Merge branch 'main-enterprise' into pull-request-full-context

Author: decyjphr

README.md

@@ -1,6 +1,11 @@
-# GitHub Safe-Settings
+# 🛡️ GitHub Safe-Settings
 
 [![Create a release](https://github.com/github/safe-settings/actions/workflows/create-release.yml/badge.svg)](https://github.com/github/safe-settings/actions/workflows/create-release.yml)
+[![License: ISC](https://img.shields.io/badge/License-ISC-blue.svg)](https://opensource.org/licenses/ISC)
+[![Node.js Version](https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen.svg)](https://nodejs.org/)
+
+> **Policy-as-Code for GitHub Organizations**  
+> Centrally manage and enforce repository settings, branch protections, teams, and more across your entire GitHub organization.
 
 `Safe-settings` – an app to manage policy-as-code and apply repository settings across an organization.
 
@@ -29,8 +34,121 @@
 
 > [!NOTE]
 > The `suborg` and `repo` level settings directory structure cannot be customized.
->
 
+## 🚀 Quick Start
+
+### 1. **Deploy Safe-Settings**
+
+Choose your preferred deployment method:
+
+- **🌟 AWS Lambda (**: Use the [SafeSettings-Template](https://github.com/bheemreddy181/SafeSettings-Template) for production-ready deployment with Docker containers, GitHub Actions CI/CD, and comprehensive testing
+- **🐳 Docker**: Deploy using Docker containers locally or in your infrastructure
+- **☁️ Cloud Platforms**: Deploy to Heroku, Glitch, or Kubernetes
+
+👉 **[View all deployment options →](docs/deploy.md)**
+
+### 2. **Create Admin Repository**
+
+Create an `admin` repository in your organization to store all configuration files:
+
+```bash
+# Create admin repo in your organization
+gh repo create your-org/admin --private
+```
+
+### 3. **Configure Settings Structure**
+
+Set up your configuration files in the admin repository:
+
+```
+admin/
+├── .github/
+│   ├── settings.yml          # Organization-wide settings
+│   ├── suborgs/              # Sub-organization settings
+│   │   ├── frontend-team.yml
+│   │   └── backend-team.yml
+│   └── repos/                # Repository-specific settings
+│       ├── api-service.yml
+│       └── web-app.yml
+```
+
+### 4. **Install GitHub App**
+
+Install the Safe-Settings GitHub App in your organization with the required permissions.
+
+👉 **[Complete setup guide →](#how-to-use)**
+
+## 📊 Visual Architecture
+
+### Configuration Hierarchy
+
+```mermaid
+graph TD
+    A[Organization Settings<br/>.github/settings.yml] --> B[Sub-Organization Settings<br/>.github/suborgs/*.yml]
+    B --> C[Repository Settings<br/>.github/repos/*.yml]
+    
+    style A fill:#e1f5fe,stroke:#01579b,stroke-width:2px,color:#000
+    style B fill:#f3e5f5,stroke:#4a148c,stroke-width:2px,color:#000
+    style C fill:#e8f5e8,stroke:#1b5e20,stroke-width:2px,color:#000
+```
+
+**Precedence Order**: Repository > Sub-Organization > Organization
+
+### Request Flow
+
+```mermaid
+sequenceDiagram
+    participant GH as GitHub
+    participant SS as Safe-Settings
+    participant AR as Admin Repo
+    participant TR as Target Repos
+    
+    Note over GH,TR: Webhook Event Processing
+    
+    GH->>+SS: Webhook Event<br/>(push, repo created, etc.)
+    SS->>SS: Validate Event Source
+    SS->>+AR: Fetch Configuration Files<br/>(.github/settings.yml, suborgs/, repos/)
+    AR-->>-SS: Return Config Files
+    
+    SS->>SS: Merge Configurations<br/>(Org → Suborg → Repo)
+    SS->>SS: Compare with Current<br/>GitHub Settings
+    
+    alt Configuration Changes Detected
+        SS->>+TR: Apply Settings<br/>(Branch Protection, Teams, etc.)
+        TR-->>-SS: Confirm Changes
+        SS->>GH: Create Check Run<br/>(Success/Failure)
+    else No Changes Needed
+        SS->>GH: Create Check Run<br/>(No Changes)
+    end
+    
+    SS-->>-GH: HTTP 200 Response
+    
+    Note over GH,TR: Pull Request Validation (Dry-Run Mode)
+    
+    GH->>+SS: PR Event<br/>(opened, synchronize)
+    SS->>+AR: Fetch PR Changes<br/>(Modified Config Files)
+    AR-->>-SS: Return Changed Configs
+    
+    SS->>SS: Validate Changes<br/>(Dry-Run Mode)
+    SS->>SS: Run Custom Validators<br/>(if configured)
+    
+    alt Validation Passes
+        SS->>GH: ✅ Check Success<br/>+ PR Comment (optional)
+    else Validation Fails
+        SS->>GH: ❌ Check Failure<br/>+ Error Details
+    end
+    
+    SS-->>-GH: HTTP 200 Response
+    
+    Note over GH,TR: Scheduled Sync (Drift Prevention)
+    
+    SS->>SS: Cron Trigger<br/>(if configured)
+    SS->>+AR: Fetch All Configurations
+    AR-->>-SS: Return All Configs
+    SS->>+TR: Sync All Repositories<br/>(Prevent Drift)
+    TR-->>-SS: Confirm Sync
+    SS->>GH: Create Check Run<br/>(Sync Results)
+```
 
 ## How it works
 

index.js

@@ -624,6 +624,32 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
     return syncSettings(false, context)
   })
 
+  robot.on('repository.archived', async context => {
+    const { payload } = context
+    const { sender } = payload
+
+    if (sender.type === 'Bot') {
+      robot.log.debug('Repository Archived by a Bot')
+      return
+    }
+    robot.log.debug('Repository Archived by a Human')
+
+    return syncSettings(false, context)
+  })
+
+  robot.on('repository.unarchived', async context => {
+    const { payload } = context
+    const { sender } = payload
+
+    if (sender.type === 'Bot') {
+      robot.log.debug('Repository Unarchived by a Bot')
+      return
+    }
+    robot.log.debug('Repository Unarchived by a Human')
+
+    return syncSettings(false, context)
+  })
+
   if (process.env.CRON) {
     /*
     # ┌────────────── second (optional)

lib/plugins/archive.js

@@ -1,86 +1,108 @@
-const NopCommand = require('../nopcommand');
-
-function returnValue(shouldContinue, nop) {
-  return { shouldContinue, nopCommands: nop };
-}
+const NopCommand = require('../nopcommand')
 
 module.exports = class Archive {
-  constructor(nop, github, repo, settings, log) {
-    this.github = github;
-    this.repo = repo;
-    this.settings = settings;
-    this.log = log;
-    this.nop = nop;
+  constructor (nop, github, repo, settings, log) {
+    this.github = github
+    this.repo = repo
+    this.settings = settings
+    this.log = log
+    this.nop = nop
   }
 
-  // Returns true if plugin application should continue, false otherwise
-  async sync() {
-    // Fetch repository details using REST API
-    const { data: repoDetails } = await this.github.repos.get({
+  async getRepo () {
+    try {
+      const { data } = await this.github.repos.get({
         owner: this.repo.owner,
         repo: this.repo.repo
-    });
-    if (typeof this.settings?.archived !== 'undefined') {
-      this.log.debug(`Checking if ${this.repo.owner}/${this.repo.repo} is archived`);
-      
-      this.log.debug(`Repo ${this.repo.owner}/${this.repo.repo} is ${repoDetails.archived ? 'archived' : 'not archived'}`);
-
-      if (repoDetails.archived) {
-        if (this.settings.archived) {
-          this.log.debug(`Repo ${this.repo.owner}/${this.repo.repo} already archived, inform other plugins should not run.`);
-          return returnValue(false);
-        } 
-        else {
-          this.log.debug(`Unarchiving ${this.repo.owner}/${this.repo.repo}`);
-          if (this.nop) {
-            return returnValue(true, [new NopCommand(this.constructor.name, this.repo, this.github.repos.update.endpoint(this.settings), 'will unarchive')]);
-          } 
-          else {
-            // Unarchive the repository using REST API
-            const updateResponse = await this.github.repos.update({
-              owner: this.repo.owner,
-              repo: this.repo.repo,
-              archived: false
-            });
-            this.log.debug(`Unarchive result ${JSON.stringify(updateResponse)}`);
-
-            return returnValue(true);
-          }
-        }
-      }
-      else {
-        if (this.settings.archived) {
-          this.log.debug(`Archiving ${this.repo.owner}/${this.repo.repo}`);
-          if (this.nop) {
-            return returnValue(false, [new NopCommand(this.constructor.name, this.repo, this.github.repos.update.endpoint(this.settings), 'will archive')]);
-          } 
-          else {
-            // Archive the repository using REST API
-            const updateResponse = await this.github.repos.update({
-              owner: this.repo.owner,
-              repo: this.repo.repo,
-              archived: true
-            });
-            this.log.debug(`Archive result ${JSON.stringify(updateResponse)}`);
-
-            return returnValue(false);
-          }
-        }
-        else {
-          this.log.debug(`Repo ${this.repo.owner}/${this.repo.repo} is not archived, ignoring.`);
-          return returnValue(true);
-        }
+      })
+      return data
+    } catch (error) {
+      if (error.status === 404 && !this.getDesiredArchiveState()) {
+        return null
       }
-    } 
-    else {
-        if (repoDetails.archived) {
-          this.log.debug(`Repo ${this.repo.owner}/${this.repo.repo} is archived, ignoring.`);
-          return returnValue(false);
-        }
-        else {
-            this.log.debug(`Repo ${this.repo.owner}/${this.repo.repo} is not archived, proceed as usual.`);
-            return returnValue(true);
-        }
+      throw error
     }
   }
-};
+
+  async updateRepoArchiveStatus (archived) {
+    const action = archived ? 'archive' : 'unarchive'
+
+    if (this.nop) {
+      const change = { msg: 'Change found', additions: {}, modifications: { archived: action }, deletions: {} }
+      return new NopCommand(
+        this.constructor.name,
+        this.repo,
+        this.github.repos.update.endpoint(this.settings),
+        change,
+        'INFO'
+      )
+    }
+
+    const { data } = await this.github.repos.update({
+      owner: this.repo.owner,
+      repo: this.repo.repo,
+      archived
+    })
+
+    this.log.debug({ result: data }, `Repo ${this.repo.owner}/${this.repo.repo} ${action}d`)
+  }
+
+  getDesiredArchiveState () {
+    if (typeof this.settings?.archived === 'undefined') {
+      return null
+    }
+    return typeof this.settings.archived === 'boolean'
+      ? this.settings.archived
+      : this.settings.archived === 'true'
+  }
+
+  shouldArchive (repository = this.repository) {
+    const desiredState = this.getDesiredArchiveState()
+    if (desiredState === null) return false
+    return !repository.archived && desiredState
+  }
+
+  shouldUnarchive (repository = this.repository) {
+    const desiredState = this.getDesiredArchiveState()
+    if (desiredState === null) return false
+    return repository.archived && !desiredState
+  }
+
+  isArchived () {
+    return this.repository?.archived
+  }
+
+  async getState () {
+    this.repository = await this.getRepo()
+
+    return {
+      isArchived: this.isArchived(),
+      shouldArchive: this.shouldArchive(),
+      shouldUnarchive: this.shouldUnarchive()
+    }
+  }
+
+  async sync () {
+    this.repository = await this.getRepo()
+
+    const results = []
+
+    if (!this.repository) {
+      this.log.warn(`Repo ${this.repo.owner}/${this.repo.repo} not found, skipping archive sync`)
+      return results
+    }
+
+    const shouldArchive = this.shouldArchive()
+    const shouldUnarchive = this.shouldUnarchive()
+
+    if (!shouldArchive && !shouldUnarchive) {
+      this.log.debug(`No archive changes needed for ${this.repo.owner}/${this.repo.repo}`)
+      return results
+    }
+
+    const archived = shouldArchive
+    results.push(await this.updateRepoArchiveStatus(archived))
+
+    return results
+  }
+}

lib/plugins/repository.js

@@ -36,7 +36,8 @@ const ignorableFields = [
   'org',
   'force_create',
   'auto_init',
-  'repo'
+  'repo',
+  'archived'
 ]
 
 module.exports = class Repository extends ErrorStash {