Merge branch 'main-enterprise' into github-action-doc

Author: decyjphr

README.md

@@ -30,7 +30,6 @@
 > [!NOTE]
 > The `suborg` and `repo` level settings directory structure cannot be customized.
 >
-> Settings files must have a `.yml` extension only. For now, the `.yaml` extension is ignored.
 
 
 ## How it works

docs/github-settings/6. deployment-environments.md

@@ -27,10 +27,14 @@ environments:
       - type: User
         id: 139262123
     deployment_branch_policy:
-      protected_branches: true
-      custom_branch_policies: false
+      protected_branches: false
+      custom_branch_policies:
+        - names: ['main','dev']
+          type: branch
+        - names: ['v*.*.*']
+          type: tag
     deployment_protection_rules:
-      - app_id: 25112  
+      - app_id: 25112
     variables:
       - name: MY_AWESOME_VAR
         value: '845705'
@@ -43,7 +47,8 @@ environments:
 >[!TIP]
 >GitHub's API documentation defines these inputs and types:
 >1. [Create or update an environment](https://docs.github.com/en/rest/deployments/environments?apiVersion=2022-11-28#create-or-update-an-environment)
->2. [Create an environment variable](https://docs.github.com/en/rest/actions/variables?apiVersion=2022-11-28#create-an-environment-variable)
+>2. [Create a deployment branch policy](https://docs.github.com/en/rest/deployments/branch-policies?apiVersion=2022-11-28#create-a-deployment-branch-policy)
+>3. [Create an environment variable](https://docs.github.com/en/rest/actions/variables?apiVersion=2022-11-28#create-an-environment-variable)
 
 <table>
 <tr><td>
@@ -126,11 +131,11 @@ environments:
 
 <details><summary>Properties of <code>deployment_branch_policy</code></summary>
 <br>
-<p>&emsp;<code>protected_branches</code><span style="color:gray;">&emsp;<i>string</i>&emsp;</span><span style="color:orange;">${\text{\color{orange}Required}}$</span></p>
-<p>&emsp;&emsp;Whether only branches with branch protection rules can deploy<br>&emsp;&emsp;to this environment. If <code>protected_branches</code> is <code>true</code>,<br>&emsp;&emsp;<code>custom_branch_policies</code> must be <code>false</code>; if <code>protected_branches</code><br>&emsp;&emsp;is <code>false</code>, <code>custom_branch_policies</code> must be <code>true</code>.</p>
+<p>&emsp;<code>protected_branches</code><span style="color:gray;">&emsp;<i>boolean</i>&emsp;</span><span style="color:orange;">${\text{\color{orange}Required}}$</span></p>
+<p>&emsp;&emsp;Whether only branches with branch protection rules can deploy<br>&emsp;&emsp;to this environment. If <code>protected_branches</code> is <code>true</code>,<br>&emsp;&emsp;<code>custom_branch_policies</code> must be <code>false</code>; if <code>protected_branches</code><br>&emsp;&emsp;is <code>false</code>, <code>custom_branch_policies</code> must be an object.</p>
 
-<p>&emsp;<code>id</code><span style="color:gray;">&emsp;<i>integer</i>&emsp;</span></p>
-<p>&emsp;&emsp;Whether only branches that match the specified name patterns<br>&emsp;&emsp;can deploy to this environment. If <code>custom_branch_policies</code><br>&emsp;&emsp;is <code>true</code>, <code>protected_branches</code> must be <code>false</code>; if<br>&emsp;&emsp;<code>custom_branch_policies</code> is <code>false</code>, <code>protected_branches</code><br>&emsp;&emsp;must be <code>true</code>.</p>
+<p>&emsp;<code>custom_branch_policies</code><span style="color:gray;">&emsp;<i>boolean or object</i>&emsp;</span></p>
+<p>&emsp;&emsp;Whether only branches that match the specified name patterns<br>&emsp;&emsp;can deploy to this environment. If <code>custom_branch_policies</code><br>&emsp;&emsp;is <code>false</code>, <code>protected_branches</code> must be <code>true</code>; if<br>&emsp;&emsp;<code>custom_branch_policies</code> is an object, <code>protected_branches</code><br>&emsp;&emsp;must be <code>false</code>.</p>
 
 </details>
 
@@ -142,8 +147,12 @@ environments:
   - name: production
     ...
     deployment_branch_policy:
-      protected_branches: true
-      custom_branch_policies: false
+      protected_branches: false
+      custom_branch_policies:
+        - names: ['main','dev']
+          type: branch
+        - names: ['v*.*.*']
+          type: tag
 ...
 ```
 

full-sync.js

@@ -1,19 +1,28 @@
-const { createProbot } = require('probot')
 const appFn = require('./')
+const { FULL_SYNC_NOP } = require('./lib/env')
+const { createProbot } = require('probot')
+
+async function performFullSync (appFn, nop) {
+  const probot = createProbot()
+  probot.log.info(`Starting full sync with NOP=${nop}`)
 
-const probot = createProbot()
-probot.log.info('Starting full sync.')
-const app = appFn(probot, {})
-app.syncInstallation()
-  .then(settings => {
-    if (settings.errors.length > 0) {
+  try {
+    const app = appFn(probot, {})
+    const settings = await app.syncInstallation(nop)
+
+    if (settings.errors && settings.errors.length > 0) {
       probot.log.error('Errors occurred during full sync.')
       process.exit(1)
-    } else {
-      probot.log.info('Done with full sync.')
     }
-  })
-  .catch(error => {
+
+    probot.log.info('Full sync completed successfully.')
+  } catch (error) {
     process.stdout.write(`Unexpected error during full sync: ${error}\n`)
     process.exit(1)
-  })
+  }
+}
+
+performFullSync(appFn, FULL_SYNC_NOP).catch((error) => {
+  console.error('Fatal error during full sync:', error)
+  process.exit(1)
+})

index.js

@@ -28,7 +28,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       if (nop) {
         let filename = env.SETTINGS_FILE_PATH
         if (!deploymentConfig) {
-          filename = env.DEPLOYMENT_CONFIG_FILE
+          filename = env.DEPLOYMENT_CONFIG_FILE_PATH
           deploymentConfig = {}
         }
         const nopcommand = new NopCommand(filename, repo, null, e, 'ERROR')
@@ -53,7 +53,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       if (nop) {
         let filename = env.SETTINGS_FILE_PATH
         if (!deploymentConfig) {
-          filename = env.DEPLOYMENT_CONFIG_FILE
+          filename = env.DEPLOYMENT_CONFIG_FILE_PATH
           deploymentConfig = {}
         }
         const nopcommand = new NopCommand(filename, repo, null, e, 'ERROR')
@@ -78,7 +78,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       if (nop) {
         let filename = env.SETTINGS_FILE_PATH
         if (!deploymentConfig) {
-          filename = env.DEPLOYMENT_CONFIG_FILE
+          filename = env.DEPLOYMENT_CONFIG_FILE_PATH
           deploymentConfig = {}
         }
         const nopcommand = new NopCommand(filename, repo, null, e, 'ERROR')
@@ -104,7 +104,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       if (nop) {
         let filename = env.SETTINGS_FILE_PATH
         if (!deploymentConfig) {
-          filename = env.DEPLOYMENT_CONFIG_FILE
+          filename = env.DEPLOYMENT_CONFIG_FILE_PATH
           deploymentConfig = {}
         }
         const nopcommand = new NopCommand(filename, repo, null, e, 'ERROR')
@@ -123,7 +123,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
    */
   async function loadYamlFileSystem () {
     if (deploymentConfig === undefined) {
-      const deploymentConfigPath = env.DEPLOYMENT_CONFIG_FILE
+      const deploymentConfigPath = env.DEPLOYMENT_CONFIG_FILE_PATH
       if (fs.existsSync(deploymentConfigPath)) {
         deploymentConfig = yaml.load(fs.readFileSync(deploymentConfigPath))
       } else {
@@ -134,7 +134,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
   }
 
   function getAllChangedSubOrgConfigs (payload) {
-    const settingPattern = new Glob(`${env.CONFIG_PATH}/suborgs/*.yml`)
+    const settingPattern = Settings.SUB_ORG_PATTERN
     // Changes will be an array of files that were added
     const added = payload.commits.map(c => {
       return (c.added.filter(s => {
@@ -158,7 +158,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
   }
 
   function getAllChangedRepoConfigs (payload, owner) {
-    const settingPattern = new Glob(`${env.CONFIG_PATH}/repos/*.yml`)
+    const settingPattern = Settings.REPO_PATTERN
     // Changes will be an array of files that were added
     const added = payload.commits.map(c => {
       return (c.added.filter(s => {
@@ -230,7 +230,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
     }
   }
 
-  async function syncInstallation () {
+  async function syncInstallation (nop = false) {
     robot.log.trace('Fetching installations')
     const github = await robot.auth()
 
@@ -249,7 +249,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
         log: robot.log,
         repo: () => { return { repo: env.ADMIN_REPO, owner: installation.account.login } }
       }
-      return syncAllSettings(false, context)
+      return syncAllSettings(nop, context)
     }
     return null
   }
@@ -270,11 +270,11 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
     }
 
     const settingsModified = payload.commits.find(commit => {
-      return commit.added.includes(Settings.FILE_NAME) ||
-        commit.modified.includes(Settings.FILE_NAME)
+      return commit.added.includes(Settings.FILE_PATH) ||
+        commit.modified.includes(Settings.FILE_PATH)
     })
     if (settingsModified) {
-      robot.log.debug(`Changes in '${Settings.FILE_NAME}' detected, doing a full synch...`)
+      robot.log.debug(`Changes in '${Settings.FILE_PATH}' detected, doing a full synch...`)
       return syncAllSettings(false, context)
     }
 
@@ -292,7 +292,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       }))
     }
 
-    robot.log.debug(`No changes in '${Settings.FILE_NAME}' detected, returning...`)
+    robot.log.debug(`No changes in '${Settings.FILE_PATH}' detected, returning...`)
   })
 
   robot.on('create', async context => {
@@ -597,21 +597,21 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
     const changes = await context.octokit.repos.compareCommitsWithBasehead(params)
     const files = changes.data.files.map(f => { return f.filename })
 
-    const settingsModified = files.includes(Settings.FILE_NAME)
+    const settingsModified = files.includes(Settings.FILE_PATH)
 
     if (settingsModified) {
-      robot.log.debug(`Changes in '${Settings.FILE_NAME}' detected, doing a full synch...`)
+      robot.log.debug(`Changes in '${Settings.FILE_PATH}' detected, doing a full synch...`)
       return syncAllSettings(true, context, context.repo(), pull_request.head.ref)
     }
 
-    const repoChanges = getChangedRepoConfigName(new Glob(`${env.CONFIG_PATH}/repos/*.yml`), files, context.repo().owner)
+    const repoChanges = getChangedRepoConfigName(Settings.REPO_PATTERN, files, context.repo().owner)
     if (repoChanges.length > 0) {
       return Promise.all(repoChanges.map(repo => {
         return syncSettings(true, context, repo, pull_request.head.ref)
       }))
     }
 
-    const subOrgChanges = getChangedSubOrgConfigName(new Glob(`${env.CONFIG_PATH}/suborgs/*.yml`), files, context.repo().owner)
+    const subOrgChanges = getChangedSubOrgConfigName(Settings.SUB_ORG_PATTERN, files, context.repo().owner)
     if (subOrgChanges.length) {
       return Promise.all(subOrgChanges.map(suborg => {
         return syncSubOrgSettings(true, context, suborg, context.repo(), pull_request.head.ref)

lib/deploymentConfig.js

@@ -13,23 +13,23 @@ class DeploymentConfig {
   static overridevalidators = {}
 
   static {
-    const deploymentConfigPath = process.env.DEPLOYMENT_CONFIG_FILE ? process.env.DEPLOYMENT_CONFIG_FILE : 'deployment-settings.yml'
+    const deploymentConfigPath = env.DEPLOYMENT_CONFIG_FILE_PATH
     if (fs.existsSync(deploymentConfigPath)) {
-      this.config = yaml.load(fs.readFileSync(deploymentConfigPath))
+      this.config = yaml.load(fs.readFileSync(deploymentConfigPath)) || {}
     } else {
       this.config = { restrictedRepos: ['admin', '.github', 'safe-settings'] }
     }
 
-    const overridevalidators = this.config.overridevalidators
-    if (this.isIterable(overridevalidators)) {
+    const overridevalidators = this.config.overridevalidators || []
+    if (this.isNonEmptyArray(overridevalidators)) {
       for (const validator of overridevalidators) {
         // eslint-disable-next-line no-new-func
         const f = new Function('baseconfig', 'overrideconfig', 'githubContext', validator.script)
         this.overridevalidators[validator.plugin] = { canOverride: f, error: validator.error }
       }
     }
-    const configvalidators = this.config.configvalidators
-    if (this.isIterable(configvalidators)) {
+    const configvalidators = this.config.configvalidators || []
+    if (this.isNonEmptyArray(configvalidators)) {
       for (const validator of configvalidators) {
         // eslint-disable-next-line no-new-func
         const f = new Function('baseconfig', 'githubContext', validator.script)
@@ -38,12 +38,8 @@ class DeploymentConfig {
     }
   }
 
-  static isIterable (obj) {
-    // checks for null and undefined
-    if (obj == null) {
-      return false
-    }
-    return typeof obj[Symbol.iterator] === 'function'
+  static isNonEmptyArray (obj) {
+    return Array.isArray(obj) && obj.length > 0
   }
 
   // eslint-disable-next-line no-useless-constructor

lib/env.js

@@ -2,8 +2,9 @@ module.exports = {
   ADMIN_REPO: process.env.ADMIN_REPO || 'admin',
   CONFIG_PATH: process.env.CONFIG_PATH || '.github',
   SETTINGS_FILE_PATH: process.env.SETTINGS_FILE_PATH || 'settings.yml',
-  DEPLOYMENT_CONFIG_FILE: process.env.DEPLOYMENT_CONFIG_FILE || 'deployment-settings.yml',
+  DEPLOYMENT_CONFIG_FILE_PATH: process.env.DEPLOYMENT_CONFIG_FILE || 'deployment-settings.yml',
   CREATE_PR_COMMENT: process.env.CREATE_PR_COMMENT || 'true',
   CREATE_ERROR_ISSUE: process.env.CREATE_ERROR_ISSUE || 'true',
-  BLOCK_REPO_RENAME_BY_HUMAN: process.env.BLOCK_REPO_RENAME_BY_HUMAN || 'false'
+  BLOCK_REPO_RENAME_BY_HUMAN: process.env.BLOCK_REPO_RENAME_BY_HUMAN || 'false',
+  FULL_SYNC_NOP: process.env.FULL_SYNC_NOP === 'true'
 }

lib/plugins/branches.js

@@ -33,7 +33,7 @@ module.exports = class Branches extends ErrorStash {
               let p = Object.assign(this.repo, { branch: branch.name })
               if (branch.name === 'default') {
                 p = Object.assign(this.repo, { branch: currentRepo.data.default_branch })
-                this.log(`Deleting default branch protection for branch ${currentRepo.data.default_branch}`)
+                this.log.debug(`Deleting default branch protection for branch ${currentRepo.data.default_branch}`)
               }
               // Hack to handle closures and keep params from changing
               const params = Object.assign({}, p)
@@ -50,7 +50,7 @@ module.exports = class Branches extends ErrorStash {
               let p = Object.assign(this.repo, { branch: branch.name })
               if (branch.name === 'default') {
                 p = Object.assign(this.repo, { branch: currentRepo.data.default_branch })
-                // this.log(`Setting default branch protection for branch ${currentRepo.data.default_branch}`)
+                // this.log.debug(`Setting default branch protection for branch ${currentRepo.data.default_branch}`)
               }
               // Hack to handle closures and keep params from changing
               const params = Object.assign({}, p)
@@ -80,7 +80,7 @@ module.exports = class Branches extends ErrorStash {
                   return Promise.resolve(resArray)
                 }
                 this.log.debug(`Adding branch protection ${JSON.stringify(params)}`)
-                return this.github.repos.updateBranchProtection(params).then(res => this.log(`Branch protection applied successfully ${JSON.stringify(res.url)}`)).catch(e => { this.logError(`Error applying branch protection ${JSON.stringify(e)}`); return [] })
+                return this.github.repos.updateBranchProtection(params).then(res => this.log.debug(`Branch protection applied successfully ${JSON.stringify(res.url)}`)).catch(e => { this.logError(`Error applying branch protection ${JSON.stringify(e)}`); return [] })
               }).catch((e) => {
                 if (e.status === 404) {
                   Object.assign(params, Overrides.removeOverrides(overrides, branch.protection, {}), { headers: previewHeaders })
@@ -89,7 +89,7 @@ module.exports = class Branches extends ErrorStash {
                     return Promise.resolve(resArray)
                   }
                   this.log.debug(`Adding branch protection ${JSON.stringify(params)}`)
-                  return this.github.repos.updateBranchProtection(params).then(res => this.log(`Branch protection applied successfully ${JSON.stringify(res.url)}`)).catch(e => { this.logError(`Error applying branch protection ${JSON.stringify(e)}`); return [] })
+                  return this.github.repos.updateBranchProtection(params).then(res => this.log.debug(`Branch protection applied successfully ${JSON.stringify(res.url)}`)).catch(e => { this.logError(`Error applying branch protection ${JSON.stringify(e)}`); return [] })
                 } else {
                   this.logError(e)
                   if (this.nop) {