Sync settings to one or all of our managed repositories

Sync settings to one or all of our managed repositories #10

Workflow file for this run

	name: Sync settings to one or all of our managed repositories

	on:
	workflow_dispatch:
	inputs:
	repository:
	description: >
	Repository to synchronize. Leave empty to run this on every
	repo where the permutive-management GitHub App is installed
	required: false
	default: ""

	jobs:
	get-repositories:
	name: Create repo-matrix depending on whether the `repository` input is filled or not
	runs-on: ubuntu-latest
	outputs:
	repositories: ${{ steps.repositories.outputs.repositories }}
	steps:
	- name: Get the GitHub App installation token
	uses: alejandrohdezma/actions/github-app-token@v1
	id: github_app
	with:
	token: ${{ secrets.MANAGEMENT_APP_TOKEN }}

	- name: Select repositories to update
	id: repositories
	run: \|
	if [ "${{ github.event.inputs.repository }}" != "" ]; then
	echo "repositories=[\"permutive-engineering/${{ github.event.inputs.repository }}\"]" >> $GITHUB_OUTPUT
	else
	echo "repositories=$(gh api installation/repositories -q '.repositories \| map(.full_name)')" >> $GITHUB_OUTPUT
	fi
	env:
	GITHUB_TOKEN: ${{ steps.github_app.outputs.token }}

	sync:
	name: ${{ matrix.repo }} - Sync settings
	runs-on: ubuntu-latest
	needs: get-repositories
	strategy:
	fail-fast: false
	matrix:
	repo: ${{ fromJson(needs.get-repositories.outputs.repositories) }}
	steps:
	- name: Get the GitHub App installation token
	uses: alejandrohdezma/actions/github-app-token@v1
	id: github_app
	with:
	token: ${{ secrets.MANAGEMENT_APP_TOKEN }}

	- name: Sync settings to ${{ matrix.repo }}
	run: \|
	gh api --silent -X PATCH /repos/${{ matrix.repo }} --input - <<< '{
	"web_commit_signoff_required": true,
	"has_wiki": false,
	"has_projects": false,
	"has_discussions": false,
	"delete_branch_on_merge": true,
	"allow_update_branch": true,
	"allow_auto_merge": true,
	"allow_merge_commit": true,
	"allow_squash_merge": false,
	"allow_rebase_merge": false
	}'
	env:
	GITHUB_TOKEN: ${{ steps.github_app.outputs.token }}

	- name: Sync branch protection to ${{ matrix.repo }}
	run: \|
	default_branch=$(gh api /repos/${{ matrix.repo }} --jq '.default_branch')
	gh api --silent -X PUT "/repos/${{ matrix.repo }}/branches/$default_branch/protection" --input - <<< '{
	"required_status_checks": {
	"strict": true,
	"checks": [
	{
	"context": "Run \"sbt ci-test\" on JDK 17"
	},
	{
	"context": "Run \"sbt ci-test\" on JDK 11"
	}
	]
	},
	"required_pull_request_reviews": {
	"require_code_owner_reviews": true,
	"required_approving_review_count": 1,
	"dismiss_stale_reviews": false,
	"bypass_pull_request_allowances": {
	"users": ["permutive-ci"],
	"teams": ["developer-experience"]
	}
	},
	"enforce_admins": false,
	"required_conversation_resolution": true,
	"restrictions": null
	}'
	env:
	GITHUB_TOKEN: ${{ steps.github_app.outputs.token }}

	- name: Sync collaborators to ${{ matrix.repo }}
	run: \|
	gh api -X PUT /repos/${{ matrix.repo }}/collaborators/permutive-ci -f permission='admin'
	gh api -X PUT /orgs/permutive-engineering/teams/developer-experience/repos/${{ matrix.repo }} -f permission='admin'
	env:
	GITHUB_TOKEN: ${{ steps.github_app.outputs.token }}

	- name: Sync tag protection to ${{ matrix.repo }}
	run: \|
	has_protection=$(gh api /repos/${{ matrix.repo }}/tags/protection -q 'map(.pattern) \| . as $f \| "v*" \| IN($f[])')

	if [ "$has_protection" != "true" ]; then
	gh api -X POST /repos/${{ matrix.repo }}/tags/protection -f pattern='v*'
	fi
	env:
	GITHUB_TOKEN: ${{ steps.github_app.outputs.token }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sync settings to one or all of our managed repositories #10

Workflow file

Sync settings to one or all of our managed repositories #10

Jobs

Run details

Workflow file for this run