forked from github/safe-settings
-
Notifications
You must be signed in to change notification settings - Fork 0
/
settings.yml
399 lines (350 loc) · 15.1 KB
/
settings.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
# This settings file can be used to create org-level settings
# This is the settings that need to be applied to all repositories in the org
# See https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#create-an-organization-repository for all available settings for a repository
repository:
# A short description of the repository that will show up on GitHub
description: description of the repo
# A URL with more information about the repository
homepage: https://example.github.io/
# Create an initial commit with empty README.
# Keep this set to true in most cases since many of the policies below cannot be implemented on bare repos
auto_init: true
# A list of topics to set on the repository - can alternatively set like this: [github, probot, new-topic, another-topic, topic-12]
topics:
- new-topic
- another-topic
# Settings for Code security and analysis
# Dependabot Alerts
security:
enableVulnerabilityAlerts: true
enableAutomatedSecurityFixes: true
# Either `true` to make the repository private, or `false` to make it public.
# If this value is changed and if org members cannot change the visibility of repos
# it would result in an error when updating a repo
private: true
# Can be public or private. If your organization is associated with an enterprise account using
# GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+, visibility can also be internal.
visibility: private
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: true
# The default branch for this repository.
default_branch: main
# Desired language or platform [.gitignore template](https://github.com/github/gitignore)
# to apply. Use the name of the template without the extension.
# For example, "Haskell".
gitignore_template: node
# Choose an [open source license template](https://choosealicense.com/)
# that best suits your needs, and then use the
# [license keyword](https://help.github.com/articles/licensing-a-repository/#searching-github-by-license-type)
# as the `license_template` string. For example, "mit" or "mpl-2.0".
license_template: mit
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: true
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to allow auto-merge on pull requests,
# or `false` to disallow auto-merge.
# Default: `false`
allow_auto_merge: true
# Either `true` to allow automatically deleting head branches
# when pull requests are merged, or `false` to prevent automatic deletion.
# Default: `false`
delete_branch_on_merge: true
# Either `true` to allow update branch on pull requests,
# or `false` to disallow update branch.
# Default: `false`
allow_update_branch: true
# Whether to archive this repository. false will unarchive a previously archived repository.
archived: false
# The following attributes are applied to any repo within the org
# So if a repo is not listed above is created or edited
# The app will apply the following settings to it
labels:
# Labels: define labels for Issues and Pull Requests
include:
- name: bug
color: CC0000
description: An issue with the system
- name: feature
# If including a `#`, make sure to wrap it with quotes!
color: "#336699"
description: New functionality.
- name: first-timers-only
# include the old name to rename an existing label
oldname: Help Wanted
color: "#326699"
- name: new-label
# include the old name to rename an existing label
oldname: Help Wanted
color: "#326699"
exclude:
# don't delete any labels created on GitHub that starts with "release"
- name: ^release
# Milestones: define milestones for Issues and Pull Requests
milestones:
- title: milestone-title
description: milestone-description
# The state of the milestone. Either `open` or `closed`
state: open
# Collaborators: give specific users access to any repository.
# See https://docs.github.com/en/rest/collaborators/collaborators?apiVersion=2022-11-28#add-a-repository-collaborator for available options
collaborators:
- username: regpaco
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
permission: push
- username: beetlejuice
permission: pull
# You can exclude a list of repos for this collaborator and all repos except these repos would have this collaborator
exclude:
- actions-demo
- username: thor
permission: push
# You can include a list of repos for this collaborator and only those repos would have this collaborator
include:
- actions-demo
- another-repo
# Teams
# See https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#create-a-team for available options
teams:
- name: core
# The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
permission: admin
- name: docss
permission: push
- name: docs
permission: pull
# Visibility is only honored when the team is created not for existing teams.
# It can be either secret (default) or closed (visible to all members of the org)
- name: globalteam
permission: push
visibility: closed
# Branch protection rules
# See https://docs.github.com/en/rest/branches/branch-protection?apiVersion=2022-11-28#update-branch-protection for available options
branches:
# If the name of the branch value is specified as `default`, then the app will create a branch protection rule to apply against the default branch in the repo
- name: default
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
required_pull_request_reviews:
# The number of approvals required. (1-6)
required_approving_review_count: 1
# Dismiss approved reviews automatically when a new commit is pushed.
dismiss_stale_reviews: true
# Blocks merge until code owners have reviewed.
require_code_owner_reviews: true
# Whether the most recent reviewable push must be approved by someone other than the person who pushed it.
require_last_push_approval: true
# Allow specific users, teams, or apps to bypass pull request requirements. Set to null to disable.
bypass_pull_request_allowances:
apps: []
users: []
teams: []
# Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
dismissal_restrictions:
users: []
teams: []
# Required. Require status checks to pass before merging. Set to null to disable
required_status_checks:
# Required. Require branches to be up to date before merging.
strict: true
# Required. The list of status checks to require in order to merge into this branch
contexts: []
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions:
apps: []
users: []
teams: []
# Custom properties
# See https://docs.github.com/en/rest/repos/custom-properties?apiVersion=2022-11-28
custom_properties:
- name: test
value: test
# See the docs (https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-autolinks-to-reference-external-resources) for a description of autolinks and replacement values.
autolinks:
- key_prefix: "JIRA-"
url_template: "https://jira.github.com/browse/JIRA-<num>"
is_alphanumeric: false
- key_prefix: "MYLINK-"
url_template: "https://mywebsite.com/<num>"
# Repository name validation
validator:
#pattern: '[a-zA-Z0-9_-]+_[a-zA-Z0-9_-]+.*'
pattern: "[a-zA-Z0-9_-]+"
# Rulesets
# See https://docs.github.com/en/rest/orgs/rules?apiVersion=2022-11-28#create-an-organization-repository-rulesetfor available options
rulesets:
- name: Template
# The target of the ruleset. Can be one of:
# - branch
# - tag
target: branch
# The enforcement level of the ruleset. `evaluate` allows admins to test
# rules before enforcing them.
# - disabled
# - active
# - evaluate
enforcement: active
# The actors that can bypass the rules in this ruleset
bypass_actors:
- actor_id: number
# type: The type of actor that can bypass a ruleset
# - RepositoryRole
# - Team
# - Integration
# - OrganizationAdmin
actor_type: Team
# When the specified actor can bypass the ruleset. `pull_request`
# means that an actor can only bypass rules on pull requests.
# - always
# - pull_request
bypass_mode: pull_request
- actor_id: 1
actor_type: OrganizationAdmin
bypass_mode: always
- actor_id: 7898
actor_type: RepositoryRole
bypass_mode: always
- actor_id: 210920
actor_type: Integration
bypass_mode: always
conditions:
# Parameters for a repository ruleset ref name condition
ref_name:
# Array of ref names or patterns to include. One of these
# patterns must match for the condition to pass. Also accepts
# `~DEFAULT_BRANCH` to include the default branch or `~ALL` to
# include all branches.
include: ["~DEFAULT_BRANCH"]
# Array of ref names or patterns to exclude. The condition
# will not pass if any of these patterns match.
exclude: ["refs/heads/oldmaster"]
# This condition only exists at the org level (remove for suborg and repo level rulesets)
repository_name:
# Array of repository names or patterns to include.
# One of these patterns must match for the condition
# to pass. Also accepts `~ALL` to include all
# repositories.
include: ["test*"]
# Array of repository names or patterns to exclude. The
# condition will not pass if any of these patterns
# match.
exclude: ["test", "test1"]
# Whether renaming of target repositories is
# prevented.
protected: true
# Refer to https://docs.github.com/en/rest/orgs/rules#create-an-organization-repository-ruleset
rules:
- type: creation
- type: update
parameters:
# Branch can pull changes from its upstream repository
update_allows_fetch_and_merge: true
- type: deletion
- type: required_linear_history
- type: required_signatures
- type: required_deployments
parameters:
required_deployment_environments: ["staging"]
- type: pull_request
parameters:
# Reviewable commits pushed will dismiss previous pull
# request review approvals.
dismiss_stale_reviews_on_push: true
# Require an approving review in pull requests that modify
# files that have a designated code owner
require_code_owner_review: true
# Whether the most recent reviewable push must be approved
# by someone other than the person who pushed it.
require_last_push_approval: true
# The number of approving reviews that are required before a
# pull request can be merged.
required_approving_review_count: 1
# All conversations on code must be resolved before a pull
# request can be merged.
required_review_thread_resolution: true
# Choose which status checks must pass before branches can be merged
# into a branch that matches this rule. When enabled, commits must
# first be pushed to another branch, then merged or pushed directly
# to a branch that matches this rule after status checks have
# passed.
- type: required_status_checks
parameters:
# Whether pull requests targeting a matching branch must be
# tested with the latest code. This setting will not take
# effect unless at least one status check is enabled.
strict_required_status_checks_policy: true
required_status_checks:
- context: CodeQL
integration_id: 1234
- context: GHAS Compliance
integration_id: 1234
# Choose which workflows must pass before branches can be merged.
- type: workflows
parameters:
workflows:
- path: .github/workflows/example.yml
# Run $("meta[name=octolytics-dimension-repository_id]").getAttribute('content')
# in the browser console of the repository to get the repository_id
repository_id: 123456
# One of the following:
# Branch or tag
ref: refs/heads/main
# Commit SHA
sha: 1234567890abcdef
- type: commit_message_pattern
parameters:
name: test commit_message_pattern
# required:
# - operator
# - pattern
negate: true
operator: starts_with
# The operator to use for matching.
# - starts_with
# - ends_with
# - contains
# - regex
pattern: skip*
# The pattern to match with.
- type: commit_author_email_pattern
parameters:
name: test commit_author_email_pattern
negate: false
operator: regex
pattern: "^.*@example.com$"
- type: committer_email_pattern
parameters:
name: test committer_email_pattern
negate: false
operator: regex
pattern: "^.*@example.com$"
- type: branch_name_pattern
parameters:
name: test branch_name_pattern
negate: false
operator: regex
pattern: ".*\/.*"
- type: "tag_name_pattern"
parameters:
name: test tag_name_pattern
negate: false
operator: regex
pattern: ".*\/.*"