Merge branch 'main-enterprise' into yj-repo-in-many-suborgs

Author: decyjphr

.github/workflows/deploy-k8s.yml

@@ -29,35 +29,35 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      - uses: azure/login@v1
+      - uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
-      - uses: azure/aks-set-context@v3
+      - uses: azure/aks-set-context@v4
         with:
           resource-group: ${{env.AZURE_RESOURCE_GROUP}}
           cluster-name: ${{env.AZURE_AKS_CLUSTER}}
         id: login
       - run: |
           kubectl get deployment
       - name: app-env
-        uses: azure/k8s-create-secret@v4
+        uses: azure/k8s-create-secret@v5
         with:
           namespace: 'default'
           secret-type: 'generic'
           arguments:  --from-literal=APP_ID=${{ secrets.APP_ID }} --from-literal=PRIVATE_KEY=${{ secrets.PRIVATE_KEY }} --from-literal=WEBHOOK_SECRET=${{ secrets.WEBHOOK_SECRET }}
           secret-name: app-env
       - name: Set imagePullSecret
-        uses: azure/k8s-create-secret@v4
+        uses: azure/k8s-create-secret@v5
         with:
           namespace: ${{env.AZURE_AKS_NAMESPACE}}
           container-registry-url: ${{env.IMAGE_REGISTRY_URL}}
           container-registry-username: ${{ secrets.DOCKER_USERNAME }}
           container-registry-password: ${{ secrets.DOCKER_PASSWORD }}
           secret-name: 'image-pull-secret'
         id: create-secret
-      - uses: Azure/k8s-deploy@v4.10
+      - uses: Azure/k8s-deploy@v5
         with:
           namespace: ${{env.AZURE_AKS_NAMESPACE}}
           manifests: |

README.md

@@ -32,8 +32,12 @@
 >
 > Settings files must have a `.yml` extension only. For now, the `.yaml` extension is ignored.
 
+
 ## How it works
 
+`Safe-settings` is designed to run as a service listening for webhook events or as a scheduled job running on some regular cadence. It can also be triggered through GitHub Actions. (See the [How to use](#how-to-use) section for details on deploying and configuring.)
+
+
 ### Events
 The App listens to the following webhook events:
 
@@ -286,7 +290,21 @@ The following can be configured:
 - `Rulesets`
 - `Environments` - wait timer, required reviewers, prevent self review, protected branches deployment branch policy, custom deployment branch policy, variables, deployment protection rules
 
-It is possible to provide an `include` or `exclude` settings to restrict the `collaborators`, `teams`, `labels` to a list of repos or exclude a set of repos for a collaborator.
+> [!important]
+> It is possible to provide an `include` or `exclude` settings to restrict the `collaborators`, `teams`, `labels` to a list of repos or exclude a set of repos for a collaborator. 
+> The include/exclude pattern can also be for glob. For e.g.:
+```
+teams:
+  - name: Myteam-admins
+    permission: admin
+  - name: Myteam-developers
+    permission: push
+  - name: Other-team
+    permission: push
+    include:
+      - '*-config'
+```
+> Will only add `Other-team` to only `*-config` repos
 
 See [`docs/sample-settings/settings.yml`](docs/sample-settings/settings.yml) for a sample settings file.
 
@@ -364,11 +382,13 @@ You can pass environment variables; the easiest way to do it is via a `.env` fil
 
 ## How to use
 
-1. __[Deploy and install the app](docs/deploy.md)__.
+1. Create an `admin` repo (or an alternative of your choosing) within your organization. Remember to set `CONFIG_REPO` if you choose something other than `admin`. See [Environment variables](#environment-variables) for more details.
+
+2. Add the settings for the `org`, `suborgs`, and `repos`. Sample files can be found [here](docs/sample-settings).
+
+3. __[Deploy and install the app](docs/deploy.md)__.  Alternatively, the __[GitHub Actions Guide](docs/github-action.md)__ describes how to run `safe-settings` with GitHub Actions.
 
-2. Create an `admin` repo (or an alternative of your choosing) within your organization. Remember to set `CONFIG_REPO` if you choose something other than `admin`. See [Environment variables](#environment-variables) for more details.
 
-3. Add the settings for the `org`, `suborgs`, and `repos`. Sample files can be found [here](docs/sample-settings).
 
 
 ## License

docs/github-action.md

@@ -0,0 +1,57 @@
+# Running Safe-settings with GitHub Actions (GHA)
+
+This guide describes how to schedule a full safe-settings sync using GitHub Actions. This assumes that an `admin` repository has been configured with your `safe-settings` configuration. Refer to the [How to Use](../README.md#how-to-use) docs for more details on that process.
+
+
+## GitHub App Creation
+Follow the [Create the GitHub App](deploy.md#create-the-github-app) guide to create an App in your GitHub account. This will allow `safe-settings` to access and modify your repos.
+
+
+## Defining the GitHub Action Workflow
+Running a full-sync with `safe-settings` can be done via `npm run full-sync`. This requires installing Node, such as with [actions/setup-node](https://github.com/actions/setup-node) (see example below). When doing so, the appropriate environment variables must be set (see the [Environment variables](#environment-variables) document for more details).
+
+
+### Example GHA Workflow
+The below example uses the GHA "cron" feature to run a full-sync every 4 hours. While not required, this example uses the `.github` repo as the `admin` repo (set via `ADMIN_REPO` env var) and the safe-settings configurations are stored in the `safe-settings/` directory (set via `CONFIG_PATH` and `DEPLOYMENT_CONFIG_FILE`).
+
+```yaml
+name: Safe Settings Sync
+on:
+  schedule:
+    - cron: "0 */4 * * *"
+  workflow_dispatch: {}
+
+jobs:
+  safeSettingsSync:
+    runs-on: ubuntu-latest
+    env:
+      # Version/tag of github/safe-settings repo to use:
+      SAFE_SETTINGS_VERSION: 2.1.13
+
+      # Path on GHA runner box where safe-settings code downloaded to:
+      SAFE_SETTINGS_CODE_DIR: ${{ github.workspace }}/.safe-settings-code
+    steps:
+      # Self-checkout of 'admin' repo for access to safe-settings config:
+      - uses: actions/checkout@v4
+
+      # Checkout of safe-settings repo for running full sync:
+      - uses: actions/checkout@v4
+        with:
+          repository: github/safe-settings
+          ref: $SAFE_SETTINGS_VERSION
+          path: $SAFE_SETTINGS_CODE_DIR
+      - uses: actions/setup-node@v4
+      - run: npm install
+        working-directory: $SAFE_SETTINGS_CODE_DIR
+      - run: npm run full-sync
+        working-directory: $SAFE_SETTINGS_CODE_DIR
+        env:
+          GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
+          APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}
+          PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
+          GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
+          GITHUB_CLIENT_SECRET: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}
+          ADMIN_REPO: .github
+          CONFIG_PATH: safe-settings
+          DEPLOYMENT_CONFIG_FILE: ${{ github.workspace }}/safe-settings/deployment-settings.yml
+```

docs/github-settings/6. deployment-environments.md

@@ -29,6 +29,8 @@ environments:
     deployment_branch_policy:
       protected_branches: true
       custom_branch_policies: false
+    deployment_protection_rules:
+      - app_id: 25112  
     variables:
       - name: MY_AWESOME_VAR
         value: '845705'

full-sync.js

@@ -0,0 +1,19 @@
+const { createProbot } = require('probot')
+const appFn = require('./')
+
+const probot = createProbot()
+probot.log.info('Starting full sync.')
+const app = appFn(probot, {})
+app.syncInstallation()
+  .then(settings => {
+    if (settings.errors.length > 0) {
+      probot.log.error('Errors occurred during full sync.')
+      process.exit(1)
+    } else {
+      probot.log.info('Done with full sync.')
+    }
+  })
+  .catch(error => {
+    process.stdout.write(`Unexpected error during full sync: ${error}\n`)
+    process.exit(1)
+  })

lib/mergeDeep.js

@@ -1,7 +1,7 @@
 const mergeBy = require('./mergeArrayBy')
 const DeploymentConfig = require('./deploymentConfig')
 
-const NAME_FIELDS = ['name', 'username', 'actor_id', 'login', 'type', 'key_prefix']
+const NAME_FIELDS = ['name', 'username', 'actor_id', 'login', 'type', 'key_prefix', 'context']
 const NAME_USERNAME_PROPERTY = item => NAME_FIELDS.find(prop => Object.prototype.hasOwnProperty.call(item, prop))
 const GET_NAME_USERNAME_PROPERTY = item => { if (NAME_USERNAME_PROPERTY(item)) return item[NAME_USERNAME_PROPERTY(item)] }
 
@@ -91,6 +91,10 @@ class MergeDeep {
     // One of the oddities is when we compare objects, we are only interested in the properties of source
     // So any property in the target that is not in the source is not treated as a deletion
     for (const key in source) {
+      // Skip prototype pollution vectors
+      if (key === "__proto__" || key === "constructor") {
+        continue;
+      }
       // Logic specific for Github
       // API response includes urls for resources, or other ignorable fields; we can ignore them
       if (key.indexOf('url') >= 0 || this.ignorableFields.indexOf(key) >= 0) {

lib/plugins/diffable.js

@@ -22,6 +22,7 @@
 const ErrorStash = require('./errorStash')
 const MergeDeep = require('../mergeDeep')
 const NopCommand = require('../nopcommand')
+const Glob = require('../glob')
 const ignorableFields = ['id', 'node_id', 'default', 'url']
 module.exports = class Diffable extends ErrorStash {
   constructor (nop, github, repo, entries, log, errors) {
@@ -39,7 +40,10 @@ module.exports = class Diffable extends ErrorStash {
     // this.log.debug(` entries ${JSON.stringify(filteredEntries)}`)
     filteredEntries = filteredEntries.filter(attrs => {
       if (Array.isArray(attrs.exclude)) {
-        if (!attrs.exclude.includes(this.repo.repo)) {
+        const excludeGlobs = attrs.exclude.map(exc => new Glob(exc));
+        const excludeGlobsMatch = excludeGlobs.some(glob => !!this.repo.repo.match(glob));
+
+        if (!attrs.exclude.includes(this.repo.repo) && !excludeGlobsMatch) {
           // this.log.debug(`returning not excluded entry = ${JSON.stringify(attrs)} for repo ${this.repo.repo}`)
           return true
         } else {
@@ -53,7 +57,10 @@ module.exports = class Diffable extends ErrorStash {
     })
     filteredEntries = filteredEntries.filter(attrs => {
       if (Array.isArray(attrs.include)) {
-        if (attrs.include.includes(this.repo.repo)) {
+        const includeGlobs = attrs.include.map(inc => new Glob(inc));
+        const includeGlobsMatch = includeGlobs.some(glob => !!this.repo.repo.match(glob));
+
+        if (attrs.include.includes(this.repo.repo) || includeGlobsMatch) {
           // this.log.debug(`returning included entry  = ${JSON.stringify(attrs)} for repo ${this.repo.repo}`)
           return true
         } else {

lib/settings.js

@@ -22,6 +22,7 @@ class Settings {
       settings.logError(error.message)
       await settings.handleResults()
     }
+    return settings
   }
 
   static async syncSubOrgs(nop, context, suborg, repo, config, ref) {