action.yml

---
name: settings
description: settings
inputs:
  debug:
    default: 'false'
    description: |
      Enable debug logging.
    required: true
  description:
    description: |
      The description of the GitHub project.
    required: true
  project:
    description: |
      The name of the GitHub project including the owner, e.g,
      030/settings-action.
    required: true
  settings_default_workflow_permissions:
    default: 'read'
    description: |
      Set the default workflow permission to 'read' or 'write'.
    required: true
  settings_discussions:
    default: 'false'
    description: |
      Whether the discussions tab should be disabled or enabled.
    required: true
  settings_delete_branch_on_merge:
    default: 'true'
    description: |
      Whether a branch should be deleted on merge.
    required: true
  settings_github_workflows_can_approve_pull_request_reviews:
    default: 'false'
    description: |
      Whether GitHub workflows can approve pull request reviews.
    required: true
  settings_merge_commit:
    default: 'false'
    description: |
      Whether the 'merge commit' option should be disabled or enabled.
    required: true
  settings_merge_rebase:
    default: 'false'
    description: |
      Whether the 'merge rebase' option should be disabled or enabled.
    required: true
  settings_merge_squash:
    default: 'true'
    description: |
      Whether the 'merge squash' option should be disabled or enabled.
    required: true
  settings_protect_main_branch:
    default: 'true'
    description: |
      Whether the main branch should be protected or not.
    required: true
  settings_protect_main_branch_enforce_admins:
    default: 'true'
    description: |
      Whether the main branch protection should be enforced for admin as well.
    required: true
  settings_protect_main_branch_required_approving_review_count:
    default: '1'
    description: |
      The number of approvals that is required before a PR can be merged.
    required: true
  settings_projects:
    default: 'false'
    description: |
      Whether the projects tab should be disabled or enabled.
    required: true
  settings_wiki:
    default: 'false'
    description: |
      Whether the wiki tab should be disabled or enabled.
    required: true
runs:
  using: 'composite'
  steps:
    - name: display the gh cli version
      run: gh --version
      shell: bash
    - name: add a description for project ${{ inputs.project }}
      run: gh repo edit ${{ inputs.project }} --description="${{ inputs.description }}"
      shell: bash
    - name: delete branch on merge or not for project ${{ inputs.project }}
      run: gh repo edit ${{ inputs.project }} --delete-branch-on-merge=${{ inputs.settings_delete_branch_on_merge }}
      shell: bash
    # https://docs.github.com/en/rest/actions/permissions?apiVersion=2022-11-28#set-default-workflow-permissions-for-a-repository
    - name: set default_workflow_permissions and can_approve_pull_request_reviews
      run: |
        if ${{ inputs.debug }}; then
          echo "enable debug logging"
          debug="--verbose"
        fi

        curl \
          --fail \
          --silent \
          ${debug} \
          -L \
          -X PUT \
          -H "Accept: application/vnd.github+json" \
          -H "Authorization: Bearer ${GH_TOKEN}" \
          -H "X-GitHub-Api-Version: 2022-11-28" \
          https://api.github.com/repos/${{ inputs.project }}/actions/permissions/workflow \
          -d "{
            \"default_workflow_permissions\":\"${{ inputs.settings_default_workflow_permissions }}\",
            \"can_approve_pull_request_reviews\":${{ inputs.settings_github_workflows_can_approve_pull_request_reviews }} 
          }"
      shell: bash
    - name: enable or disable the 'discussions' tab for ${{ inputs.project }}
      run: gh repo edit ${{ inputs.project }} --enable-discussions=${{ inputs.settings_discussions }}
      shell: bash
    - name: enable or disable 'merge rebase' for ${{ inputs.project }}
      run: gh repo edit ${{ inputs.project }} --enable-rebase-merge=${{ inputs.settings_merge_rebase }}
      shell: bash
    - name: enable or disable 'merge squash' for ${{ inputs.project }}
      run: gh repo edit ${{ inputs.project }} --enable-squash-merge=${{ inputs.settings_merge_squash }}
      shell: bash
    # Ensure that at least one of the following settings_merge_x options
    # is true. As the merge request option is true by default and one of them
    # has to be true, the merge_commit option is positioned third.
    - name: enable or disable 'merge commit' for ${{ inputs.project }}
      run: gh repo edit ${{ inputs.project }} --enable-merge-commit=${{ inputs.settings_merge_commit }}
      shell: bash
    - name: enable or disable the 'projects' tab for ${{ inputs.project }}
      run: gh repo edit ${{ inputs.project }} --enable-projects=${{ inputs.settings_projects }}
      shell: bash
    - name: enable or disable the 'wiki' tab for ${{ inputs.project }}
      run: gh repo edit ${{ inputs.project }} --enable-wiki=${{ inputs.settings_wiki }}
      shell: bash
    - name: protect main branch
      run: |
        repositoryId=$(gh repo view --json id -q '.id' "${{ inputs.project }}")
        echo $repositoryId

        if ${{ inputs.debug }}; then
          echo "enable debug logging"
          debug="--verbose"
        fi

        update_branch_protection_rule() {
          python3 ${{ github.action_path }}/main.py \
            --enforce-admins ${{ inputs.settings_protect_main_branch_enforce_admins }} \
            --required-approving-review-count ${{ inputs.settings_protect_main_branch_required_approving_review_count }}

          # https://docs.github.com/en/rest/branches/branch-protection?apiVersion=2022-11-28#update-branch-protection
          curl \
            --fail \
            --silent \
            ${debug} \
            -L \
            -X PUT \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${GH_TOKEN}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            https://api.github.com/repos/${{ inputs.project }}/branches/${branch_to_be_protected}/protection \
            --data-binary @update-branch-protection-rule.json
        }

        branch_to_be_protected="main"
        if gh api repos/${{ inputs.project }}/branches/${branch_to_be_protected}/protection; then
          echo "main branch is protected already. Updating it...";
          update_branch_protection_rule
        else
          echo "main branch not protected. Protecting it...";

          gh api graphql \
            -f query="$(cat ${{ github.action_path }}/create-branch-protection-rule.graphql)" \
            -F branchName="${branch_to_be_protected}" \
            -F repositoryId="${repositoryId}"

          update_branch_protection_rule
        fi
      shell: bash
      if: ${{ inputs.settings_protect_main_branch == 'true' }}