diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml index 6cb7ddc..99e9efd 100644 --- a/.github/workflows/sync.yml +++ b/.github/workflows/sync.yml @@ -1,6 +1,9 @@ name: Sync Org Settings on: + pull_request: + branches: + - main push: branches: - main @@ -11,7 +14,7 @@ on: dry-run: description: 'Dry run (preview changes without applying)' type: boolean - default: false + default: true jobs: sync: @@ -22,13 +25,13 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Generate GitHub App Token id: app-token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@v3 with: - app-id: ${{ secrets.APP_CLIENT_ID }} + client-id: ${{ vars.APP_CLIENT_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} owner: joshjohanning-org @@ -36,15 +39,15 @@ jobs: uses: joshjohanning/bulk-github-org-settings-sync-action@v1 with: github-token: ${{ steps.app-token.outputs.token }} - organizations-file: './orgs.yml' - custom-repo-roles-file: './custom-repo-roles.yml' + organizations-file: './config/orgs.yml' + custom-repo-roles-file: './config/custom-repo-roles.yml' actions-policy-allowed-actions: selected actions-policy-github-owned-allowed: true actions-policy-verified-allowed: true - actions-allow-list-file: './actions-allow-list.yml' + actions-allow-list-file: './config/actions-allow-list.yml' actions-policy-default-workflow-permissions: read actions-policy-actions-can-approve-pull-request-reviews: false - org-description: "josh's samples" + org-description: "@joshjohanning's samples" org-location: 'United States of America' org-blog: 'https://josh-ops.com' default-repository-permission: none @@ -66,4 +69,4 @@ jobs: readers-can-create-discussions: true members-can-view-dependency-insights: true display-commenter-full-name-setting-enabled: true - dry-run: ${{ inputs.dry-run || 'false' }} + dry-run: ${{ github.event_name == 'pull_request' || inputs.dry-run == true }} 
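Review bot: Running this workflow on `pull_request` hands a freshly minted GitHub App token (from `secrets.APP_PRIVATE_KEY`, further down the file) to the sync action on every PR, and the only thing keeping that run read-only is the `dry-run` expression in the PR's own copy of the workflow — `pull_request` executes the workflow as it exists on the PR branch, so anyone who can open a same-repo PR can edit the guard and apply org settings before review. Unless the `sync` job is bound to a protected environment with required reviewers (the job header is outside this hunk, so I can't tell), consider adding `environment: org-admin` to the job, or minting the PR-time token with a read-only scope such as `permission-organization-administration: read` when `github.event_name == 'pull_request'`, so a PR run cannot write even if the guard is edited. If this repo also accepts fork PRs, `secrets.*` are empty on those runs and the token step will fail rather than dry-run, which is worth a `if:` guard or a note in the README.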
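Review bot: `actions/checkout@v6` and `actions/create-github-app-token@v3` are bumped but still referenced by mutable major-version tags; the latter receives `APP_PRIVATE_KEY`, so a moved or compromised tag would hand the org-admin app's private key to whatever code the tag then points at. Pin both to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/create-github-app-token@<full-commit-sha> # v3`, and let Dependabot maintain the comment. Moving `APP_CLIENT_ID` from a secret to a repository variable is fine — the client ID is an identifier, not a credential — and matches the README change in this commit.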
diff --git a/README.md b/README.md index 719fb39..7e79e7f 100644 --- a/README.md +++ b/README.md @@ -8,17 +8,17 @@ Manages GitHub organization settings for `joshjohanning-org` using [bulk-github- |---|---| | Member privileges | Inline in workflow | | Org profile | Inline in workflow | -| Actions policy | `actions-allow-list.yml` | -| Custom repo roles | `custom-repo-roles.yml` | +| Actions policy | `config/actions-allow-list.yml` | +| Custom repo roles | `config/custom-repo-roles.yml` | ## Setup -The workflow uses a GitHub App for auth. Set these secrets on the repo: +The workflow uses a GitHub App for auth. Set these repo-level values: -| Secret | Value | -|---|---| -| `APP_CLIENT_ID` | App client ID (`Iv1.xxx`) | -| `APP_PRIVATE_KEY` | App private key (PEM) | +| Name | Type | Value | +|---|---|---| +| `APP_CLIENT_ID` | Variable | App client ID (`Iv1.xxx`) | +| `APP_PRIVATE_KEY` | Secret | App private key (PEM) | ## Running diff --git a/actions-allow-list.yml b/config/actions-allow-list.yml similarity index 100% rename from actions-allow-list.yml rename to config/actions-allow-list.yml diff --git a/config/custom-repo-roles.yml b/config/custom-repo-roles.yml new file mode 100644 index 0000000..8f83636 --- /dev/null +++ b/config/custom-repo-roles.yml 
@@ -0,0 +1,37 @@
+# Custom repository roles for joshjohanning-org
+# Sourced from existing roles via API on initial setup
+
+- name: Security Engineers
+ description: ''
+ base-role: maintain
+ permissions:
+ - delete_alerts_code_scanning
+ - resolve_dependabot_alerts
+ - resolve_secret_scanning_alerts
+ - view_dependabot_alerts
+ - view_secret_scanning_alerts
+
+- name: write-plus
+ description: 'Temporary dry-run summary table test'
+ base-role: write
+ permissions:
+ - delete_issue
+ - manage_settings_wiki
+
+- name: write-minus-action-secrets
+ description: ''
+ base-role: triage
+ permissions:
+ - create_discussion_category
+ - edit_discussion_category
+ - read_code_scanning
+ - resolve_dependabot_alerts
+ - view_dependabot_alerts
+ - write_code_scanning
+
+- name: write-plus-secrets
+ description: 'Basically "Write" with the ability to view and manage secrets'
+ base-role: write
+ permissions:
+ - resolve_secret_scanning_alerts
+ - view_secret_scanning_alerts
diff --git a/orgs.yml b/config/orgs.yml
similarity index 100%
rename from orgs.yml
rename to config/orgs.yml
diff --git a/custom-repo-roles.yml b/custom-repo-roles.yml
deleted file mode 100644
index ddf91f3..0000000
--- a/custom-repo-roles.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Custom repository roles for joshjohanning-org
-# Sourced from existing roles via API on initial setup
-
-- name: Security Engineers
- description: ''
- base_role: maintain
- permissions:
- - delete_alerts_code_scanning
- - resolve_dependabot_alerts
- - resolve_secret_scanning_alerts
- - view_dependabot_alerts
- - view_secret_scanning_alerts
-
-- name: write-plus
- description: ''
- base_role: write
- permissions:
- - delete_issue
- - manage_settings_wiki
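Review bot: The `write-plus-secrets` role's description (`Basically "Write" with the ability to view and manage secrets`) promises more than its permission list grants — the only additions over the `write` base are `view_secret_scanning_alerts` and `resolve_secret_scanning_alerts`, which concern secret scanning alerts rather than repository or Actions secrets, assuming the action passes these names through to GitHub's custom-role permission set unchanged. Admins pick roles by their description, so a misleading one invites over-granting; I'd change it to `description: 'Write plus viewing and resolving secret scanning alerts'`. The `write-plus` role is also committed with `description: 'Temporary dry-run summary table test'`, which suggests it should be removed or given a real description before this file is applied for real on push to main.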