Merge branch 'main-enterprise' into fix-nop-envs

.eslintrc.json

@@ -8,9 +8,16 @@
         "standard"
     ],
     "parserOptions": {
-        "ecmaVersion": 12
+        "ecmaVersion": 13
     },
     "rules": {
     },
-    "ignorePatterns": ["test/**/*.js"]
+    "overrides": [
+        {
+            "files": ["test/**/*.js"],
+            "env": {
+                "jest": true
+            }
+        }
+    ]
 }

.github/workflows/create-pre-release.yml

@@ -31,6 +31,10 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  contents: write
+  packages: write
+
 jobs:
   build:
     if: ${{ github.actor != 'dependabot'}}
@@ -46,15 +50,15 @@ jobs:
           cache: 'npm'
       - run: npm install
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
       - name: Log in to the Container registry
-        uses: docker/login-action@v3 
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image Locally
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           file: ./Dockerfile
@@ -73,15 +77,15 @@ jobs:
       - run: echo "${{ github.ref }}"
       - name: Tag a final release 
         id: prerelease
-        uses: actionsdesk/semver@0.6.0-rc.10
+        uses: actionsdesk/semver@82aa4310e4e21c59cd0020007a4278e733e81dcb
         with:
           bump: ${{ inputs.bump }}
           prerelease: ${{ inputs.prerelease }}
           prelabel: ${{ inputs.prelabel }}
           commitish: ${{ github.ref }}
       - name: Push Docker Image
         if: ${{ success() }}
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           file: ./Dockerfile

.github/workflows/create-release.yml

@@ -9,6 +9,10 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  contents: write
+  packages: write
+
 jobs:
   build:
     if: ${{ github.actor != 'dependabot'}}
@@ -24,15 +28,15 @@ jobs:
           cache: "npm"
       - run: npm install
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
       - name: Log in to the Container registry
-        uses: docker/login-action@v3 
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image Locally
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           file: ./Dockerfile
@@ -50,12 +54,12 @@ jobs:
           curl http://localhost:3000
       - name: Tag a final release
         id: finalrelease
-        uses: actionsdesk/semver@0.6.0-rc.10
+        uses: actionsdesk/semver@82aa4310e4e21c59cd0020007a4278e733e81dcb
         with:
           bump: final
       - name: Push Docker Image
         if: ${{ success() }}
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           file: ./Dockerfile

.github/workflows/deploy-k8s.yml

@@ -29,35 +29,35 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      - uses: azure/login@v1
+      - uses: azure/login@a65d910e8af852a8061c627c456678983e180302
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
-      - uses: azure/aks-set-context@v3
+      - uses: azure/aks-set-context@feeca6405be94202afcb1c395616ff29b1811b9f
         with:
           resource-group: ${{env.AZURE_RESOURCE_GROUP}}
           cluster-name: ${{env.AZURE_AKS_CLUSTER}}
         id: login
       - run: |
           kubectl get deployment
       - name: app-env
-        uses: azure/k8s-create-secret@v4
+        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218
         with:
           namespace: 'default'
           secret-type: 'generic'
           arguments:  --from-literal=APP_ID=${{ secrets.APP_ID }} --from-literal=PRIVATE_KEY=${{ secrets.PRIVATE_KEY }} --from-literal=WEBHOOK_SECRET=${{ secrets.WEBHOOK_SECRET }}
           secret-name: app-env
       - name: Set imagePullSecret
-        uses: azure/k8s-create-secret@v4
+        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218
         with:
           namespace: ${{env.AZURE_AKS_NAMESPACE}}
           container-registry-url: ${{env.IMAGE_REGISTRY_URL}}
           container-registry-username: ${{ secrets.DOCKER_USERNAME }}
           container-registry-password: ${{ secrets.DOCKER_PASSWORD }}
           secret-name: 'image-pull-secret'
         id: create-secret
-      - uses: Azure/k8s-deploy@v4.10
+      - uses: Azure/k8s-deploy@v5
         with:
           namespace: ${{env.AZURE_AKS_NAMESPACE}}
           manifests: |

.github/workflows/node-ci.yml

@@ -2,6 +2,9 @@ name: Node.js CI
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true

.github/workflows/rc-release.yml

@@ -35,7 +35,7 @@ jobs:
     - name: Tag a rc release 
       if: ${{ !github.event.pull_request.head.repo.fork }}
       id: rcrelease
-      uses: actionsdesk/semver@0.6.0-rc.10
+      uses: actionsdesk/semver@82aa4310e4e21c59cd0020007a4278e733e81dcb
       with:
         prerelease: withBuildNumber
         prelabel: rc
@@ -60,23 +60,23 @@ jobs:
       - run: echo ${{ github.actor }}
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
       - name: Build and push Docker image
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           push: true

README.md

@@ -32,8 +32,12 @@
 >
 > Settings files must have a `.yml` extension only. For now, the `.yaml` extension is ignored.
 
+
 ## How it works
 
+`Safe-settings` is designed to run as a service listening for webhook events or as a scheduled job running on some regular cadence. It can also be triggered through GitHub Actions. (See the [How to use](#how-to-use) section for details on deploying and configuring.)
+
+
 ### Events
 The App listens to the following webhook events:
 
@@ -286,7 +290,21 @@ The following can be configured:
 - `Rulesets`
 - `Environments` - wait timer, required reviewers, prevent self review, protected branches deployment branch policy, custom deployment branch policy, variables, deployment protection rules
 
-It is possible to provide an `include` or `exclude` settings to restrict the `collaborators`, `teams`, `labels` to a list of repos or exclude a set of repos for a collaborator.
+> [!important]
+> It is possible to provide an `include` or `exclude` settings to restrict the `collaborators`, `teams`, `labels` to a list of repos or exclude a set of repos for a collaborator. 
+> The include/exclude pattern can also be for glob. For e.g.:
+```
+teams:
+  - name: Myteam-admins
+    permission: admin
+  - name: Myteam-developers
+    permission: push
+  - name: Other-team
+    permission: push
+    include:
+      - '*-config'
+```
+> Will only add `Other-team` to only `*-config` repos
 
 See [`docs/sample-settings/settings.yml`](docs/sample-settings/settings.yml) for a sample settings file.
 
@@ -364,11 +382,13 @@ You can pass environment variables; the easiest way to do it is via a `.env` fil
 
 ## How to use
 
-1. __[Deploy and install the app](docs/deploy.md)__.
+1. Create an `admin` repo (or an alternative of your choosing) within your organization. Remember to set `ADMIN_REPO` if you choose something other than `admin`. See [Environment variables](#environment-variables) for more details.
+
+2. Add the settings for the `org`, `suborgs`, and `repos`. Sample files can be found [here](docs/sample-settings).
+
+3. __[Deploy and install the app](docs/deploy.md)__.  Alternatively, the __[GitHub Actions Guide](docs/github-action.md)__ describes how to run `safe-settings` with GitHub Actions.
 
-2. Create an `admin` repo (or an alternative of your choosing) within your organization. Remember to set `CONFIG_REPO` if you choose something other than `admin`. See [Environment variables](#environment-variables) for more details.
 
-3. Add the settings for the `org`, `suborgs`, and `repos`. Sample files can be found [here](docs/sample-settings).
 
 
 ## License

docs/github-action.md

@@ -0,0 +1,57 @@
+# Running Safe-settings with GitHub Actions (GHA)
+
+This guide describes how to schedule a full safe-settings sync using GitHub Actions. This assumes that an `admin` repository has been configured with your `safe-settings` configuration. Refer to the [How to Use](../README.md#how-to-use) docs for more details on that process.
+
+
+## GitHub App Creation
+Follow the [Create the GitHub App](deploy.md#create-the-github-app) guide to create an App in your GitHub account. This will allow `safe-settings` to access and modify your repos.
+
+
+## Defining the GitHub Action Workflow
+Running a full-sync with `safe-settings` can be done via `npm run full-sync`. This requires installing Node, such as with [actions/setup-node](https://github.com/actions/setup-node) (see example below). When doing so, the appropriate environment variables must be set (see the [Environment variables](#environment-variables) document for more details).
+
+
+### Example GHA Workflow
+The below example uses the GHA "cron" feature to run a full-sync every 4 hours. While not required, this example uses the `.github` repo as the `admin` repo (set via `ADMIN_REPO` env var) and the safe-settings configurations are stored in the `safe-settings/` directory (set via `CONFIG_PATH` and `DEPLOYMENT_CONFIG_FILE`).
+
+```yaml
+name: Safe Settings Sync
+on:
+  schedule:
+    - cron: "0 */4 * * *"
+  workflow_dispatch: {}
+
+jobs:
+  safeSettingsSync:
+    runs-on: ubuntu-latest
+    env:
+      # Version/tag of github/safe-settings repo to use:
+      SAFE_SETTINGS_VERSION: 2.1.13
+
+      # Path on GHA runner box where safe-settings code downloaded to:
+      SAFE_SETTINGS_CODE_DIR: ${{ github.workspace }}/.safe-settings-code
+    steps:
+      # Self-checkout of 'admin' repo for access to safe-settings config:
+      - uses: actions/checkout@v4
+
+      # Checkout of safe-settings repo for running full sync:
+      - uses: actions/checkout@v4
+        with:
+          repository: github/safe-settings
+          ref: $SAFE_SETTINGS_VERSION
+          path: $SAFE_SETTINGS_CODE_DIR
+      - uses: actions/setup-node@v4
+      - run: npm install
+        working-directory: $SAFE_SETTINGS_CODE_DIR
+      - run: npm run full-sync
+        working-directory: $SAFE_SETTINGS_CODE_DIR
+        env:
+          GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
+          APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}
+          PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
+          GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
+          GITHUB_CLIENT_SECRET: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}
+          ADMIN_REPO: .github
+          CONFIG_PATH: safe-settings
+          DEPLOYMENT_CONFIG_FILE: ${{ github.workspace }}/safe-settings/deployment-settings.yml
+```

full-sync.js

@@ -0,0 +1,19 @@
+const { createProbot } = require('probot')
+const appFn = require('./')
+
+const probot = createProbot()
+probot.log.info('Starting full sync.')
+const app = appFn(probot, {})
+app.syncInstallation()
+  .then(settings => {
+    if (settings.errors.length > 0) {
+      probot.log.error('Errors occurred during full sync.')
+      process.exit(1)
+    } else {
+      probot.log.info('Done with full sync.')
+    }
+  })
+  .catch(error => {
+    process.stdout.write(`Unexpected error during full sync: ${error}\n`)
+    process.exit(1)
+  })