Merge branch 'main-enterprise' into yj-repo-in-many-suborgs

.github/workflows/delete-old-releases.yml

@@ -0,0 +1,25 @@
+name: Delete old releases
+permissions: write-all
+
+on:
+  workflow_dispatch:
+    inputs:
+      beforeDate:
+        type: string
+        required: true
+        description: YYYY-MM-DD - All releases before this date are deleted.
+        default: "2024-01-01"
+
+jobs:
+  delete-releases:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Delete releases
+      run: |
+        for i in $(gh release list --repo https://github.com/$GITHUB_REPOSITORY --json createdAt,tagName --limit 1000  | jq --arg date $BEFORE_DATE '.[] | select(.createdAt < $date ) | .tagName' | tr -d '"'); do  gh release delete $i -y --cleanup-tag --repo https://github.com/$GITHUB_REPOSITORY ;    done
+        echo Deleted releases before $BEFORE_DATE in https://github.com/$GITHUB_REPOSITORY >> $GITHUB_STEP_SUMMARY
+      env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BEFORE_DATE: ${{ inputs.beforeDate }}
+
+

README.md

@@ -266,9 +266,9 @@ And the `checkrun` page will look like this:
 <img width="860" alt="image" src="https://github.com/github/safe-settings/assets/57544838/893ff4e6-904c-4a07-924a-7c23dc068983">
 </p>
 
-### The Settings File
+### The Settings Files
 
-The settings file can be used to set the policies at the `org`, `suborg` or `repo` level.
+The settings files can be used to set the policies at the `org`, `suborg` or `repo` level.
 
 The following can be configured:
 
@@ -284,6 +284,7 @@ The following can be configured:
 - `Autolinks`
 - `Repository name validation` using regex pattern
 - `Rulesets`
+- `Environments` - wait timer, required reviewers, prevent self review, protected branches deployment branch policy, custom deployment branch policy, variables, deployment protection rules
 
 It is possible to provide an `include` or `exclude` settings to restrict the `collaborators`, `teams`, `labels` to a list of repos or exclude a set of repos for a collaborator.
 

app.yml

@@ -34,6 +34,10 @@ default_permissions:
     repository_custom_properties: write
     organization_custom_properties: admin
 
+    # Workflows, workflow runs and artifacts. (needed to read environments when repo is private or internal)
+    # https://developer.github.com/v3/apps/permissions/#repository-permissions-for-actions
+    actions: read
+
     # Repository creation, deletion, settings, teams, and collaborators.
     # https://developer.github.com/v3/apps/permissions/#permission-on-administration
     administration: write
@@ -50,6 +54,10 @@ default_permissions:
     # https://developer.github.com/v3/apps/permissions/#permission-on-deployments
     # deployments: read
 
+    # Manage repository environments.
+    # https://developer.github.com/v3/apps/permissions/#repository-permissions-for-environments
+    environments: write
+
     # Issues and related comments, assignees, labels, and milestones.
     # https://developer.github.com/v3/apps/permissions/#permission-on-issues
     issues: write
@@ -106,6 +114,10 @@ default_permissions:
     # https://developer.github.com/v3/apps/permissions/
     organization_administration: write
 
+    # Manage Actions repository variables.
+    # https://developer.github.com/v3/apps/permissions/#repository-permissions-for-variables
+    variables: write
+
 
 # The name of the GitHub App. Defaults to the name specified in package.json
 name: Safe Settings

docs/deploy.md

@@ -255,14 +255,17 @@ Every deployment will need an [App](https://developer.github.com/apps/).
 
 #### Repository Permissions
 
+- Actions: **Read-only**
 - Administration: **Read & Write**
 - Checks: **Read & Write**
 - Commit statuses: **Read & Write**
 - Contents: **Read & Write**
 - Custom properties: **Read & Write**
+- Environments: **Read & Write**
 - Issues: **Read & Write**
 - Metadata: **Read-only**
 - Pull requests: **Read & Write**
+- Variables: **Read & Write**
 
 #### Organization Permissions
 

lib/glob.js

@@ -1,8 +1,24 @@
 class Glob {
   constructor (glob) {
     this.glob = glob
-    const regexptex = glob.replace(/\//g, '\\/').replace(/\?/g, '([^\\/])').replace(/\./g, '\\.').replace(/\*/g, '([^\\/]*)')
-    this.regexp = new RegExp(`^${regexptex}$`, 'u')
+
+    // If not a glob pattern then just match the string.
+    if (!this.glob.includes('*')) {
+      this.regexp = new RegExp(`.*${this.glob}.*`, 'u')
+      return
+    }
+    this.regexptText = this.globize(this.glob)
+    this.regexp = new RegExp(`^${this.regexptText}$`, 'u')
+  }
+
+  globize (glob) {
+    return glob
+      .replace(/\\/g, '\\\\') // escape backslashes
+      .replace(/\//g, '\\/') // escape forward slashes
+      .replace(/\./g, '\\.') // escape periods
+      .replace(/\?/g, '([^\\/])') // match any single character except /
+      .replace(/\*\*/g, '.+') // match any character except /, including /
+      .replace(/\*/g, '([^\\/]*)') // match any character except /
   }
 
   toString () {

lib/mergeDeep.js

@@ -211,18 +211,19 @@ class MergeDeep {
       }
     }
     const combined = []
-    for (const fields of Object.keys(visited)) {
-      combined.push(visited[fields])
-    }
-    // Elements that are not in target are additions
-    additions[key] = combined.filter(item => {
-      if (this.isObjectNotArray(item)) {
-        return !target.some(targetItem => GET_NAME_USERNAME_PROPERTY(item) === GET_NAME_USERNAME_PROPERTY(targetItem))
-      } else {
-        return !target.includes(item)
+    if (Object.keys(visited).length !== 0) {
+      for (const fields of Object.keys(visited)) {
+        combined.push(visited[fields])
       }
-    })
-
+      // Elements that are not in target are additions
+      additions[key] = combined.filter(item => {
+        if (this.isObjectNotArray(item)) {
+          return !target.some(targetItem => GET_NAME_USERNAME_PROPERTY(item) === GET_NAME_USERNAME_PROPERTY(targetItem))
+        } else {
+          return !target.includes(item)
+        }
+      })
+    }
     // Elements that not in source are deletions
     if (combined.length > 0) {
       // Elements that not in source are deletions
@@ -247,8 +248,21 @@ class MergeDeep {
         this.compareDeep(a, visited[id], additions[additions.length - 1], modifications[modifications.length - 1], deletions[deletions.length - 1])
       }
       // Any addtions for the matching key must be moved to modifications
+      const lastAddition = additions[additions.length - 1]
+      const lastModification = modifications[modifications.length - 1]
+
       if (!this.isEmpty(additions)) {
-        modifications = modifications.concat(additions)
+        for (const key in lastAddition) {
+          if (!lastModification[key]) {
+            lastModification[key] = Array.isArray(lastAddition[key]) ? [] : {}
+          }
+          if (!Array.isArray(lastAddition[key])) {
+            Object.assign(lastModification[key], lastAddition[key])
+          } else {
+            lastModification[key].push(...lastAddition[key])
+          }
+        }
+        additions.length = 0
       }
       // Add name attribute to the modifications to make it look better ; it won't be added otherwise as it would be the same
       if (!this.isEmpty(modifications[modifications.length - 1])) {
@@ -364,5 +378,4 @@ class MergeDeep {
   }
 }
 MergeDeep.NAME_FIELDS = NAME_FIELDS
-MergeDeep.NAME_FIELDS = NAME_FIELDS
 module.exports = MergeDeep

lib/plugins/diffable.js

@@ -93,14 +93,15 @@ module.exports = class Diffable extends ErrorStash {
           }
         }
 
-        // Filter out all empty entries (usually from repo override)
+        // Remove any null or undefined values from the diffables (usually comes from repo override)
         for (const entry of filteredEntries) {
           for (const key of Object.keys(entry)) {
             if (entry[key] === null || entry[key] === undefined) {
               delete entry[key]
             }
           }
         }
+        // Delete any diffable that now only has name and no other attributes
         filteredEntries = filteredEntries.filter(entry => Object.keys(entry).filter(key => !MergeDeep.NAME_FIELDS.includes(key)).length !== 0)
 
         const changes = []

lib/plugins/environments.js

@@ -1,4 +1,6 @@
 const Diffable = require('./diffable')
+const MergeDeep = require('../mergeDeep')
+const NopCommand = require('../nopcommand')
 
 module.exports = class Environments extends Diffable {
     constructor(...args) {
@@ -14,7 +16,7 @@ module.exports = class Environments extends Diffable {
                 });
               }
             })
-          }
+        }
     }
 
     async find() {
@@ -78,7 +80,7 @@ module.exports = class Environments extends Diffable {
         const wait_timer = existing.wait_timer !== attrs.wait_timer;
         const prevent_self_review = existing.prevent_self_review !== attrs.prevent_self_review;
         const reviewers = JSON.stringify(existing.reviewers.sort((x1, x2) => x1.id - x2.id)) !== JSON.stringify(attrs.reviewers.sort((x1, x2) => x1.id - x2.id));
-        
+
         let existing_custom_branch_policies = existing.deployment_branch_policy === null ? null : existing.deployment_branch_policy.custom_branch_policies;
         if(typeof(existing_custom_branch_policies) === 'object' && existing_custom_branch_policies !== null) {
             existing_custom_branch_policies = existing_custom_branch_policies.sort();
@@ -158,6 +160,7 @@ module.exports = class Environments extends Diffable {
 
         if(variables) {
             let existingVariables = [...existing.variables];
+
             for(let variable of attrs.variables) {
                 const existingVariable = existingVariables.find((_var) => _var.name === variable.name);
                 if(existingVariable) {
@@ -195,6 +198,7 @@ module.exports = class Environments extends Diffable {
 
         if(deployment_protection_rules) {
             let existingRules = [...existing.deployment_protection_rules];
+
             for(let rule of attrs.deployment_protection_rules) {
                 const existingRule = existingRules.find((_rule) => _rule.id === rule.id);
 
@@ -227,13 +231,14 @@ module.exports = class Environments extends Diffable {
             wait_timer: attrs.wait_timer,
             prevent_self_review: attrs.prevent_self_review,
             reviewers: attrs.reviewers,
-            deployment_branch_policy: attrs.deployment_branch_policy === null ? null : {
-                protected_branches: attrs.deployment_branch_policy.protected_branches,
+            deployment_branch_policy: attrs.deployment_branch_policy == null ? null : {
+                protected_branches: !!attrs.deployment_branch_policy.protected_branches,
                 custom_branch_policies: !!attrs.deployment_branch_policy.custom_branch_policies
             }
         });
 
         if(attrs.deployment_branch_policy && attrs.deployment_branch_policy.custom_branch_policies) {
+
             for(let policy of attrs.deployment_branch_policy.custom_branch_policies) {
                 await this.github.request('POST /repos/:org/:repo/environments/:environment_name/deployment-branch-policies', {
                     org: this.repo.owner,
@@ -242,26 +247,34 @@ module.exports = class Environments extends Diffable {
                     name: policy.name
                 });
             }
-        }
-
 
-        for(let variable of attrs.variables) {
-            await this.github.request(`POST /repos/:org/:repo/environments/:environment_name/variables`, {
-                org: this.repo.owner,
-                repo: this.repo.repo,
-                environment_name: attrs.name,
-                name: variable.name,
-                value: variable.value
-            });
         }
 
-        for(let rule of attrs.deployment_protection_rules) {
-            await this.github.request(`POST /repos/:org/:repo/environments/:environment_name/deployment_protection_rules`, {
-                org: this.repo.owner,
-                repo: this.repo.repo,
-                environment_name: attrs.name,
-                integration_id: rule.app_id
-            });
+        if(attrs.variables) {
+
+            for(let variable of attrs.variables) {
+                await this.github.request(`POST /repos/:org/:repo/environments/:environment_name/variables`, {
+                    org: this.repo.owner,
+                    repo: this.repo.repo,
+                    environment_name: attrs.name,
+                    name: variable.name,
+                    value: variable.value
+                });
+            }
+
+          }
+
+        if(attrs.deployment_protection_rules) {
+
+            for(let rule of attrs.deployment_protection_rules) {
+                await this.github.request(`POST /repos/:org/:repo/environments/:environment_name/deployment_protection_rules`, {
+                    org: this.repo.owner,
+                    repo: this.repo.repo,
+                    environment_name: attrs.name,
+                    integration_id: rule.app_id
+                });
+            }
+
         }
     }
 
@@ -272,4 +285,79 @@ module.exports = class Environments extends Diffable {
             environment_name: existing.name
         });
     }
-}
+
+    sync () {
+      const resArray = []
+      if (this.entries) {
+        let filteredEntries = this.filterEntries()
+        return this.find().then(existingRecords => {
+
+          // Remove any null or undefined values from the diffables (usually comes from repo override)
+          for (const entry of filteredEntries) {
+            for (const key of Object.keys(entry)) {
+              if (entry[key] === null || entry[key] === undefined) {
+                delete entry[key]
+              }
+            }
+          }
+          // For environments, we want to keep the entries with only name defined.
+
+          const changes = []
+
+          existingRecords.forEach(x => {
+            if (!filteredEntries.find(y => this.comparator(x, y))) {
+              const change = this.remove(x).then(res => {
+                if (this.nop) {
+                  return resArray.push(res)
+                }
+                return res
+              })
+              changes.push(change)
+            }
+          })
+
+          filteredEntries.forEach(attrs => {
+            const existing = existingRecords.find(record => {
+              return this.comparator(record, attrs)
+            })
+
+            if (!existing) {
+              const change = this.add(attrs).then(res => {
+                if (this.nop) {
+                  return resArray.push(res)
+                }
+                return res
+              })
+              changes.push(change)
+            } else if (this.changed(existing, attrs)) {
+              const change = this.update(existing, attrs).then(res => {
+                if (this.nop) {
+                  return resArray.push(res)
+                }
+                return res
+              })
+              changes.push(change)
+            }
+          })
+
+          if (this.nop) {
+            return Promise.resolve(resArray)
+          }
+          return Promise.all(changes)
+        }).catch(e => {
+          if (this.nop) {
+            if (e.status === 404) {
+              // Ignore 404s which can happen in dry-run as the repo may not exist.
+              return Promise.resolve(resArray)
+            } else {
+              resArray.push(new NopCommand(this.constructor.name, this.repo, null, `error ${e} in ${this.constructor.name} for repo: ${JSON.stringify(this.repo)} entries ${JSON.stringify(this.entries)}`, 'ERROR'))
+              return Promise.resolve(resArray)
+            }
+          } else {
+            this.logError(`Error ${e} in ${this.constructor.name} for repo: ${JSON.stringify(this.repo)} entries ${JSON.stringify(this.entries)}`)
+          }
+        })
+      }
+    }
+
+}