action.yml
---
# Composite action that applies repository settings (description, merge
# methods, tabs, workflow permissions and main-branch protection) to one
# GitHub project.
name: settings
description: settings

# Every input is a string. Boolean-like inputs carry the literal text 'true'
# or 'false', and the steps substitute those values into commands unchanged.
inputs:
  debug:
    description: |
      Enable debug logging.
    required: true
    default: 'false'
  description:
    description: |
      The description of the GitHub project.
    required: true
  project:
    description: |
      The name of the GitHub project including the owner, e.g,
      030/settings-action.
    required: true

  # Workflow token permissions. The defaults are the restrictive choices:
  # a read-only token and no approval of pull request reviews by workflows.
  settings_default_workflow_permissions:
    description: |
      Set the default workflow permission to 'read' or 'write'.
    required: true
    default: 'read'
  settings_discussions:
    description: |
      Whether the discussions tab should be disabled or enabled.
    required: true
    default: 'false'
  settings_delete_branch_on_merge:
    description: |
      Whether a branch should be deleted on merge.
    required: true
    default: 'true'
  settings_github_workflows_can_approve_pull_request_reviews:
    description: |
      Whether GitHub workflows can approve pull request reviews.
    required: true
    default: 'false'

  # Merge methods. By default only squash merging is left enabled.
  settings_merge_commit:
    description: |
      Whether the 'merge commit' option should be disabled or enabled.
    required: true
    default: 'false'
  settings_merge_rebase:
    description: |
      Whether the 'merge rebase' option should be disabled or enabled.
    required: true
    default: 'false'
  settings_merge_squash:
    description: |
      Whether the 'merge squash' option should be disabled or enabled.
    required: true
    default: 'true'

  # Main-branch protection. By default it is switched on, applies to admins
  # too, and requires one approving review.
  settings_protect_main_branch:
    description: |
      Whether the main branch should be protected or not.
    required: true
    default: 'true'
  settings_protect_main_branch_enforce_admins:
    description: |
      Whether the main branch protection should be enforced for admin as well.
    required: true
    default: 'true'
  settings_protect_main_branch_required_approving_review_count:
    description: |
      The number of approvals that is required before a PR can be merged.
    required: true
    default: '1'
  settings_projects:
    description: |
      Whether the projects tab should be disabled or enabled.
    required: true
    default: 'false'
  settings_wiki:
    description: |
      Whether the wiki tab should be disabled or enabled.
    required: true
    default: 'false'
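# Steps that apply the requested settings with the gh CLI and the REST API.
#
# Inputs are never substituted into a `run:` script with `${{ inputs.* }}`.
# That expression is expanded before bash parses the script, so an input
# value containing quotes, `;` or `$(...)` would become part of the script
# itself. Each step instead receives its inputs through `env:` and reads
# them as quoted shell variables, which bash treats as plain data.
#
# GH_TOKEN is read by gh and by the curl calls but is not set in this file;
# presumably the calling workflow exports it - confirm against the caller.
runs:
  using: 'composite'
  steps:
    - name: display the gh cli version
      run: gh --version
      shell: bash
    # The project name ends up in REST API paths further down, so anything
    # that is not a plain owner/name pair is rejected before it is used.
    - name: validate the project input
      env:
        INPUT_PROJECT: ${{ inputs.project }}
      run: |
        if [[ ! "${INPUT_PROJECT}" =~ ^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$ ]]; then
          echo "project must have the form owner/name" >&2
          exit 1
        fi
        # '.' and '..' segments would be collapsed by curl and change the path.
        case "${INPUT_PROJECT}" in
          ./*|../*|*/.|*/..)
            echo "project must have the form owner/name" >&2
            exit 1
            ;;
        esac
      shell: bash
    - name: add a description for project ${{ inputs.project }}
      env:
        INPUT_DESCRIPTION: ${{ inputs.description }}
        INPUT_PROJECT: ${{ inputs.project }}
      run: gh repo edit "${INPUT_PROJECT}" --description="${INPUT_DESCRIPTION}"
      shell: bash
    - name: delete branch on merge or not for project ${{ inputs.project }}
      env:
        INPUT_DELETE_BRANCH_ON_MERGE: ${{ inputs.settings_delete_branch_on_merge }}
        INPUT_PROJECT: ${{ inputs.project }}
      run: gh repo edit "${INPUT_PROJECT}" --delete-branch-on-merge="${INPUT_DELETE_BRANCH_ON_MERGE}"
      shell: bash
    # https://docs.github.com/en/rest/actions/permissions?apiVersion=2022-11-28#set-default-workflow-permissions-for-a-repository
    - name: set default_workflow_permissions and can_approve_pull_request_reviews
      env:
        INPUT_CAN_APPROVE_PULL_REQUEST_REVIEWS: ${{ inputs.settings_github_workflows_can_approve_pull_request_reviews }}
        INPUT_DEBUG: ${{ inputs.debug }}
        INPUT_DEFAULT_WORKFLOW_PERMISSIONS: ${{ inputs.settings_default_workflow_permissions }}
        INPUT_PROJECT: ${{ inputs.project }}
      run: |
        # Compare the flag as text instead of executing the input as a command.
        curl_debug=()
        if [[ "${INPUT_DEBUG}" == 'true' ]]; then
          echo "enable debug logging"
          # NOTE(review): --verbose prints request headers, which may include
          # the Authorization header; confirm the token is masked in the job
          # log before enabling debug.
          curl_debug+=(--verbose)
        fi
        # Both values are written into the JSON body below, so only the
        # documented literals are accepted.
        case "${INPUT_DEFAULT_WORKFLOW_PERMISSIONS}" in
          read|write) ;;
          *)
            echo "settings_default_workflow_permissions must be 'read' or 'write'" >&2
            exit 1
            ;;
        esac
        case "${INPUT_CAN_APPROVE_PULL_REQUEST_REVIEWS}" in
          true|false) ;;
          *)
            echo "settings_github_workflows_can_approve_pull_request_reviews must be 'true' or 'false'" >&2
            exit 1
            ;;
        esac
        payload=$(printf '{"default_workflow_permissions":"%s","can_approve_pull_request_reviews":%s}' \
          "${INPUT_DEFAULT_WORKFLOW_PERMISSIONS}" \
          "${INPUT_CAN_APPROVE_PULL_REQUEST_REVIEWS}")
        curl \
          --fail \
          --silent \
          "${curl_debug[@]}" \
          -L \
          -X PUT \
          -H "Accept: application/vnd.github+json" \
          -H "Authorization: Bearer ${GH_TOKEN}" \
          -H "X-GitHub-Api-Version: 2022-11-28" \
          "https://api.github.com/repos/${INPUT_PROJECT}/actions/permissions/workflow" \
          --data "${payload}"
      shell: bash
    - name: enable or disable the 'discussions' tab for ${{ inputs.project }}
      env:
        INPUT_DISCUSSIONS: ${{ inputs.settings_discussions }}
        INPUT_PROJECT: ${{ inputs.project }}
      run: gh repo edit "${INPUT_PROJECT}" --enable-discussions="${INPUT_DISCUSSIONS}"
      shell: bash
    - name: enable or disable 'merge rebase' for ${{ inputs.project }}
      env:
        INPUT_MERGE_REBASE: ${{ inputs.settings_merge_rebase }}
        INPUT_PROJECT: ${{ inputs.project }}
      run: gh repo edit "${INPUT_PROJECT}" --enable-rebase-merge="${INPUT_MERGE_REBASE}"
      shell: bash
    - name: enable or disable 'merge squash' for ${{ inputs.project }}
      env:
        INPUT_MERGE_SQUASH: ${{ inputs.settings_merge_squash }}
        INPUT_PROJECT: ${{ inputs.project }}
      run: gh repo edit "${INPUT_PROJECT}" --enable-squash-merge="${INPUT_MERGE_SQUASH}"
      shell: bash
    # Ensure that at least one of the settings_merge_x options is true. One of
    # them has to stay enabled at all times, and the merge commit option is
    # presumably the one that is enabled by default, so it is changed third,
    # after rebase and squash have been set.
    - name: enable or disable 'merge commit' for ${{ inputs.project }}
      env:
        INPUT_MERGE_COMMIT: ${{ inputs.settings_merge_commit }}
        INPUT_PROJECT: ${{ inputs.project }}
      run: gh repo edit "${INPUT_PROJECT}" --enable-merge-commit="${INPUT_MERGE_COMMIT}"
      shell: bash
    - name: enable or disable the 'projects' tab for ${{ inputs.project }}
      env:
        INPUT_PROJECT: ${{ inputs.project }}
        INPUT_PROJECTS: ${{ inputs.settings_projects }}
      run: gh repo edit "${INPUT_PROJECT}" --enable-projects="${INPUT_PROJECTS}"
      shell: bash
    - name: enable or disable the 'wiki' tab for ${{ inputs.project }}
      env:
        INPUT_PROJECT: ${{ inputs.project }}
        INPUT_WIKI: ${{ inputs.settings_wiki }}
      run: gh repo edit "${INPUT_PROJECT}" --enable-wiki="${INPUT_WIKI}"
      shell: bash
    - name: protect main branch
      env:
        INPUT_DEBUG: ${{ inputs.debug }}
        INPUT_ENFORCE_ADMINS: ${{ inputs.settings_protect_main_branch_enforce_admins }}
        INPUT_PROJECT: ${{ inputs.project }}
        INPUT_REQUIRED_APPROVING_REVIEW_COUNT: ${{ inputs.settings_protect_main_branch_required_approving_review_count }}
      run: |
        repositoryId=$(gh repo view --json id -q '.id' "${INPUT_PROJECT}")
        echo "${repositoryId}"
        # Compare the flag as text instead of executing the input as a command.
        curl_debug=()
        if [[ "${INPUT_DEBUG}" == 'true' ]]; then
          echo "enable debug logging"
          # NOTE(review): --verbose prints request headers, which may include
          # the Authorization header; confirm the token is masked in the job
          # log before enabling debug.
          curl_debug+=(--verbose)
        fi
        # Runs main.py from the action directory and then PUTs
        # update-branch-protection-rule.json to the branch protection endpoint.
        # main.py is not part of this file; presumably it writes that JSON
        # file from the two arguments - confirm.
        update_branch_protection_rule() {
          python3 "${GITHUB_ACTION_PATH}/main.py" \
            --enforce-admins "${INPUT_ENFORCE_ADMINS}" \
            --required-approving-review-count "${INPUT_REQUIRED_APPROVING_REVIEW_COUNT}"
          # https://docs.github.com/en/rest/branches/branch-protection?apiVersion=2022-11-28#update-branch-protection
          curl \
            --fail \
            --silent \
            "${curl_debug[@]}" \
            -L \
            -X PUT \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${GH_TOKEN}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            "https://api.github.com/repos/${INPUT_PROJECT}/branches/${branch_to_be_protected}/protection" \
            --data-binary @update-branch-protection-rule.json
        }
        branch_to_be_protected="main"
        # Any failure of this lookup (not only "no protection found") takes
        # the else branch and tries to create a new rule.
        if gh api "repos/${INPUT_PROJECT}/branches/${branch_to_be_protected}/protection"; then
          echo "main branch is protected already. Updating it...";
          update_branch_protection_rule
        else
          echo "main branch not protected. Protecting it...";
          gh api graphql \
            -f query="$(cat "${GITHUB_ACTION_PATH}/create-branch-protection-rule.graphql")" \
            -F branchName="${branch_to_be_protected}" \
            -F repositoryId="${repositoryId}"
          update_branch_protection_rule
        fi
      shell: bash
      if: ${{ inputs.settings_protect_main_branch == 'true' }}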