Merge branch 'main-enterprise' into pull-request-full-context

Author: decyjphr

.github/workflows/create-pre-release.yml

@@ -50,15 +50,15 @@ jobs:
           cache: 'npm'
       - run: npm install
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
       - name: Log in to the Container registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image Locally
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
         with:
           context: .
           file: ./Dockerfile
@@ -85,7 +85,7 @@ jobs:
           commitish: ${{ github.ref }}
       - name: Push Docker Image
         if: ${{ success() }}
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
         with:
           context: .
           file: ./Dockerfile

.github/workflows/create-release.yml

@@ -28,15 +28,15 @@ jobs:
           cache: "npm"
       - run: npm install
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
       - name: Log in to the Container registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image Locally
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
         with:
           context: .
           file: ./Dockerfile
@@ -59,7 +59,7 @@ jobs:
           bump: final
       - name: Push Docker Image
         if: ${{ success() }}
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
         with:
           context: .
           file: ./Dockerfile

.github/workflows/rc-release.yml

@@ -68,15 +68,15 @@ jobs:
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
       - name: Build and push Docker image
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
         with:
           context: .
           push: true

README.md

@@ -30,7 +30,6 @@
 > [!NOTE]
 > The `suborg` and `repo` level settings directory structure cannot be customized.
 >
-> Settings files must have a `.yml` extension only. For now, the `.yaml` extension is ignored.
 
 
 ## How it works

docs/github-action.md

@@ -38,13 +38,13 @@ jobs:
       - uses: actions/checkout@v4
         with:
           repository: github/safe-settings
-          ref: $SAFE_SETTINGS_VERSION
-          path: $SAFE_SETTINGS_CODE_DIR
+          ref: ${{ env.SAFE_SETTINGS_VERSION }}
+          path: ${{ env.SAFE_SETTINGS_CODE_DIR }}
       - uses: actions/setup-node@v4
       - run: npm install
-        working-directory: $SAFE_SETTINGS_CODE_DIR
+        working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
       - run: npm run full-sync
-        working-directory: $SAFE_SETTINGS_CODE_DIR
+        working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
         env:
           GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
           APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}

docs/github-settings/6. deployment-environments.md

@@ -27,10 +27,14 @@ environments:
       - type: User
         id: 139262123
     deployment_branch_policy:
-      protected_branches: true
-      custom_branch_policies: false
+      protected_branches: false
+      custom_branch_policies:
+        - names: ['main','dev']
+          type: branch
+        - names: ['v*.*.*']
+          type: tag
     deployment_protection_rules:
-      - app_id: 25112  
+      - app_id: 25112
     variables:
       - name: MY_AWESOME_VAR
         value: '845705'
@@ -43,7 +47,8 @@ environments:
 >[!TIP]
 >GitHub's API documentation defines these inputs and types:
 >1. [Create or update an environment](https://docs.github.com/en/rest/deployments/environments?apiVersion=2022-11-28#create-or-update-an-environment)
->2. [Create an environment variable](https://docs.github.com/en/rest/actions/variables?apiVersion=2022-11-28#create-an-environment-variable)
+>2. [Create a deployment branch policy](https://docs.github.com/en/rest/deployments/branch-policies?apiVersion=2022-11-28#create-a-deployment-branch-policy)
+>3. [Create an environment variable](https://docs.github.com/en/rest/actions/variables?apiVersion=2022-11-28#create-an-environment-variable)
 
 <table>
 <tr><td>
@@ -126,11 +131,11 @@ environments:
 
 <details><summary>Properties of <code>deployment_branch_policy</code></summary>
 <br>
-<p>&emsp;<code>protected_branches</code><span style="color:gray;">&emsp;<i>string</i>&emsp;</span><span style="color:orange;">${\text{\color{orange}Required}}$</span></p>
-<p>&emsp;&emsp;Whether only branches with branch protection rules can deploy<br>&emsp;&emsp;to this environment. If <code>protected_branches</code> is <code>true</code>,<br>&emsp;&emsp;<code>custom_branch_policies</code> must be <code>false</code>; if <code>protected_branches</code><br>&emsp;&emsp;is <code>false</code>, <code>custom_branch_policies</code> must be <code>true</code>.</p>
+<p>&emsp;<code>protected_branches</code><span style="color:gray;">&emsp;<i>boolean</i>&emsp;</span><span style="color:orange;">${\text{\color{orange}Required}}$</span></p>
+<p>&emsp;&emsp;Whether only branches with branch protection rules can deploy<br>&emsp;&emsp;to this environment. If <code>protected_branches</code> is <code>true</code>,<br>&emsp;&emsp;<code>custom_branch_policies</code> must be <code>false</code>; if <code>protected_branches</code><br>&emsp;&emsp;is <code>false</code>, <code>custom_branch_policies</code> must be an object.</p>
 
-<p>&emsp;<code>id</code><span style="color:gray;">&emsp;<i>integer</i>&emsp;</span></p>
-<p>&emsp;&emsp;Whether only branches that match the specified name patterns<br>&emsp;&emsp;can deploy to this environment. If <code>custom_branch_policies</code><br>&emsp;&emsp;is <code>true</code>, <code>protected_branches</code> must be <code>false</code>; if<br>&emsp;&emsp;<code>custom_branch_policies</code> is <code>false</code>, <code>protected_branches</code><br>&emsp;&emsp;must be <code>true</code>.</p>
+<p>&emsp;<code>custom_branch_policies</code><span style="color:gray;">&emsp;<i>boolean or object</i>&emsp;</span></p>
+<p>&emsp;&emsp;Whether only branches that match the specified name patterns<br>&emsp;&emsp;can deploy to this environment. If <code>custom_branch_policies</code><br>&emsp;&emsp;is <code>false</code>, <code>protected_branches</code> must be <code>true</code>; if<br>&emsp;&emsp;<code>custom_branch_policies</code> is an object, <code>protected_branches</code><br>&emsp;&emsp;must be <code>false</code>.</p>
 
 </details>
 
@@ -142,8 +147,12 @@ environments:
   - name: production
     ...
     deployment_branch_policy:
-      protected_branches: true
-      custom_branch_policies: false
+      protected_branches: false
+      custom_branch_policies:
+        - names: ['main','dev']
+          type: branch
+        - names: ['v*.*.*']
+          type: tag
 ...
 ```
 

docs/github-settings/README.md

@@ -9,4 +9,5 @@
 | Configure branch protection rules | [Branch Protection](5.%20branch-protection.md) |
 | Configure deployment environments | [Deployment Environments](6.%20deployment-environments.md) |
 | Configure auto-link references | [AutoLinks](7.%20autolinks.md) |
-| Configure pre-defined labels for issues and pull requests | [Labels](8.%20labels.md) |
+| Configure pre-defined labels for issues and pull requests | [Labels](8.%20labels.md) |
+

full-sync.js

@@ -1,19 +1,28 @@
-const { createProbot } = require('probot')
 const appFn = require('./')
+const { FULL_SYNC_NOP } = require('./lib/env')
+const { createProbot } = require('probot')
+
+async function performFullSync (appFn, nop) {
+  const probot = createProbot()
+  probot.log.info(`Starting full sync with NOP=${nop}`)
 
-const probot = createProbot()
-probot.log.info('Starting full sync.')
-const app = appFn(probot, {})
-app.syncInstallation()
-  .then(settings => {
-    if (settings.errors.length > 0) {
+  try {
+    const app = appFn(probot, {})
+    const settings = await app.syncInstallation(nop)
+
+    if (settings.errors && settings.errors.length > 0) {
       probot.log.error('Errors occurred during full sync.')
       process.exit(1)
-    } else {
-      probot.log.info('Done with full sync.')
     }
-  })
-  .catch(error => {
+
+    probot.log.info('Full sync completed successfully.')
+  } catch (error) {
     process.stdout.write(`Unexpected error during full sync: ${error}\n`)
     process.exit(1)
-  })
+  }
+}
+
+performFullSync(appFn, FULL_SYNC_NOP).catch((error) => {
+  console.error('Fatal error during full sync:', error)
+  process.exit(1)
+})

index.js

@@ -28,7 +28,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       if (nop) {
         let filename = env.SETTINGS_FILE_PATH
         if (!deploymentConfig) {
-          filename = env.DEPLOYMENT_CONFIG_FILE
+          filename = env.DEPLOYMENT_CONFIG_FILE_PATH
           deploymentConfig = {}
         }
         const nopcommand = new NopCommand(filename, repo, null, e, 'ERROR')
@@ -53,7 +53,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       if (nop) {
         let filename = env.SETTINGS_FILE_PATH
         if (!deploymentConfig) {
-          filename = env.DEPLOYMENT_CONFIG_FILE
+          filename = env.DEPLOYMENT_CONFIG_FILE_PATH
           deploymentConfig = {}
         }
         const nopcommand = new NopCommand(filename, repo, null, e, 'ERROR')
@@ -78,7 +78,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       if (nop) {
         let filename = env.SETTINGS_FILE_PATH
         if (!deploymentConfig) {
-          filename = env.DEPLOYMENT_CONFIG_FILE
+          filename = env.DEPLOYMENT_CONFIG_FILE_PATH
           deploymentConfig = {}
         }
         const nopcommand = new NopCommand(filename, repo, null, e, 'ERROR')
@@ -104,7 +104,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       if (nop) {
         let filename = env.SETTINGS_FILE_PATH
         if (!deploymentConfig) {
-          filename = env.DEPLOYMENT_CONFIG_FILE
+          filename = env.DEPLOYMENT_CONFIG_FILE_PATH
           deploymentConfig = {}
         }
         const nopcommand = new NopCommand(filename, repo, null, e, 'ERROR')
@@ -123,7 +123,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
    */
   async function loadYamlFileSystem () {
     if (deploymentConfig === undefined) {
-      const deploymentConfigPath = env.DEPLOYMENT_CONFIG_FILE
+      const deploymentConfigPath = env.DEPLOYMENT_CONFIG_FILE_PATH
       if (fs.existsSync(deploymentConfigPath)) {
         deploymentConfig = yaml.load(fs.readFileSync(deploymentConfigPath))
       } else {
@@ -134,7 +134,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
   }
 
   function getAllChangedSubOrgConfigs (payload) {
-    const settingPattern = new Glob(`${env.CONFIG_PATH}/suborgs/*.yml`)
+    const settingPattern = Settings.SUB_ORG_PATTERN
     // Changes will be an array of files that were added
     const added = payload.commits.map(c => {
       return (c.added.filter(s => {
@@ -158,7 +158,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
   }
 
   function getAllChangedRepoConfigs (payload, owner) {
-    const settingPattern = new Glob(`${env.CONFIG_PATH}/repos/*.yml`)
+    const settingPattern = Settings.REPO_PATTERN
     // Changes will be an array of files that were added
     const added = payload.commits.map(c => {
       return (c.added.filter(s => {
@@ -230,7 +230,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
     }
   }
 
-  async function syncInstallation () {
+  async function syncInstallation (nop = false) {
     robot.log.trace('Fetching installations')
     const github = await robot.auth()
 
@@ -249,7 +249,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
         log: robot.log,
         repo: () => { return { repo: env.ADMIN_REPO, owner: installation.account.login } }
       }
-      return syncAllSettings(false, context)
+      return syncAllSettings(nop, context)
     }
     return null
   }
@@ -270,11 +270,11 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
     }
 
     const settingsModified = payload.commits.find(commit => {
-      return commit.added.includes(Settings.FILE_NAME) ||
-        commit.modified.includes(Settings.FILE_NAME)
+      return commit.added.includes(Settings.FILE_PATH) ||
+        commit.modified.includes(Settings.FILE_PATH)
     })
     if (settingsModified) {
-      robot.log.debug(`Changes in '${Settings.FILE_NAME}' detected, doing a full synch...`)
+      robot.log.debug(`Changes in '${Settings.FILE_PATH}' detected, doing a full synch...`)
       return syncAllSettings(false, context)
     }
 
@@ -292,7 +292,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       }))
     }
 
-    robot.log.debug(`No changes in '${Settings.FILE_NAME}' detected, returning...`)
+    robot.log.debug(`No changes in '${Settings.FILE_PATH}' detected, returning...`)
   })
 
   robot.on('create', async context => {
@@ -597,21 +597,21 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
     const changes = await context.octokit.repos.compareCommitsWithBasehead(params)
     const files = changes.data.files.map(f => { return f.filename })
 
-    const settingsModified = files.includes(Settings.FILE_NAME)
+    const settingsModified = files.includes(Settings.FILE_PATH)
 
     if (settingsModified) {
-      robot.log.debug(`Changes in '${Settings.FILE_NAME}' detected, doing a full synch...`)
+      robot.log.debug(`Changes in '${Settings.FILE_PATH}' detected, doing a full synch...`)
       return syncAllSettings(true, context, context.repo(), pull_request.head.ref)
     }
 
-    const repoChanges = getChangedRepoConfigName(new Glob(`${env.CONFIG_PATH}/repos/*.yml`), files, context.repo().owner)
+    const repoChanges = getChangedRepoConfigName(Settings.REPO_PATTERN, files, context.repo().owner)
     if (repoChanges.length > 0) {
       return Promise.all(repoChanges.map(repo => {
         return syncSettings(true, context, repo, pull_request.head.ref)
       }))
     }
 
-    const subOrgChanges = getChangedSubOrgConfigName(new Glob(`${env.CONFIG_PATH}/suborgs/*.yml`), files, context.repo().owner)
+    const subOrgChanges = getChangedSubOrgConfigName(Settings.SUB_ORG_PATTERN, files, context.repo().owner)
     if (subOrgChanges.length) {
       return Promise.all(subOrgChanges.map(suborg => {
         return syncSubOrgSettings(true, context, suborg, context.repo(), pull_request.head.ref)

lib/deploymentConfig.js

@@ -13,23 +13,23 @@ class DeploymentConfig {
   static overridevalidators = {}
 
   static {
-    const deploymentConfigPath = process.env.DEPLOYMENT_CONFIG_FILE ? process.env.DEPLOYMENT_CONFIG_FILE : 'deployment-settings.yml'
+    const deploymentConfigPath = env.DEPLOYMENT_CONFIG_FILE_PATH
     if (fs.existsSync(deploymentConfigPath)) {
-      this.config = yaml.load(fs.readFileSync(deploymentConfigPath))
+      this.config = yaml.load(fs.readFileSync(deploymentConfigPath)) || {}
     } else {
       this.config = { restrictedRepos: ['admin', '.github', 'safe-settings'] }
     }
 
-    const overridevalidators = this.config.overridevalidators
-    if (this.isIterable(overridevalidators)) {
+    const overridevalidators = this.config.overridevalidators || []
+    if (this.isNonEmptyArray(overridevalidators)) {
       for (const validator of overridevalidators) {
         // eslint-disable-next-line no-new-func
         const f = new Function('baseconfig', 'overrideconfig', 'githubContext', validator.script)
         this.overridevalidators[validator.plugin] = { canOverride: f, error: validator.error }
       }
     }
-    const configvalidators = this.config.configvalidators
-    if (this.isIterable(configvalidators)) {
+    const configvalidators = this.config.configvalidators || []
+    if (this.isNonEmptyArray(configvalidators)) {
       for (const validator of configvalidators) {
         // eslint-disable-next-line no-new-func
         const f = new Function('baseconfig', 'githubContext', validator.script)
@@ -38,12 +38,8 @@ class DeploymentConfig {
     }
   }
 
-  static isIterable (obj) {
-    // checks for null and undefined
-    if (obj == null) {
-      return false
-    }
-    return typeof obj[Symbol.iterator] === 'function'
+  static isNonEmptyArray (obj) {
+    return Array.isArray(obj) && obj.length > 0
   }
 
   // eslint-disable-next-line no-useless-constructor