feat: update org-settings and repo-settings to include more things #3
Merged
bitwise-fast-forward-merge[bot] merged 6 commits into Jun 29, 2026
Conversation
dmccaffery
commented
Jun 29, 2026
Collaborator
- include default maintainer team management
- include GitHub Pages configuration
- include pull-request collaborators-only
- update all workflows
The creation/update restriction excluded Dependabot via the ref pattern refs/heads/dependabot/**, but GitHub evaluates ruleset ref_name patterns with fnmatch + FNM_PATHNAME, where a trailing ** behaves like * and does not cross / boundaries. Real Dependabot branches are nested (e.g. dependabot/go_modules/tools/github.com/containerd/containerd/v2-2.1.4), so they were never excluded and branch creation was blocked with "Cannot create ref due to creations being restricted."

Use refs/heads/dependabot/**/* so ** matches the leading segments and the trailing * matches the final segment across the whole nested path.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>

Bump every org reusable-workflow pin from v1.1.0 to v3.2.1 (5a07255), crossing the v2 and v3 breaking releases and adopting the current caller suite.

v2: auto-merge.yaml is removed and folded into merge.yaml, which now triggers on issue_comment + workflow_run + schedule and no longer takes a pr-number input.

v3: merge.yaml drops its pull_request(labeled)/pull_request_review triggers and gains the required merge-review-ack.yaml companion (listed in its workflow_run); dependabot-merge.yaml drops pull_request_target and is workflow_run-only.

Convert the inline codeql.yaml to a security.yaml caller (the v2 rename); the gating check is renamed "CodeQL analysis" -> "Security Analysis" and updated in the merge/dependabot workflow_run lists. public-code-quality gates on the "CodeQL" tool, not the workflow name, so the required code-scanning check is unaffected.

Convert the inline release-please.yaml to a release.yaml caller; v3.2.1 dropped the make build step, so a config-only repo with no .goreleaser.yaml gets a clean release-please-only cut. release-please still authors with GITHUB_TOKEN (verified commits satisfy required_signatures); vanity-tags stays default-false.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>

Add two repo settings to export/import:

- pull_request_creation_policy (all | collaborators_only): the 'Pull request permissions > Creation allowed by' setting, via the settings filter. settings.json selects collaborators_only.
- Pages 'Build and deployment > Source' via pages.json: build_type (workflow = GitHub Actions, legacy = deploy from a branch) plus source branch/path for branch deploys. Applied, not mirrored: import creates Pages when off and updates when on, never disables. pages.json selects GitHub Actions (build_type: workflow).

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
Bump all six reusable-workflow pins from v3.2.1 (5a07255) to v4.0.0 (4a154ff). Five of the six reusable workflows are byte-identical to v3.2.1; the only behaviour change is in release.yaml.

v4 adds a docs job (Zensical -> GitHub Pages) to the reusable release workflow. GitHub validates a reusable workflow's permissions as the union of every job and ignores `if:`, so the release caller must now grant the docs job's pages:write + id-token:write (and the goreleaser/publish jobs' attestations:write + artifact-metadata:write, previously omitted) or the run fails at startup -- even though all of those jobs are skipped here (no .goreleaser.yaml, no zensical.toml).

The permissions block is only a ceiling: each reusable job narrows to its own declared scopes, so release-please, the only job that runs here, still gets just contents/issues/pull-requests.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
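
The ref-pattern fix described in the first commit message above, as an added example that is not part of the pull request or the project's code. It assumes Ruby's `File.fnmatch` with `File::FNM_PATHNAME` behaves like the ruleset matcher; the conditions hash and every ref other than the containerd branch are constructed.

```ruby
# Stand-in for the ruleset matcher: Ruby's File.fnmatch with FNM_PATHNAME
# (assumption taken from the commit message; not GitHub's own code).
def ref_matches?(pattern, ref)
  return true if pattern == '~ALL'
  File.fnmatch(pattern, ref, File::FNM_PATHNAME)
end

# A rule targets a ref when some include pattern matches and no exclude does.
def rule_applies?(conditions, ref)
  ref_name = conditions.fetch('ref_name')
  included = ref_name.fetch('include', []).any? { |p| ref_matches?(p, ref) }
  excluded = ref_name.fetch('exclude', []).any? { |p| ref_matches?(p, ref) }
  included && !excluded
end

# Constructed ruleset conditions: restrict creation on every ref except
# whatever the single exclude pattern matches.
def conditions_with(exclude_pattern)
  { 'ref_name' => { 'include' => ['~ALL'], 'exclude' => [exclude_pattern] } }
end

OLD_EXCLUDE = 'refs/heads/dependabot/**'    # pattern the commit replaces
NEW_EXCLUDE = 'refs/heads/dependabot/**/*'  # pattern the commit introduces

REFS = [
  # Nested branch quoted in the commit message.
  'refs/heads/dependabot/go_modules/tools/github.com/containerd/containerd/v2-2.1.4',
  'refs/heads/dependabot/example-1.2.3', # constructed: single segment
  'refs/heads/feature/example'           # constructed: not a Dependabot branch
].freeze

# Refs whose creation the restriction still blocks under the given exclude.
def blocked_refs(exclude_pattern)
  conditions = conditions_with(exclude_pattern)
  REFS.select { |ref| rule_applies?(conditions, ref) }
end

if __FILE__ == $PROGRAM_NAME
  [OLD_EXCLUDE, NEW_EXCLUDE].each do |pattern|
    puts "exclude #{pattern}"
    blocked_refs(pattern).each { |ref| puts "  blocked: #{ref}" }
  end
end
```

The single-segment ref is excluded by both patterns, which is why a test that uses only flat branch names does not reveal the problem.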
Contributor
Note Merging this PR: this repository merges by fast-forward so every The branch must be up to date with
tiffanywang3
approved these changes
Jun 29, 2026
Collaborator
Author
/merge
Contributor
Fast-forwarded
e12f5c8
into
bitwise-media-group:main
7 checks passed