github
diff --git a/‎.github/workflows/create-pre-release.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/create-pre-release.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/create-release.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/create-release.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/rc-release.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/rc-release.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎NOTICE.md‎
Lines changed: 1 addition & 0 deletions b/‎NOTICE.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 40 additions & 1 deletion b/‎README.md‎
Lines changed: 40 additions & 1 deletion
diff --git a/‎docs/github-settings/README.md‎
Lines changed: 2 additions & 1 deletion b/‎docs/github-settings/README.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/status-checks.md‎
Lines changed: 172 additions & 0 deletions b/‎docs/status-checks.md‎
Lines changed: 172 additions & 0 deletions
diff --git a/‎lib/deploymentConfig.js‎
Lines changed: 7 additions & 11 deletions b/‎lib/deploymentConfig.js‎
Lines changed: 7 additions & 11 deletions
@@ -50,15 +50,15 @@ jobs:
           cache: 'npm'
       - run: npm install
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
       - name: Log in to the Container registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image Locally
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
         with:
           context: .
           file: ./Dockerfile
@@ -85,7 +85,7 @@ jobs:
           commitish: ${{ github.ref }}
       - name: Push Docker Image
         if: ${{ success() }}
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
         with:
           context: .
           file: ./Dockerfile
 
@@ -28,15 +28,15 @@ jobs:
           cache: "npm"
       - run: npm install
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
       - name: Log in to the Container registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image Locally
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
         with:
           context: .
           file: ./Dockerfile
@@ -59,7 +59,7 @@ jobs:
           bump: final
       - name: Push Docker Image
         if: ${{ success() }}
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
         with:
           context: .
           file: ./Dockerfile
 
@@ -68,15 +68,15 @@ jobs:
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
       - name: Build and push Docker image
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
         with:
           context: .
           push: true
 
@@ -4,6 +4,7 @@
 - type-fest, 0.3.1,(MIT OR CC0-1.0),
 - type-fest, 0.6.0,(MIT OR CC0-1.0),
 - type-fest, 0.8.1,(MIT OR CC0-1.0),
+- @apidevtools/json-schema-ref-parser, MIT
 - @babel/code-frame, 7.12.13, MIT,
 - @babel/code-frame, 7.5.5, MIT,
 - @babel/compat-data, 7.13.11, MIT,
 
@@ -30,7 +30,6 @@
 > [!NOTE]
 > The `suborg` and `repo` level settings directory structure cannot be customized.
 >
-> Settings files must have a `.yml` extension only. For now, the `.yaml` extension is ignored.
 
 
 ## How it works
@@ -123,6 +122,46 @@ overridevalidators:
 
 A sample of `deployment-settings` file is found [here](docs/sample-settings/sample-deployment-settings.yml).
 
+### Custom Status Checks
+For branch protection rules and rulesets, you can allow for status checks to be defined outside of safe-settings together with your usual safe settings.
+
+This can be defined at the org, sub-org, and repo level.
+
+To configure this for branch protection rules, specify `{{EXTERNALLY_DEFINED}}` under the `contexts` keyword:
+```yaml
+branches:
+  - name: main
+    protection:
+      ...
+      required_status_checks:
+        contexts:
+          - "{{EXTERNALLY_DEFINED}}"
+```
+
+For rulesets, specify `{{EXTERNALLY_DEFINED}}` under the `required_status_checks` keyword:
+```yaml
+rulesets:
+  - name: Status Checks
+    ...
+    rules:
+      - type: required_status_checks
+        parameters:
+          required_status_checks:
+            - context: "{{EXTERNALLY_DEFINED}}"
+```
+
+Notes:
+  - For the same branch that is covered by multi-level branch protection rules, contexts defined at the org level are merged into the sub-org and repo level contexts, while contexts defined at the sub-org level are merged into the repo level contexts.
+  - Rules from the sub-org level are merged into the repo level when their ruleset share the same name. Becareful not to define the same rule type in both levels as it will be rejected by GitHub.
+  - When `{{EXTERNALLY_DEFINED}}` is defined for a new branch protection rule or ruleset configuration, they will be deployed with no status checks.
+  - When an existing branch protection rule or ruleset configuration is amended with `{{EXTERNALLY_DEFINED}}`, the status checks in the existing rules in GitHub will remain as is.
+
+> ⚠️ **Warning:**
+When `{{EXTERNALLY_DEFINED}}` is removed from an existing branch protection rule or ruleset configuration, the status checks in the existing rules in GitHub will revert to the checks that are defined in safe-settings. From this point onwards, all status checks configured through the GitHub UI will be reverted back to the safe-settings configuration.
+
+#### Status checks inheritance across scopes
+Refer to [Status checks](docs/status-checks.md).
+
 ### Performance
 When there are 1000s of repos to be managed -- and there is a global settings change -- safe-settings will have to work efficiently and only make the necessary API calls.
 
 
@@ -9,4 +9,5 @@
 | Configure branch protection rules | [Branch Protection](5.%20branch-protection.md) |
 | Configure deployment environments | [Deployment Environments](6.%20deployment-environments.md) |
 | Configure auto-link references | [AutoLinks](7.%20autolinks.md) |
-| Configure pre-defined labels for issues and pull requests | [Labels](8.%20labels.md) |
+| Configure pre-defined labels for issues and pull requests | [Labels](8.%20labels.md) |
+
@@ -0,0 +1,172 @@
+## Status checks inheritance across scopes
+
+### Rulesets
+
+The status checks between organisation and repository rulesets are independent of each together.
+
+In the following examples, a common ruleset name is used at all levels. Repo1 and Repo2 are managed at the Sub-org level.
+
+#### No custom checks
+```
+Org checks:
+  Org Check
+Sub-org checks:
+  Sub-org Check
+Repo checks for Repo2:
+  Repo Check
+```
+
+Status checks:
+  - Newly deployed rules:
+    - Org: Org Check
+    - Repo1: Sub-org Check
+    - Repo2: _Failed to deploy as required_status_checks can't be defined twice in both sub-org and repo level_
+  - Updating status checks via GitHub UI:
+    - Org: Status checks reverted back to safe settings
+    - Repo1: Status checks reverted back to safe settings
+    - Repo2: NA
+
+#### No custom checks 2
+```
+Org checks:
+  Org Check
+Sub-org checks:
+  Sub-org Check
+Repo checks for Repo2:
+  _NONE_
+```
+
+Status checks:
+  - Newly deployed rules:
+    - Org: Org Check
+    - Repo1: Sub-org Check
+    - Repo2: _NONE_
+  - Updating status checks via GitHub UI:
+    - Org: Status checks reverted back to safe settings
+    - Repo1: Status checks reverted back to safe settings
+    - Repo2: Custom status checks are retained
+
+**The remaining tests will leave Repo2 out of the Sub-org.**
+
+#### Custom checks enabled at the Org and Sub-org level
+```
+Org:
+  Org Check
+  {{EXTERNALLY_DEFINED}}
+Sub-org checks:
+  Sub-org Check
+  {{EXTERNALLY_DEFINED}}
+Repo checks for Repo2:
+  Repo Check
+```
+
+Status checks:
+  - Newly deployed rules:
+    - Org: []
+    - Repo1: []
+    - Repo2: Repo Check
+  - Updating status checks via GitHub UI:
+    - Org: Custom status checks are retained
+    - Repo1: Custom status checks are retained
+    - Repo2: Status checks reverted back to safe settings
+
+#### Custom checks enabled at the Repo level
+```
+Org:
+  Org Check
+Sub-org checks:
+  Sub-org Check
+Repo checks for Repo2:
+  Repo Check
+  {{EXTERNALLY_DEFINED}}
+```
+
+Status checks:
+  - Newly deployed rules:
+    - Org: Org Check
+    - Repo1: Sub-org Check
+    - Repo2: []
+  - Updating status checks via GitHub UI:
+    - Org: Status checks reverted back to safe settings
+    - Repo1: Status checks reverted back to safe settings
+    - Repo2: Custom status checks are retained
+
+
+### Branch protection rules
+
+In the following examples the `main` branch is protected at all levels. Repo1 and Repo2 are managed at the Sub-org level.
+
+#### No custom checks
+```
+Org checks:
+  Org Check
+Sub-org checks:
+  Sub-org Check
+Repo checks for Repo2:
+  Repo Check
+```
+
+Status checks:
+  - Newly deployed rules:
+    - Repo1: Org Check, Sub-org Check
+    - Repo2: Org Check, Sub-org Check, Repo Check
+  - Updating status checks via GitHub UI:
+    - Repo1: Status checks reverted back to safe settings
+    - Repo2: Status checks reverted back to safe settings
+
+#### Custom checks enabled at the Org level
+```
+Org:
+  Org Check
+  {{EXTERNALLY_DEFINED}}
+Sub-org checks:
+  Sub-org Check
+Repo checks for Repo2:
+  Repo Check
+```
+
+Status checks:
+  - Newly deployed rules:
+    - Repo1: []
+    - Repo2: []
+  - Updating status checks via GitHub UI:
+    - Repo1: Custom status checks are retained
+    - Repo2: Custom status checks are retained
+
+#### Custom checks enabled at the Sub-org level
+```
+Org:
+  Org Check
+Sub-org checks:
+  Sub-org Check
+  {{EXTERNALLY_DEFINED}}
+Repo checks for Repo2:
+  Repo Check
+```
+
+Status checks:
+  - Newly deployed rules:
+    - Repo1: []
+    - Repo2: []
+  - Updating status checks via GitHub UI:
+    - Repo1: Custom status checks are retained
+    - Repo2: Custom status checks are retained
+
+#### Custom checks enabled at the Repo level
+```
+Org:
+  Org Check
+Sub-org checks:
+  Sub-org Check
+Repo checks for Repo2:
+  Repo Check
+  {{EXTERNALLY_DEFINED}}
+```
+
+Status checks:
+  - Newly deployed rules:
+    - Repo1: Org Check, Sub-org Check
+    - Repo2: []
+  - Updating status checks via GitHub UI:
+    - Repo1: Status checks reverted back to safe settings
+    - Repo2: Custom status checks are retained
@@ -15,21 +15,21 @@ class DeploymentConfig {
   static {
     const deploymentConfigPath = env.DEPLOYMENT_CONFIG_FILE_PATH
     if (fs.existsSync(deploymentConfigPath)) {
-      this.config = yaml.load(fs.readFileSync(deploymentConfigPath))
+      this.config = yaml.load(fs.readFileSync(deploymentConfigPath)) || {}
     } else {
       this.config = { restrictedRepos: ['admin', '.github', 'safe-settings'] }
     }
 
-    const overridevalidators = this.config.overridevalidators
-    if (this.isIterable(overridevalidators)) {
+    const overridevalidators = this.config.overridevalidators || []
+    if (this.isNonEmptyArray(overridevalidators)) {
       for (const validator of overridevalidators) {
         // eslint-disable-next-line no-new-func
         const f = new Function('baseconfig', 'overrideconfig', 'githubContext', validator.script)
         this.overridevalidators[validator.plugin] = { canOverride: f, error: validator.error }
       }
     }
-    const configvalidators = this.config.configvalidators
-    if (this.isIterable(configvalidators)) {
+    const configvalidators = this.config.configvalidators || []
+    if (this.isNonEmptyArray(configvalidators)) {
       for (const validator of configvalidators) {
         // eslint-disable-next-line no-new-func
         const f = new Function('baseconfig', 'githubContext', validator.script)
@@ -38,12 +38,8 @@ class DeploymentConfig {
     }
   }
 
-  static isIterable (obj) {
-    // checks for null and undefined
-    if (obj == null) {
-      return false
-    }
-    return typeof obj[Symbol.iterator] === 'function'
+  static isNonEmptyArray (obj) {
+    return Array.isArray(obj) && obj.length > 0
   }
 
   // eslint-disable-next-line no-useless-constructor