diff --git a/.github/workflows/safe-settings.yaml b/.github/workflows/safe-settings.yaml
new file mode 100644
index 0000000..3455ec5
--- /dev/null
+++ b/.github/workflows/safe-settings.yaml
@@ -0,0 +1,66 @@
+---
+name: Safe Settings Sync
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ paths:
+ - safe-settings/**
+ - .github/workflows/safe-settings.yaml
+ schedule:
+ - cron: 0 */4 * * *
+ workflow_dispatch: {}
+
+concurrency:
+ cancel-in-progress: true
+ group: >-
+ ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+
+jobs:
+ safe-settings-sync:
+ runs-on: ubuntu-latest
+ env:
+ SAFE_SETTINGS_VERSION: 2.1.14
+ SAFE_SETTINGS_CODE_DIR: .safe-settings-code
+ steps:
+ - name: Checkout source
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+ - name: Checkout GitHub Safe-Settings repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ path: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+ ref: ${{ env.SAFE_SETTINGS_VERSION }}
+ repository: github/safe-settings
+
+ - name: Setup Node.js
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
+ with:
+ cache-dependency-path:
+ ${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json
+ cache: npm
+ node-version-file: ${{ env.SAFE_SETTINGS_CODE_DIR }}/.nvmrc
+
+ - name: Install dependencies
+ run: npm install
+ working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+
+ - name: Run application
+ run: npm run full-sync
+ working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+ env:
+ ADMIN_REPO: .github
+ APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}
+ BLOCK_REPO_RENAME_BY_HUMAN: false
+ CONFIG_PATH: safe-settings
+ DEPLOYMENT_CONFIG_FILE:
+ ${{ github.workspace }}/safe-settings/deployment.yaml
+ ENABLE_PR_COMMENT: true
+ GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
+ GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
+ GITHUB_CLIENT_SECRET:
+ ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}
+ LOG_LEVEL: trace
+ PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
+ SETTINGS_FILE_PATH: organisation.yaml
diff --git a/.renovaterc.json5 b/.renovaterc.json5
new file mode 100644
index 0000000..f34742b
--- /dev/null
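Review bot: In `.github/workflows/safe-settings.yaml`, the `Run application` step receives `PRIVATE_KEY` and `GITHUB_CLIENT_SECRET` yet runs code installed with `npm install` and logs at `LOG_LEVEL: trace`, so the one step holding organisation-level credentials has the loosest settings in the job. `run: npm ci` would install exactly what `package-lock.json` records and fail on drift, and `LOG_LEVEL: info` keeps request-level detail out of the stored run log (log masking covers the registered secrets, not necessarily values derived from them). The same sync also runs on `pull_request`, where `DEPLOYMENT_CONFIG_FILE` is read from the PR checkout before review; consider `if: github.event_name != 'pull_request'` on that step, or a dry-run mode if the pinned release offers one. A top-level `permissions:` block with `contents: read` would stop the job inheriting the repository's default `GITHUB_TOKEN` scopes.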
+++ b/.renovaterc.json5
@@ -0,0 +1,18 @@
+{
+ $schema: "https://docs.renovatebot.com/renovate-schema.json",
+ extends: [
+ "github>UCL-ARC/.github//renovate/default-config.json",
+ ":assignAndReview(paddyroddy)",
+ ":automergeAll",
+ ],
+ customManagers: [
+ {
+ customType: "regex",
+ description: "Update GitHub Safe-Settings version",
+ fileMatch: [".github/workflows/safe-settings.yaml$"],
+ matchStrings: ["SAFE_SETTINGS_VERSION:\\s(?.*)"],
+ depNameTemplate: "github/safe-settings",
+ datasourceTemplate: "github-releases",
+ },
+ ],
+}
diff --git a/safe-settings/README.md b/safe-settings/README.md
new file mode 100644
index 0000000..bfdec86
--- /dev/null
+++ b/safe-settings/README.md
@@ -0,0 +1,4 @@
+# Safe-Settings
+
+See instructions on the [UCL-MIRSG
+repository](https://github.com/UCL-MIRSG/.github/blob/main/safe-settings/README.md).
diff --git a/safe-settings/deployment.yaml b/safe-settings/deployment.yaml
new file mode 100644
index 0000000..3045949
--- /dev/null
+++ b/safe-settings/deployment.yaml
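Review bot: `":automergeAll"` in `.renovaterc.json5` also covers the new `github/safe-settings` custom manager, so a new upstream release would be merged and then executed on `main` with the App private key without anyone reading the changelog. A `packageRules` entry that switches `automerge` off for that one dependency keeps the convenience for everything else. Separately, the capture group in `matchStrings` appears here as `(?.*)`, which is not a valid group; Renovate's regex manager needs a named group such as `(?<currentValue>.*)`, and the name may simply have been lost when this page was rendered, so check the committed file.

```json5
  // … unchanged: $schema, extends, customManagers …
  packageRules: [
    {
      description: "Review Safe-Settings upgrades by hand",
      matchDepNames: ["github/safe-settings"],
      automerge: false,
    },
  ],
```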
@@ -0,0 +1,132 @@
+# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml
+---
+restrictedRepos:
+ # these repos are all archived and will cause the GHA to fail
+ # https://github.com/github/safe-settings/issues/443
+ exclude:
+ - ^2014-11-06-ucl$
+ - ^2015-11-10-UCL_software_carpentry$
+ - ^2016-02-17-UCL_software_carpentry$
+ - ^2016-06-22-UCL_software_carpentry$
+ - ^2016-09-22-UCL_software_carpentry$
+ - ^2016-12-13-UCL_software_carpentry$
+ - ^2017-04-27-UCL_software_carpentry$
+ - ^2017-07-25-UCL_software_carpentry$
+ - ^2017-09-25-UCL_software_carpentry$
+ - ^2017-10-31-UCL_software_carpentry$
+ - ^2017-12-14-UCL_software_carpentry$
+ - ^2018-04-25-UCL_software_carpentry$
+ - ^2018-06-26-UCL_software_carpentry$
+ - ^2018-08-28-UCL_software_carpentry$
+ - ^2018-09-26-UCL_software_carpentry$
+ - ^2018-11-07-UCL_software_carpentry$
+ - ^2019-04-08-UCL_software_carpentry$
+ - ^2019-07-15-UCL_software_carpentry$
+ - ^2019-09-25-UCL_software_carpentry$
+ - ^2019-11-04-UCL_software_carpentry$
+ - ^2020-02-18_UCL_software_carpentry$
+ - ^2020-07-27-UCL_hpc_carpentry$
+ - ^2020-09-30_UCL_software_carpentry$
+ - ^2020-11-25-rslondon$
+ - ^2021-03-09_UCL_software_carpentry$
+ - ^2021-05-17-UCL_hpc_carpentry$
+ - ^2021-07-19-UCL-software-carpentry-online$
+ - ^2021-09-29-ucl-online$
+ - ^2021-11-22-UCL-HPCCarpentry-online$
+ - ^2023-02-13-swc-ucl$
+ - ^201711_ciHPC$
+ - ^A-Team-Roadmap-2017-notes$
+ - ^bash-give$
+ - ^bempp-clientapp$
+ - ^bempp-marketplace$
+ - ^BinaryBlobs-dependencies$
+ - ^black-garlic$
+ - ^CAF_play$
+ - ^ci-helpers$
+ - ^clinician-carpentry-python$
+ - ^CloudLabs$
+ - ^ClusterStats-Gold$
+ - ^CMakeCatchMPI$
+ - ^COVID-19-website$
+ - ^CSB-structural-bio-tools$
+ - ^DashPykpi$
+ - ^data-classification$
+ - ^DeCon-Export$
+ - ^DECOVID-projectmgmt$
+ - ^django-shibboleth-remoteuser$
+ - ^doctoral-programming-intro$
+ - ^emerald_play$
+ - ^exams$
+ - ^ExCALIBUR-HES$
+ - ^friend-group-2020$
+ - ^GeographyTraining$
+ - ^getcwd-autoretry-preload$
+ - ^GFR-calculator$
+ - ^gh-action-docker$
+ - ^gitter-test$
+ - ^gitworkshop$
+ - ^go-ldap$
+ - ^Gold$
+ - ^GridEngine-OpenSSH$
+ - ^hello_ci$
+ - ^hemelb$
+ - ^homebrew-rsdt$
+ - ^homebrew-science$
+ - ^HPC-Acceptance-Tests$
+ - ^icu-dashboard$
+ - ^indigo-dexy$
+ - ^indigo_django$
+ - ^intro-research-prog$
+ - ^intro-to-shell$
+ - ^ipls-workshop$
+ - ^iwos$
+ - ^jekyll-idio$
+ - ^jenkins-hpc-scheduler$
+ - ^jenkins-job-builder-files$
+ - ^keyscan$
+ - ^Legion-Fabric-Scaffold$
+ - ^licenselogparse$
+ - ^marking_tool$
+ - ^MMMHub-SAFE$
+ - ^MPHYG_Exams$
+ - ^OnlineCourses$
+ - ^oracc-corpus$
+ - ^Packaging$
+ - ^parkingSpace$
+ - ^PHAS0100_Caching$
+ - ^PHAS0100_Optimisation$
+ - ^PHAS0100_Profiling$
+ - ^PHAS0100_Sorting$
+ - ^puppeteer-rampart-screenshot$
+ - ^rc-docs$
+ - ^rc_puppet$
+ - ^rcps-intro-training-materials-beamer$
+ - ^rcps-singularity-recipes$
+ - ^research-computing-with-cpp-demo$
+ - ^research-se-python$
+ - ^research-software-teaching$
+ - ^rhel6-install$
+ - ^rhel7-ldap-nfs$
+ - ^rits-reporting$
+ - ^RSD-Dashboard-puppet-module$
+ - ^RSD-Infrastructure$
+ - ^rsd-rag$
+ - ^rsd-sagital_average$
+ - ^rsd-web-resources$
+ - ^rsd_puppet$
+ - ^rsdg-ci-reboot$
+ - ^RSDG_HPC$
+ - ^rse-classwork-2020$
+ - ^sge-to-icinga$
+ - ^sopt$
+ - ^spack4jenkins$
+ - ^spack_packages$
+ - ^SpringDatabaseMultiplexing$
+ - ^tailoredrcstats$
+ - ^test-pages-custom$
+ - ^travis_example$
+ - ^ucl-gtr$
+ - ^ucl-rits.github.io$
+ - ^ucl_reprohack_2020$
+ - ^UsefulModuleFunctions$
+ - ^vetii$
diff --git a/safe-settings/organisation.yaml b/safe-settings/organisation.yaml
new file mode 100644
index 0000000..8f71ea7
--- /dev/null
+++ b/safe-settings/organisation.yaml
@@ -0,0 +1,6 @@
+# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml
+---
+repository:
+ allow_auto_merge: true
+ allow_update_branch: true
+ delete_branch_on_merge: true
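Review bot: The entry `^ucl-rits.github.io$` in `safe-settings/deployment.yaml` leaves its dots unescaped; the `^…$` anchors suggest these entries are regular expressions, in which case each dot matches any character rather than only a literal `.`. In an exclusion list an over-broad pattern means a repository can silently drop out of settings enforcement; `- ^ucl-rits\.github\.io$` matches only the archived repository. Because the list is maintained by hand, a short comment above `exclude:` saying when entries can be removed (for example once the linked issue 443 is resolved upstream) would help keep it from growing unnoticed.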
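Review bot: `allow_auto_merge: true` in `safe-settings/organisation.yaml` is presumably applied as a default to every non-excluded repository, while the only ruleset in this commit, `safe-settings/suborgs/rulesets.yaml`, is entirely commented out, including its `---` marker. As committed, nothing in this configuration enforces the `deletion` and `non_fast_forward` rules, so auto-merge is gated only by whatever protection each repository already has. Either enable the ruleset in the same change or state at the top of `rulesets.yaml` why it is parked, e.g. `# disabled until <reason> - this file currently enforces nothing`.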
diff --git a/safe-settings/suborgs/rulesets.yaml b/safe-settings/suborgs/rulesets.yaml
new file mode 100644
index 0000000..8612e11
--- /dev/null
+++ b/safe-settings/suborgs/rulesets.yaml
@@ -0,0 +1,19 @@
+# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml
+# ---
+# suborgrepos:
+# - "*"
+
+# rulesets:
+# - name: Default
+# target: branch
+# enforcement: active
+
+# conditions:
+# ref_name:
+# include:
+# - ~DEFAULT_BRANCH
+# exclude: []
+
+# rules:
+# - type: deletion
+# - type: non_fast_forward # prevents force pushes