From 889cc0e750d982ecf5fc52b9fb4b85f77cb2b5e4 Mon Sep 17 00:00:00 2001 From: "Patrick J. Roddy" Date: Mon, 6 Jan 2025 16:34:34 +0000 Subject: [PATCH 1/3] Add Safe-Settings app to manage policy as code --- .github/workflows/safe-settings.yaml | 66 ++++++++++++++ .renovaterc.json5 | 18 ++++ safe-settings/README.md | 60 ++++++++++++ safe-settings/deployment.yaml | 132 +++++++++++++++++++++++++++ safe-settings/organisation.yaml | 6 ++ safe-settings/suborgs/rulesets.yaml | 19 ++++ 6 files changed, 301 insertions(+) create mode 100644 .github/workflows/safe-settings.yaml create mode 100644 .renovaterc.json5 create mode 100644 safe-settings/README.md create mode 100644 safe-settings/deployment.yaml create mode 100644 safe-settings/organisation.yaml create mode 100644 safe-settings/suborgs/rulesets.yaml diff --git a/.github/workflows/safe-settings.yaml b/.github/workflows/safe-settings.yaml new file mode 100644 index 0000000..3455ec5 --- /dev/null +++ b/.github/workflows/safe-settings.yaml 
@@ -0,0 +1,66 @@ +--- +name: Safe Settings Sync +on: + push: + branches: + - main + pull_request: + paths: + - safe-settings/** + - .github/workflows/safe-settings.yaml + schedule: + - cron: 0 */4 * * * + workflow_dispatch: {} + +concurrency: + cancel-in-progress: true + group: >- + ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + +jobs: + safe-settings-sync: + runs-on: ubuntu-latest + env: + SAFE_SETTINGS_VERSION: 2.1.14 + SAFE_SETTINGS_CODE_DIR: .safe-settings-code + steps: + - name: Checkout source + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + + - name: Checkout GitHub Safe-Settings repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + path: ${{ env.SAFE_SETTINGS_CODE_DIR }} + ref: ${{ env.SAFE_SETTINGS_VERSION }} + repository: github/safe-settings + + - name: Setup Node.js + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4 + with: + cache-dependency-path: + ${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json + cache: npm + node-version-file: ${{ env.SAFE_SETTINGS_CODE_DIR }}/.nvmrc + + - name: Install dependencies + run: npm install + working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }} + + - name: Run application + run: npm run full-sync + working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }} + env: + ADMIN_REPO: .github + APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }} + BLOCK_REPO_RENAME_BY_HUMAN: false + CONFIG_PATH: safe-settings + DEPLOYMENT_CONFIG_FILE: + ${{ github.workspace }}/safe-settings/deployment.yaml + ENABLE_PR_COMMENT: true + GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }} + GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }} + GITHUB_CLIENT_SECRET: + ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }} + LOG_LEVEL: trace + PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }} + SETTINGS_FILE_PATH: organisation.yaml diff --git a/.renovaterc.json5 b/.renovaterc.json5 new file mode 100644 index 0000000..ed4ad9d --- /dev/null 
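Review bot: `LOG_LEVEL: trace` in the `Run application` step runs the sync at its most verbose level in a workflow whose logs GitHub retains; only values passed through the `secrets` context are masked, so anything the app itself logs at trace (request payloads, tokens it obtains at runtime) would appear in clear — `LOG_LEVEL: info` for the scheduled runs, raised only for a manual `workflow_dispatch` debug, is safer. The workflow sets no `permissions:` key, so the job receives the default `GITHUB_TOKEN` scope even though it authenticates with the App's `PRIVATE_KEY`; a top-level `permissions:` / `  contents: read` makes the least-privilege intent explicit. The `Install dependencies` step uses `npm install`, which may re-resolve versions; since the cache is keyed on `package-lock.json`, `run: npm ci` installs exactly the locked tree. The Safe-Settings checkout uses `ref: ${{ env.SAFE_SETTINGS_VERSION }}`, a tag that can be moved upstream, unlike the SHA-pinned action references beside it — acceptable if the Renovate manager is the intended control, but worth a comment on that line.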
+++ b/.renovaterc.json5 @@ -0,0 +1,18 @@ +{ + $schema: "https://docs.renovatebot.com/renovate-schema.json", + extends: [ + "github>UCL-ARC/.github//renovate/default-config.json", + ":assignAndReview(paddyroddy)", + ":automergeAll", + ], + customManagers: [ + { + customType: "regex", + description: "Update GitHub Safe-Settings version", + fileMatch: [".github/workflows/safe-settings.yaml$"], + matchStrings: ["SAFE_SETTINGS_VERSION:\\s(?.*)"], + depNameTemplate: "github/safe-settings", + datasourceTemplate: "github-releases", + }, + ], +} \ No newline at end of file diff --git a/safe-settings/README.md b/safe-settings/README.md new file mode 100644 index 0000000..2efb13b --- /dev/null +++ b/safe-settings/README.md 
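Review bot: The custom manager's `matchStrings` entry reads `SAFE_SETTINGS_VERSION:\\s(?.*)` in the hunk, and that group carries no name; Renovate needs a `(?<currentValue>...)` capture to know what to update, so either the name was lost in rendering or the manager will never match — worth confirming with the config validator. The `.*` also captures to end of line, so a trailing comment on that workflow line would be taken as the version; `(?<currentValue>\\S+)` is tighter. Separately, `:automergeAll` means a bump to the Safe-Settings tag that the workflow checks out and runs with the App's private key is merged without human review; if that is not intended for this dependency, a `packageRules` entry with `automerge: false` for `github/safe-settings` would carve it out.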
@@ -0,0 +1,60 @@ +# Safe-Settings + +[Safe-Settings](https://github.com/github/safe-settings) is a way to manage +policy-as-code and apply repository settings across the organisation. A +[GitHub App](https://github.com/apps/rits-safe-settings) has been set up which +the [GitHub Action](../.github/workflows/safe-settings.yaml) uses to apply the +settings on a cron schedule. The settings here are a reduced set used in the +[https://github.com/UCL-MIRSG/.github repository](https://github.com/UCL-MIRSG/.github/tree/main/safe-settings). + +## Configuration Files + +There are four types of settings that can be applied: + +- [Deployment](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml) + which defines deployment and runtime settings. +- [Organisation](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml) + which can be used to define org-level settings. +- [Repository](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/repo.yml) + which can be used to define repo-level settings. +- [Suborganisation](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml) + which can be used to define suborganisation-level settings. + +Beyond these example configurations one can read more about potential settings +to apply in the +[documentation](https://github.com/github/safe-settings/tree/main-enterprise/docs/github-settings). +The precedence order for configuration is `repository` > `suborganisation` > +`organisation`. + +## The Settings in This Repository + +### Deployment + +The [deployment settings](deployment.yaml) are used to exclude archived +repositories from the Safe-Settings app. This is because these repositories are +read-only and hence cannot be modified. Rather than having the GitHub Action +fail on these repositories, they are excluded from the run. 
+ +### Organisation + +The [organisation settings](organisation.yaml) are used to define general +repository settings for all repositories across the organisation. These settings +are applied to all repositories unless the precedence order is overridden by the +suborganisation settings (or repository settings). + +### Suborganisation + +The [suborganisation settings](suborgs/rulesets.yaml) are being used to define +[rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) +for all repositories across the organisation. The `rulesets` available in the +organisation settings are defined for the organisation itself rather than +individual repositories, so they cannot be set via organisation settings. This +hack is done through + +```yaml +suborgrepos: + - "*" +``` + +at the top of the file. Further explanation can be found in the +[Safe-Settings issues](https://github.com/github/safe-settings/issues/553#issuecomment-2552578978). diff --git a/safe-settings/deployment.yaml b/safe-settings/deployment.yaml new file mode 100644 index 0000000..3045949 --- /dev/null +++ b/safe-settings/deployment.yaml 
@@ -0,0 +1,132 @@ +# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml +--- +restrictedRepos: + # these repos are all archived and will cause the GHA to fail + # https://github.com/github/safe-settings/issues/443 + exclude: + - ^2014-11-06-ucl$ + - ^2015-11-10-UCL_software_carpentry$ + - ^2016-02-17-UCL_software_carpentry$ + - ^2016-06-22-UCL_software_carpentry$ + - ^2016-09-22-UCL_software_carpentry$ + - ^2016-12-13-UCL_software_carpentry$ + - ^2017-04-27-UCL_software_carpentry$ + - ^2017-07-25-UCL_software_carpentry$ + - ^2017-09-25-UCL_software_carpentry$ + - ^2017-10-31-UCL_software_carpentry$ + - ^2017-12-14-UCL_software_carpentry$ + - ^2018-04-25-UCL_software_carpentry$ + - ^2018-06-26-UCL_software_carpentry$ + - ^2018-08-28-UCL_software_carpentry$ + - ^2018-09-26-UCL_software_carpentry$ + - ^2018-11-07-UCL_software_carpentry$ + - ^2019-04-08-UCL_software_carpentry$ + - ^2019-07-15-UCL_software_carpentry$ + - ^2019-09-25-UCL_software_carpentry$ + - ^2019-11-04-UCL_software_carpentry$ + - ^2020-02-18_UCL_software_carpentry$ + - ^2020-07-27-UCL_hpc_carpentry$ + - ^2020-09-30_UCL_software_carpentry$ + - ^2020-11-25-rslondon$ + - ^2021-03-09_UCL_software_carpentry$ + - ^2021-05-17-UCL_hpc_carpentry$ + - ^2021-07-19-UCL-software-carpentry-online$ + - ^2021-09-29-ucl-online$ + - ^2021-11-22-UCL-HPCCarpentry-online$ + - ^2023-02-13-swc-ucl$ + - ^201711_ciHPC$ + - ^A-Team-Roadmap-2017-notes$ + - ^bash-give$ + - ^bempp-clientapp$ + - ^bempp-marketplace$ + - ^BinaryBlobs-dependencies$ + - ^black-garlic$ + - ^CAF_play$ + - ^ci-helpers$ + - ^clinician-carpentry-python$ + - ^CloudLabs$ + - ^ClusterStats-Gold$ + - ^CMakeCatchMPI$ + - ^COVID-19-website$ + - ^CSB-structural-bio-tools$ + - ^DashPykpi$ + - ^data-classification$ + - ^DeCon-Export$ + - ^DECOVID-projectmgmt$ + - ^django-shibboleth-remoteuser$ + - ^doctoral-programming-intro$ + - ^emerald_play$ + - ^exams$ + - ^ExCALIBUR-HES$ + - ^friend-group-2020$ + 
- ^GeographyTraining$ + - ^getcwd-autoretry-preload$ + - ^GFR-calculator$ + - ^gh-action-docker$ + - ^gitter-test$ + - ^gitworkshop$ + - ^go-ldap$ + - ^Gold$ + - ^GridEngine-OpenSSH$ + - ^hello_ci$ + - ^hemelb$ + - ^homebrew-rsdt$ + - ^homebrew-science$ + - ^HPC-Acceptance-Tests$ + - ^icu-dashboard$ + - ^indigo-dexy$ + - ^indigo_django$ + - ^intro-research-prog$ + - ^intro-to-shell$ + - ^ipls-workshop$ + - ^iwos$ + - ^jekyll-idio$ + - ^jenkins-hpc-scheduler$ + - ^jenkins-job-builder-files$ + - ^keyscan$ + - ^Legion-Fabric-Scaffold$ + - ^licenselogparse$ + - ^marking_tool$ + - ^MMMHub-SAFE$ + - ^MPHYG_Exams$ + - ^OnlineCourses$ + - ^oracc-corpus$ + - ^Packaging$ + - ^parkingSpace$ + - ^PHAS0100_Caching$ + - ^PHAS0100_Optimisation$ + - ^PHAS0100_Profiling$ + - ^PHAS0100_Sorting$ + - ^puppeteer-rampart-screenshot$ + - ^rc-docs$ + - ^rc_puppet$ + - ^rcps-intro-training-materials-beamer$ + - ^rcps-singularity-recipes$ + - ^research-computing-with-cpp-demo$ + - ^research-se-python$ + - ^research-software-teaching$ + - ^rhel6-install$ + - ^rhel7-ldap-nfs$ + - ^rits-reporting$ + - ^RSD-Dashboard-puppet-module$ + - ^RSD-Infrastructure$ + - ^rsd-rag$ + - ^rsd-sagital_average$ + - ^rsd-web-resources$ + - ^rsd_puppet$ + - ^rsdg-ci-reboot$ + - ^RSDG_HPC$ + - ^rse-classwork-2020$ + - ^sge-to-icinga$ + - ^sopt$ + - ^spack4jenkins$ + - ^spack_packages$ + - ^SpringDatabaseMultiplexing$ + - ^tailoredrcstats$ + - ^test-pages-custom$ + - ^travis_example$ + - ^ucl-gtr$ + - ^ucl-rits.github.io$ + - ^ucl_reprohack_2020$ + - ^UsefulModuleFunctions$ + - ^vetii$ diff --git a/safe-settings/organisation.yaml b/safe-settings/organisation.yaml new file mode 100644 index 0000000..8f71ea7 --- /dev/null +++ b/safe-settings/organisation.yaml @@ -0,0 +1,6 @@ +# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml +--- +repository: + allow_auto_merge: true + allow_update_branch: true + delete_branch_on_merge: true 
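Review bot: In `restrictedRepos.exclude`, `^ucl-rits.github.io$` leaves its dots unescaped, so it matches any character in those two positions rather than the literal name; `^ucl-rits\.github\.io$` gives the exact match the anchors on the rest of the list are aiming for. Every entry here is a repository Safe-Settings skips entirely, so a comment above `exclude:` stating that entries must be archived repos and are to be removed when un-archived would stop the list from quietly becoming an enforcement gap.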
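Review bot: `allow_auto_merge: true` is applied org-wide to every repository the App reaches, while the only ruleset shipped with this change (`safe-settings/suborgs/rulesets.yaml`) is fully commented out, so nothing in this commit requires a review before an auto-merge fires; in repositories whose protection rules require only status checks, a PR will merge with no human approval. If that is intended, a comment above the key recording the decision would help the next reader; otherwise pair it with a ruleset carrying a `pull_request` rule with `required_approving_review_count` set.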
diff --git a/safe-settings/suborgs/rulesets.yaml b/safe-settings/suborgs/rulesets.yaml new file mode 100644 index 0000000..8612e11 --- /dev/null +++ b/safe-settings/suborgs/rulesets.yaml @@ -0,0 +1,19 @@ +# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml +# --- +# suborgrepos: +# - "*" + +# rulesets: +# - name: Default +# target: branch +# enforcement: active + +# conditions: +# ref_name: +# include: +# - ~DEFAULT_BRANCH +# exclude: [] + +# rules: +# - type: deletion +# - type: non_fast_forward # prevents force pushes From e8ad820eac5f676e811aca55c1f545a0fafab6fd Mon Sep 17 00:00:00 2001 From: "Patrick J. Roddy" Date: Mon, 6 Jan 2025 16:38:05 +0000 Subject: [PATCH 2/3] New line --- .renovaterc.json5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.renovaterc.json5 b/.renovaterc.json5 index ed4ad9d..f34742b 100644 --- a/.renovaterc.json5 +++ b/.renovaterc.json5 @@ -15,4 +15,4 @@ datasourceTemplate: "github-releases", }, ], -} \ No newline at end of file +} From 662a6da963578195c1fcd48bb31d4c5eee0bdbd9 Mon Sep 17 00:00:00 2001 From: "Patrick J. Roddy" Date: Tue, 7 Jan 2025 12:33:28 +0000 Subject: [PATCH 3/3] Point to MIRSG repo --- safe-settings/README.md | 60 ++--------------------------------------- 1 file changed, 2 insertions(+), 58 deletions(-) diff --git a/safe-settings/README.md b/safe-settings/README.md index 2efb13b..bfdec86 100644 --- a/safe-settings/README.md +++ b/safe-settings/README.md 
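Review bot: Every line of `rulesets.yaml` after the reference URL is commented out, including `# suborgrepos:` and `# rulesets:`, so the file defines no ruleset and the `deletion` and `non_fast_forward` protections it describes are not enforced anywhere. Either uncomment the block or add a comment at the top stating why it is disabled and what gates re-enabling it, e.g. `# Disabled pending <TODO: reason>; see README for the suborgrepos "*" approach`. As written, Safe-Settings presumably sees an empty document for this suborg; whether it treats that as "no settings" or as an error is worth confirming in a dry run before the scheduled job relies on it.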
@@ -1,60 +1,4 @@ # Safe-Settings -[Safe-Settings](https://github.com/github/safe-settings) is a way to manage -policy-as-code and apply repository settings across the organisation. A -[GitHub App](https://github.com/apps/rits-safe-settings) has been set up which -the [GitHub Action](../.github/workflows/safe-settings.yaml) uses to apply the -settings on a cron schedule. The settings here are a reduced set used in the -[https://github.com/UCL-MIRSG/.github repository](https://github.com/UCL-MIRSG/.github/tree/main/safe-settings). - -## Configuration Files - -There are four types of settings that can be applied: - -- [Deployment](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml) - which defines deployment and runtime settings. -- [Organisation](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml) - which can be used to define org-level settings. -- [Repository](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/repo.yml) - which can be used to define repo-level settings. -- [Suborganisation](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml) - which can be used to define suborganisation-level settings. - -Beyond these example configurations one can read more about potential settings -to apply in the -[documentation](https://github.com/github/safe-settings/tree/main-enterprise/docs/github-settings). -The precedence order for configuration is `repository` > `suborganisation` > -`organisation`. - -## The Settings in This Repository - -### Deployment - -The [deployment settings](deployment.yaml) are used to exclude archived -repositories from the Safe-Settings app. This is because these repositories are -read-only and hence cannot be modified. Rather than having the GitHub Action -fail on these repositories, they are excluded from the run. 
- -### Organisation - -The [organisation settings](organisation.yaml) are used to define general -repository settings for all repositories across the organisation. These settings -are applied to all repositories unless the precedence order is overridden by the -suborganisation settings (or repository settings). - -### Suborganisation - -The [suborganisation settings](suborgs/rulesets.yaml) are being used to define -[rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) -for all repositories across the organisation. The `rulesets` available in the -organisation settings are defined for the organisation itself rather than -individual repositories, so they cannot be set via organisation settings. This -hack is done through - -```yaml -suborgrepos: - - "*" -``` - -at the top of the file. Further explanation can be found in the -[Safe-Settings issues](https://github.com/github/safe-settings/issues/553#issuecomment-2552578978). +See instructions on the [UCL-MIRSG +repository](https://github.com/UCL-MIRSG/.github/blob/main/safe-settings/README.md).