upgrade@14524846595

Author: galargh

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "npm"
+    directory: "/scripts/"
+    schedule:
+      interval: "weekly"

.github/workflows/apply.yml

@@ -67,7 +67,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Setup terraform
-        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: 1.2.9
           terraform_wrapper: false

.github/workflows/clean.yml

@@ -71,7 +71,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Setup terraform
-        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: 1.2.9
           terraform_wrapper: false

.github/workflows/fix.yml

@@ -93,7 +93,7 @@ jobs:
           git fetch origin "pull/${NUMBER}/head"
           rm -rf github && git checkout "${SHA}" -- github
       - name: Setup terraform
-        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: 1.2.9
           terraform_wrapper: false
@@ -117,7 +117,7 @@ jobs:
       # NOTE(galargh, 2024-02-15): This will only work if GitHub as Code is used for a single organization
       - name: Comment on pull request
         if: github.event_name == 'pull_request_target' && steps.fix.outputs.comment
-        uses: marocchino/sticky-pull-request-comment@fcf6fe9e4a0409cd9316a5011435be0f3327f1e1 # v2.3.1
+        uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
         with:
           header: fix
           number: ${{ github.event.pull_request.number }}
@@ -135,10 +135,11 @@ jobs:
     steps:
       - name: Generate app token
         id: token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
         with:
           app_id: ${{ secrets.RW_GITHUB_APP_ID }}
-          installation_id: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', github.repository_owner)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }}
+          installation_retrieval_mode: id
+          installation_retrieval_payload: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', github.repository_owner)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }}
           private_key: ${{ secrets.RW_GITHUB_APP_PEM_FILE }}
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/plan.yml

@@ -80,7 +80,7 @@ jobs:
           git fetch origin "pull/${NUMBER}/head"
           rm -rf github && git checkout "${SHA}" -- github
       - name: Setup terraform
-        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: 1.2.9
           terraform_wrapper: false
@@ -122,7 +122,7 @@ jobs:
           git fetch origin "pull/${NUMBER}/head"
           rm -rf github && git checkout "${SHA}" -- github
       - name: Setup terraform
-        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: 1.2.9
           terraform_wrapper: false
@@ -157,7 +157,7 @@ jobs:
           echo 'EOF' >> $GITHUB_ENV
         working-directory: terraform
       - name: Comment on pull request
-        uses: marocchino/sticky-pull-request-comment@fcf6fe9e4a0409cd9316a5011435be0f3327f1e1 # v2.3.1
+        uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
         with:
           header: plan
           number: ${{ github.event.pull_request.number }}

.github/workflows/sync.yml

@@ -65,7 +65,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Setup terraform
-        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: 1.2.9
           terraform_wrapper: false
@@ -107,10 +107,11 @@ jobs:
     steps:
       - name: Generate app token
         id: token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
         with:
           app_id: ${{ secrets.RW_GITHUB_APP_ID }}
-          installation_id: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', github.repository_owner)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }}
+          installation_retrieval_mode: id
+          installation_retrieval_payload: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', github.repository_owner)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }}
           private_key: ${{ secrets.RW_GITHUB_APP_PEM_FILE }}
       - name: Checkout
         uses: actions/checkout@v4

CHANGELOG.md

@@ -6,6 +6,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 ### Added
+- shared action for adding a collaborator to all repositories
 - clean workflow which removes resources from state
 - information on how to handle private GitHub Management repository
 - warning about GitHub Management repository access
@@ -22,6 +23,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - new args for repositories and branch protection rules
 
 ### Changed
+- **BREAKING**: turned scripts into an ESM project (please ensure you remove the following files during the upgrade: `scripts/.eslintignore`, `scripts/.eslintrc.json`, `scripts/jest.config.js`, `jest.d.ts`, `jest.setup.ts`; please update your imports in the `scripts/src/actions/fix-yaml-config.ts` file to include the `.js` extension)
+- **BREAKING**: Updated the signatures of all the shared actions; now the runAction function will persist the changes to disk while action functions will operate on the in-memory state (please update your imports in the `scripts/src/actions/fix-yaml-config.ts` file accordingly)
 - Synchronization script: to use GitHub API directly instead of relying on TF GH Provider's Data Sources
 - Configuration: replaced multiple JSONs with a single, unified YAML
 - Synchronization script: rewrote the script in JS
@@ -46,6 +49,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - updated upload and download artifacts actions to v4
 
 ### Fixed
+- fixed how terraform state is accessed before it the initial synchronization
 - links to supported resources in HOWTOs
 - posting PR comments when terraform plan output is very long
 - PR parsing in the update workflow

docs/HOWTOS.md

@@ -118,7 +118,7 @@ I want to ensure that all the public repositories in my organization have their
 To do that, I ensure the following content is present in `scripts/src/actions/fix-yaml-config.ts`:
 ```ts
 import 'reflect-metadata'
-import { protectDefaultBranches } from './shared/protect-default-branches'
+import { runProtectDefaultBranches } from './shared/protect-default-branches'
 
-protectDefaultBranches()
+runProtectDefaultBranches()
 ```

docs/SETUP.md

@@ -143,6 +143,8 @@
     - [ ] Rename the `$GITHUB_ORGANIZATION_NAME.yml` in `github` to the name of the GitHub organization
 - [ ] Push the changes to `$GITHUB_MGMT_REPOSITORY_DEFAULT_BRANCH`
 
+> [!WARNING] Please note that until you [synchronize GitHub Management with GitHub](#github-management-sync-flow) for the first time, the workflows that depend on Terraform state, like `Fix`, `Plan` or `Apply`, will fail. This is because the state is not yet initialized.
+
 ## GitHub Management Sync Flow
 
 - [ ] Follow [How to synchronize GitHub Management with GitHub?](HOWTOS.md#synchronize-github-management-with-github) to commit the terraform lock and initialize terraform state

github/.schema.json

@@ -27,6 +27,9 @@
           "additionalProperties": {
             "additionalProperties": false,
             "properties": {
+              "advanced_security": {
+                "type": "boolean"
+              },
               "allow_auto_merge": {
                 "type": "boolean"
               },
@@ -39,6 +42,9 @@
               "allow_squash_merge": {
                 "type": "boolean"
               },
+              "allow_update_branch": {
+                "type": "boolean"
+              },
               "archive_on_destroy": {
                 "type": "boolean"
               },
@@ -108,6 +114,9 @@
               "gitignore_template": {
                 "type": "string"
               },
+              "has_discussions": {
+                "type": "boolean"
+              },
               "has_downloads": {
                 "type": "boolean"
               },
@@ -129,9 +138,21 @@
               "is_template": {
                 "type": "boolean"
               },
+              "labels": {
+                "additionalProperties": {
+                  "$ref": "#/definitions/RepositoryLabel"
+                },
+                "type": "object"
+              },
               "license_template": {
                 "type": "string"
               },
+              "merge_commit_message": {
+                "type": "string"
+              },
+              "merge_commit_title": {
+                "type": "string"
+              },
               "pages": {
                 "additionalProperties": false,
                 "properties": {
@@ -153,6 +174,18 @@
                 },
                 "type": "object"
               },
+              "secret_scanning": {
+                "type": "boolean"
+              },
+              "secret_scanning_push_protection": {
+                "type": "boolean"
+              },
+              "squash_merge_commit_message": {
+                "type": "string"
+              },
+              "squash_merge_commit_title": {
+                "type": "string"
+              },
               "teams": {
                 "additionalProperties": false,
                 "properties": {
@@ -276,9 +309,15 @@
         "allows_force_pushes": {
           "type": "boolean"
         },
+        "blocks_creations": {
+          "type": "boolean"
+        },
         "enforce_admins": {
           "type": "boolean"
         },
+        "lock_branch": {
+          "type": "boolean"
+        },
         "push_restrictions": {
           "items": {
             "type": "string"
@@ -354,6 +393,18 @@
       },
       "type": "object"
     },
+    "RepositoryLabel": {
+      "additionalProperties": false,
+      "properties": {
+        "color": {
+          "type": "string"
+        },
+        "description": {
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
     "Visibility": {
       "enum": [
         "private",