feat: adopt safe-settings for repository configuration management #114
Draft
marcusburghardt wants to merge 4 commits into
Conversation
Define proposal, design, specs, and tasks for adopting github/safe-settings as a complementary tool to peribolos. safe-settings will manage repository settings (auto-merge, delete-branch-on-merge), branch protection rules, rulesets, and security configurations via GitOps. Peribolos continues to own org membership, team creation, and team-to-repo permissions.

Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Assisted-by: OpenCode (claude-opus-4-6)
Org-wide defaults, rulesets, and deployment config derived from auditing the current GitHub state of all complytime repos.

Key decisions:
- Code repos ruleset with 1 approver, stale review dismissal, code owner review, last push approval
- Non-code repos ruleset with lighter protection (1 approver only)
- complyctl override requiring 2 approvers
- Override validator prevents lowering approver count below org default
- .github repo excluded (manually managed, avoids circular dependency)
- complyscribe and gemara-content-service excluded (archived/pending)

Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Assisted-by: OpenCode (claude-opus-4-6)
Align specs with implementation decisions:
- required_signatures downgraded to SHOULD (deferred to follow-up)
- required_review_thread_resolution set to false (matches current state)
- Removed archived repos from spec and config repo lists

Harden deployment and boundary specs:
- Pinned commit SHA, workflow timeout, YAML pre-validation
- Suborg/ruleset repo list synchronization requirement
- Override validator falsy-0 bypass fix
- Phases reordered: boundary tests before apply

Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Assisted-by: OpenCode (claude-opus-4-6)
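The "Override validator falsy-0 bypass fix" named in this commit is a small but security-relevant pattern: a validator that guards the approver-count comparison with a truthiness test silently accepts an override of 0 approvers, because 0 is falsy in JavaScript. The block below is an added example, not code from this PR or from safe-settings itself. It assumes the safe-settings convention of a validator receiving a `baseconfig` (org default) and an `overrideconfig` (repo override) shaped like branch-protection settings; the object layout, `ORG_DEFAULT`, `overrideWith` and `compareValidators` are constructed for illustration.

```javascript
// Added example (not code from the PR or from safe-settings). Shows how a
// truthiness-guarded approver-count validator lets "0 approvers" through, and
// a corrected version that only treats an *absent* override as a no-op.
// Config shapes below are assumptions modelled on branch-protection settings.

// Constructed org default: one required approver.
const ORG_DEFAULT = {
  protection: { required_pull_request_reviews: { required_approving_review_count: 1 } },
};

// Pull the approver count out of a config, or undefined if not set.
function reviewCount(cfg) {
  return cfg?.protection?.required_pull_request_reviews?.required_approving_review_count;
}

// Buggy validator: `base && override` is false when override is 0, so the
// comparison is skipped and the lowered value is accepted.
function validateOverrideBuggy(baseconfig, overrideconfig) {
  const base = reviewCount(baseconfig);
  const override = reviewCount(overrideconfig);
  if (base && override) {
    return override >= base;
  }
  return true;
}

// Fixed validator: an undefined override means "not overridden"; any present
// value must be a non-negative integer and at least the org default.
function validateOverrideFixed(baseconfig, overrideconfig) {
  const base = reviewCount(baseconfig);
  const override = reviewCount(overrideconfig);
  if (override === undefined) return true;                       // not overridden
  if (!Number.isInteger(override) || override < 0) return false; // malformed value
  if (base === undefined) return true;                           // nothing to compare against
  return override >= base;
}

// Build a constructed repo override with the given approver count.
function overrideWith(count) {
  return { protection: { required_pull_request_reviews: { required_approving_review_count: count } } };
}

// Run both validators over a range of overrides so the divergence at 0 is visible.
function compareValidators() {
  const cases = [undefined, 0, 1, 2];
  return cases.map((count) => {
    const override = count === undefined ? { protection: {} } : overrideWith(count);
    return {
      count,
      buggy: validateOverrideBuggy(ORG_DEFAULT, override),
      fixed: validateOverrideFixed(ORG_DEFAULT, override),
    };
  });
}

console.table(compareValidators());
```

The fixed version also rejects non-integer values such as the string `"2"`, which a `>=` comparison would otherwise coerce; a validator that gates protection settings should fail closed on anything it does not recognise.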
Workflow (workflow_dispatch only, push/schedule added after validation):
- Inputs: dry-run (default true), repos (optional comma-separated filter)
- Generates scoped deployment-settings when repos is specified
- YAML pre-validation, 15 min timeout, concurrency group

Boundary tests (config/boundary_test.go):
- Suborg repos exist in peribolos, no duplicate suborg membership
- No cross-tool field overlap, suborg/ruleset repo list sync

Makefile, docs, and spec updates:
- safe-settings-validate target, extended lint, GOTOOLCHAIN=auto
- MAINTAINING.md, README.md link, CODEOWNERS path rule
- Specs updated for workflow_dispatch-only initial rollout

Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Assisted-by: OpenCode (claude-opus-4-6)
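The boundary tests listed in this commit check four properties: every suborg repo is known to peribolos, no repo sits in two suborgs, safe-settings never sets a field peribolos owns, and each suborg's repo list matches its ruleset's. The block below is an added example, not the PR's config/boundary_test.go (which is Go): it expresses the same checks in JavaScript over constructed data so it runs offline. The repo names, the `settings` field names, the `PERIBOLOS_OWNED_FIELDS` list and the suborg/ruleset object shapes are all assumptions for illustration.

```javascript
// Added example, not the PR's config/boundary_test.go: the same kind of
// cross-tool consistency checks, written over constructed data.
// Repo names, field names and config shapes are assumptions.

// Constructed stand-in for what peribolos owns: the org's repository list.
const peribolosRepos = ["complyctl", "complytime-demos", "tooling", "docs-site"];

// Constructed stand-in for the safe-settings side: suborgs group repos and
// carry repo settings; rulesets are keyed by the suborg they belong to.
const safeSettings = {
  suborgs: {
    "code-repos": {
      repos: ["complyctl", "tooling"],
      settings: { allow_auto_merge: true, delete_branch_on_merge: true },
    },
    "non-code-repos": {
      repos: ["docs-site", "complytime-demos"],
      settings: { delete_branch_on_merge: true },
    },
  },
  rulesets: {
    "code-repos": ["complyctl", "tooling"],
    "non-code-repos": ["docs-site", "complytime-demos"],
  },
};

// Fields assumed to be peribolos-owned (team and collaborator access);
// safe-settings config must not set them, or the two tools would fight.
const PERIBOLOS_OWNED_FIELDS = new Set(["teams", "collaborators"]);

// Returns a list of human-readable violations; an empty list means consistent.
function checkBoundaries(repos, cfg) {
  const errors = [];
  const known = new Set(repos);
  const seen = new Map(); // repo -> first suborg that claimed it

  for (const [name, suborg] of Object.entries(cfg.suborgs)) {
    for (const repo of suborg.repos) {
      if (!known.has(repo)) errors.push(`suborg ${name}: repo ${repo} not in peribolos`);
      if (seen.has(repo)) errors.push(`repo ${repo} in both ${seen.get(repo)} and ${name}`);
      else seen.set(repo, name);
    }
    for (const field of Object.keys(suborg.settings)) {
      if (PERIBOLOS_OWNED_FIELDS.has(field)) errors.push(`suborg ${name}: field ${field} is owned by peribolos`);
    }
    const ruleset = cfg.rulesets[name];
    if (!ruleset) {
      errors.push(`suborg ${name}: no matching ruleset`);
      continue;
    }
    const want = [...suborg.repos].sort().join(",");
    const have = [...ruleset].sort().join(",");
    if (want !== have) errors.push(`suborg ${name}: repo list (${want}) differs from ruleset (${have})`);
  }
  return errors;
}

// A deliberately inconsistent variant: an unknown repo, a repo in two suborgs,
// and a peribolos-owned field set from the safe-settings side.
function brokenConfig() {
  const cfg = JSON.parse(JSON.stringify(safeSettings));
  cfg.suborgs["code-repos"].repos.push("ghost-repo");
  cfg.suborgs["non-code-repos"].repos.push("complyctl");
  cfg.suborgs["non-code-repos"].settings.teams = [{ name: "maintainers", permission: "push" }];
  return cfg;
}

console.log("clean config:", checkBoundaries(peribolosRepos, safeSettings));
console.log("broken config:", checkBoundaries(peribolosRepos, brokenConfig()));
```

Because the checks read only the two configs, they need no GitHub credentials, which matches the commit's point that `make test-unit` runs them locally; a failing check should block the apply step rather than be discovered after safe-settings has already pushed the settings.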
@sonupreetam it would be great to have your eyes on this PR since you also researched alternative solutions. WDYT?
Summary

Adopt github/safe-settings as a complementary tool to peribolos for managing the complytime GitHub org. Peribolos continues to own org membership, teams, and team-repo permissions. Safe-settings manages repository settings, rulesets, branch protection, and security configurations via GitOps.

Includes: OpenSpec change proposal (design, 7 specs, phased tasks), safe-settings YAML configuration (derived from auditing all repos), GitHub Actions workflow (workflow_dispatch only with dry-run and repo targeting), boundary tests (config/boundary_test.go), MAINTAINING.md, and Makefile targets.

Related Issues

openspec/changes/adopt-safe-settings/

Review Hints

Review commits in sequence — each builds on the previous:
- docs: — spec proposal (design decisions, specs, tasks)
- feat: — safe-settings YAML config (settings, rulesets, suborgs)
- fix: — spec review findings (alignment fixes)
- feat: — implementation (workflow, tests, docs, Makefile)

The workflow uses workflow_dispatch only (no push/schedule triggers).

After merge, test with: Actions > "Safe Settings Sync" > Run workflow > dry-run=true, repos=complytime-demos.

Boundary tests validate cross-tool consistency locally: make test-unit (no credentials needed).

Prerequisites already completed: GitHub App registered (ID: 3796583), credentials stored, "verifiy" ruleset renamed to "verify".

Full local validation:
make sanity