows/safe-settings.yaml
@@ -0,0 +1,66 @@
+---
+name: Safe Settings Sync
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - safe-settings/**
+      - .github/workflows/safe-settings.yaml
+  schedule:
+    - cron: 0 */4 * * *
+  workflow_dispatch: {}
+
+concurrency:
+  cancel-in-progress: true
+  group: >-
+    ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+
+jobs:
+  safe-settings-sync:
+    runs-on: ubuntu-latest
+    env:
+      SAFE_SETTINGS_VERSION: 2.1.14
+      SAFE_SETTINGS_CODE_DIR: .safe-settings-code
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Checkout GitHub Safe-Settings repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          path: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+          ref: ${{ env.SAFE_SETTINGS_VERSION }}
+          repository: github/safe-settings
+
+      - name: Setup Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
+        with:
+          cache-dependency-path:
+            ${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json
+          cache: npm
+          node-version-file: ${{ env.SAFE_SETTINGS_CODE_DIR }}/.nvmrc
+
+      - name: Install dependencies
+        run: npm install
+        working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+
+      - name: Run application
+        run: npm run full-sync
+        working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+        env:
+          ADMIN_REPO: .github
+          APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}
+          BLOCK_REPO_RENAME_BY_HUMAN: false
+          CONFIG_PATH: safe-settings
+          DEPLOYMENT_CONFIG_FILE:
+            ${{ github.workspace }}/safe-settings/deployment.yaml
+          ENABLE_PR_COMMENT: true
+          GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
+          GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
+          GITHUB_CLIENT_SECRET:
+            ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}
+          LOG_LEVEL: trace
+          PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
+          SETTINGS_FILE_PATH: organisation.yaml
diff --git a/.renovaterc.json5 b/.renovaterc.json5
@@ -0,0 +1,18 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: [
+    "github>UCL-ARC/.github//renovate/default-config.json",
+    ":assignAndReview(paddyroddy)",
+    ":automergeAll",
+  ],
+    customManagers: [
+    {
+      customType: "regex",
+      description: "Update GitHub Safe-Settings version",
+      fileMatch: [".github/workflows/safe-settings.yaml$"],
+      matchStrings: ["SAFE_SETTINGS_VERSION:\\s(?<currentValue>.*)"],
+      depNameTemplate: "github/safe-settings",
+      datasourceTemplate: "github-releases",
+    },
+  ],
+}
diff --git a/safe-settings/README.md b/safe-settings/README.md
@@ -0,0 +1,4 @@
+# Safe-Settings
+
+See instructions on the [UCL-MIRSG
+repository](https://github.com/UCL-MIRSG/.github/blob/main/safe-settings/README.md).
diff --git a/safe-settings/deployment.yaml b/safe-settings/deployment.yaml
@@ -0,0 +1,132 @@
+# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml
+---
+restrictedRepos:
+  # these repos are all archived and will cause the GHA to fail
+  # https://github.com/github/safe-settings/issues/443
+  exclude:
+  - ^2014-11-06-ucl$
+  - ^2015-11-10-UCL_software_carpentry$
+  - ^2016-02-17-UCL_software_carpentry$
+  - ^2016-06-22-UCL_software_carpentry$
+  - ^2016-09-22-UCL_software_carpentry$
+  - ^2016-12-13-UCL_software_carpentry$
+  - ^2017-04-27-UCL_software_carpentry$
+  - ^2017-07-25-UCL_software_carpentry$
+  - ^2017-09-25-UCL_software_carpentry$
+  - ^2017-10-31-UCL_software_carpentry$
+  - ^2017-12-14-UCL_software_carpentry$
+  - ^2018-04-25-UCL_software_carpentry$
+  - ^2018-06-26-UCL_software_carpentry$
+  - ^2018-08-28-UCL_software_carpentry$
+  - ^2018-09-26-UCL_software_carpentry$
+  - ^2018-11-07-UCL_software_carpentry$
+  - ^2019-04-08-UCL_software_carpentry$
+  - ^2019-07-15-UCL_software_carpentry$
+  - ^2019-09-25-UCL_software_carpentry$
+  - ^2019-11-04-UCL_software_carpentry$
+  - ^2020-02-18_UCL_software_carpentry$
+  - ^2020-07-27-UCL_hpc_carpentry$
+  - ^2020-09-30_UCL_software_carpentry$
+  - ^2020-11-25-rslondon$
+  - ^2021-03-09_UCL_software_carpentry$
+  - ^2021-05-17-UCL_hpc_carpentry$
+  - ^2021-07-19-UCL-software-carpentry-online$
+  - ^2021-09-29-ucl-online$
+  - ^2021-11-22-UCL-HPCCarpentry-online$
+  - ^2023-02-13-swc-ucl$
+  - ^201711_ciHPC$
+  - ^A-Team-Roadmap-2017-notes$
+  - ^bash-give$
+  - ^bempp-clientapp$
+  - ^bempp-marketplace$
+  - ^BinaryBlobs-dependencies$
+  - ^black-garlic$
+  - ^CAF_play$
+  - ^ci-helpers$
+  - ^clinician-carpentry-python$
+  - ^CloudLabs$
+  - ^ClusterStats-Gold$
+  - ^CMakeCatchMPI$
+  - ^COVID-19-website$
+  - ^CSB-structural-bio-tools$
+  - ^DashPykpi$
+  - ^data-classification$
+  - ^DeCon-Export$
+  - ^DECOVID-projectmgmt$
+  - ^django-shibboleth-remoteuser$
+  - ^doctoral-programming-intro$
+  - ^emerald_play$
+  - ^exams$
+  - ^ExCALIBUR-HES$
+  - ^friend-group-2020$
+  - ^GeographyTraining$
+  - ^getcwd-autoretry-preload$
+  - ^GFR-calculator$
+  - ^gh-action-docker$
+  - ^gitter-test$
+  - ^gitworkshop$
+  - ^go-ldap$
+  - ^Gold$
+  - ^GridEngine-OpenSSH$
+  - ^hello_ci$
+  - ^hemelb$
+  - ^homebrew-rsdt$
+  - ^homebrew-science$
+  - ^HPC-Acceptance-Tests$
+  - ^icu-dashboard$
+  - ^indigo-dexy$
+  - ^indigo_django$
+  - ^intro-research-prog$
+  - ^intro-to-shell$
+  - ^ipls-workshop$
+  - ^iwos$
+  - ^jekyll-idio$
+  - ^jenkins-hpc-scheduler$
+  - ^jenkins-job-builder-files$
+  - ^keyscan$
+  - ^Legion-Fabric-Scaffold$
+  - ^licenselogparse$
+  - ^marking_tool$
+  - ^MMMHub-SAFE$
+  - ^MPHYG_Exams$
+  - ^OnlineCourses$
+  - ^oracc-corpus$
+  - ^Packaging$
+  - ^parkingSpace$
+  - ^PHAS0100_Caching$
+  - ^PHAS0100_Optimisation$
+  - ^PHAS0100_Profiling$
+  - ^PHAS0100_Sorting$
+  - ^puppeteer-rampart-screenshot$
+  - ^rc-docs$
+  - ^rc_puppet$
+  - ^rcps-intro-training-materials-beamer$
+  - ^rcps-singularity-recipes$
+  - ^research-computing-with-cpp-demo$
+  - ^research-se-python$
+  - ^research-software-teaching$
+  - ^rhel6-install$
+  - ^rhel7-ldap-nfs$
+  - ^rits-reporting$
+  - ^RSD-Dashboard-puppet-module$
+  - ^RSD-Infrastructure$
+  - ^rsd-rag$
+  - ^rsd-sagital_average$
+  - ^rsd-web-resources$
+  - ^rsd_puppet$
+  - ^rsdg-ci-reboot$
+  - ^RSDG_HPC$
+  - ^rse-classwork-2020$
+  - ^sge-to-icinga$
+  - ^sopt$
+  - ^spack4jenkins$
+  - ^spack_packages$
+  - ^SpringDatabaseMultiplexing$
+  - ^tailoredrcstats$
+  - ^test-pages-custom$
+  - ^travis_example$
+  - ^ucl-gtr$
+  - ^ucl-rits.github.io$
+  - ^ucl_reprohack_2020$
+  - ^UsefulModuleFunctions$
+  - ^vetii$
diff --git a/safe-settings/organisation.yaml b/safe-settings/organisation.yaml
@@ -0,0 +1,6 @@
+# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml
+---
+repository:
+  allow_auto_merge: true
+  allow_update_branch: true
+  delete_branch_on_merge: true
diff --git a/safe-settings/suborgs/rulesets.yaml b/safe-settings/suborgs/rulesets.yaml
@@ -0,0 +1,19 @@
+# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml
+# ---
+# suborgrepos:
+#   - "*"
+
+# rulesets:
+#   - name: Default
+#     target: branch
+#     enforcement: active
+
+#     conditions:
+#       ref_name:
+#         include:
+#           - ~DEFAULT_BRANCH
+#         exclude: []
+
+#     rules:
+#       - type: deletion
+#       - type: non_fast_forward # prevents force pushes