From 76534b5a094f78db6ebdc5a116d62f8ae68cf3f1 Mon Sep 17 00:00:00 2001
From: Josh Johanning
Date: Wed, 13 May 2026 08:56:38 -0500
Subject: [PATCH 1/7] fix: default dry-run to true on PR/dispatch, use var for APP_CLIENT_ID

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/sync.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index 6cb7ddc..e1038ac 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -1,6 +1,9 @@
 name: Sync Org Settings
 
 on:
+  pull_request:
+    branches:
+      - main
   push:
     branches:
       - main
@@ -11,7 +14,7 @@ on:
       dry-run:
         description: 'Dry run (preview changes without applying)'
         type: boolean
-        default: false
+        default: true
 
 jobs:
   sync:
@@ -28,7 +31,7 @@ jobs:
         id: app-token
         uses: actions/create-github-app-token@v2
         with:
-          app-id: ${{ secrets.APP_CLIENT_ID }}
+          app-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: joshjohanning-org
 
@@ -66,4 +69,4 @@ jobs:
           readers-can-create-discussions: true
           members-can-view-dependency-insights: true
           display-commenter-full-name-setting-enabled: true
-          dry-run: ${{ inputs.dry-run || 'false' }}
+          dry-run: ${{ github.event_name == 'pull_request' || inputs.dry-run == true }}

From 8d8e3d191fa5837d3f755a790b6b25b89ad1d1ba Mon Sep 17 00:00:00 2001
From: Josh Johanning
Date: Wed, 13 May 2026 08:57:15 -0500
Subject: [PATCH 2/7] chore: upgrade actions/checkout to v6 and create-github-app-token to v3

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/sync.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index e1038ac..2eea328 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
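Review bot: The new `pull_request` trigger lets a PR-triggered run mint an App token from `secrets.APP_PRIVATE_KEY`, and for a same-repository PR GitHub runs the workflow file from the PR branch, so the dry-run gate in the last hunk (`dry-run: ${{ github.event_name == 'pull_request' || inputs.dry-run == true }}`) is only as firm as the review of `.github/workflows/sync.yml` itself — branch protection or a CODEOWNERS entry for that path is the control worth having alongside this change. For PRs from forks the secret is not exposed, so those runs presumably fail at the `create-github-app-token` step rather than preview; a comment above `pull_request:` such as `# same-repo PRs run the sync in dry-run mode; fork PRs cannot mint the App token` would set expectations. On `push` to `main`, `inputs.dry-run` is empty, so the expression evaluates to false and the sync applies for real; stating that on the `dry-run:` line (`# preview on PR and by default on dispatch; push to main applies`) would make the three paths explicit.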
@@ -25,11 +25,11 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Generate GitHub App Token
         id: app-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@v3
         with:
           app-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}

From a06b57eef539b378fb340a9505f0778a2a81c416 Mon Sep 17 00:00:00 2001
From: Josh Johanning
Date: Wed, 13 May 2026 08:58:09 -0500
Subject: [PATCH 3/7] fix: use base-role (hyphen) in custom-repo-roles.yml

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 custom-repo-roles.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/custom-repo-roles.yml b/custom-repo-roles.yml
index ddf91f3..80e19de 100644
--- a/custom-repo-roles.yml
+++ b/custom-repo-roles.yml
@@ -3,7 +3,7 @@
 
 - name: Security Engineers
   description: ''
-  base_role: maintain
+  base-role: maintain
   permissions:
     - delete_alerts_code_scanning
     - resolve_dependabot_alerts
@@ -13,7 +13,7 @@
 
 - name: write-plus
   description: ''
-  base_role: write
+  base-role: write
   permissions:
     - delete_issue
     - manage_settings_wiki

From 3ee2924281863ee078d6c8855a43e71ab4b22a88 Mon Sep 17 00:00:00 2001
From: Josh Johanning
Date: Wed, 13 May 2026 09:00:15 -0500
Subject: [PATCH 4/7] Update GitHub App token client-id and org description
---
 .github/workflows/sync.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index 2eea328..6a7425d 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -31,7 +31,7 @@ jobs:
         id: app-token
         uses: actions/create-github-app-token@v3
         with:
-          app-id: ${{ vars.APP_CLIENT_ID }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: joshjohanning-org
 
@@ -47,7 +47,7 @@ jobs:
           actions-allow-list-file: './actions-allow-list.yml'
           actions-policy-default-workflow-permissions: read
           actions-policy-actions-can-approve-pull-request-reviews: false
-          org-description: "josh's samples"
+          org-description: "@joshjohanning's samples"
           org-location: 'United States of America'
           org-blog: 'https://josh-ops.com'
           default-repository-permission: none

From 5ccd29e52505711e873a196dbf3586fcf0328424 Mon Sep 17 00:00:00 2001
From: Josh Johanning
Date: Wed, 13 May 2026 10:21:08 -0500
Subject: [PATCH 5/7] chore: include all existing custom repository roles

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 custom-repo-roles.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/custom-repo-roles.yml b/custom-repo-roles.yml
index 80e19de..f0d195b 100644
--- a/custom-repo-roles.yml
+++ b/custom-repo-roles.yml
@@ -17,3 +17,21 @@
   permissions:
     - delete_issue
     - manage_settings_wiki
+
+- name: write-minus-action-secrets
+  description: ''
+  base-role: triage
+  permissions:
+    - create_discussion_category
+    - edit_discussion_category
+    - read_code_scanning
+    - resolve_dependabot_alerts
+    - view_dependabot_alerts
+    - write_code_scanning
+
+- name: write-plus-secrets
+  description: 'Basically "Write" with the ability to view and manage secrets'
+  base-role: write
+  permissions:
+    - resolve_secret_scanning_alerts
+    - view_secret_scanning_alerts

From fb5261b9af1228ed37f7c196e686534feddea657 Mon Sep 17 00:00:00 2001
From: Josh Johanning
Date: Wed, 13 May 2026 10:36:41 -0500
Subject: [PATCH 6/7] test: simulate custom repo role change for dry-run summary

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 custom-repo-roles.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/custom-repo-roles.yml b/custom-repo-roles.yml
index f0d195b..8f83636 100644
--- a/custom-repo-roles.yml
+++ b/custom-repo-roles.yml
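Review bot: `write-minus-action-secrets` is added with `description: ''` and `base-role: triage`, while the name reads as a Write-derived role; if triage plus the listed code-scanning and Dependabot permissions is what is intended, say so in the description so the next admin does not "fix" the base role, and if it is not, the base role is the bug. `write-plus-secrets` describes itself as "the ability to view and manage secrets", but its permissions are `view_secret_scanning_alerts` and `resolve_secret_scanning_alerts`, i.e. secret scanning alerts rather than repository Actions secrets; `description: 'Write plus viewing and resolving secret scanning alerts'` would state what the role actually grants. These descriptions are what org members see once the sync applies this file on a push to `main`, so they are effectively the documentation for each role.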
@@ -12,7 +12,7 @@
     - view_secret_scanning_alerts
 
 - name: write-plus
-  description: ''
+  description: 'Temporary dry-run summary table test'
   base-role: write
   permissions:
     - delete_issue

From 2d7ae9349e0e86ee65bdadd19ad5c95589acb7ef Mon Sep 17 00:00:00 2001
From: Josh Johanning
Date: Wed, 13 May 2026 10:38:14 -0500
Subject: [PATCH 7/7] chore: move org settings config files under config

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/sync.yml | 6 +++---
 README.md | 14 +++++++-------
 .../actions-allow-list.yml | 0
 .../custom-repo-roles.yml | 0
 orgs.yml => config/orgs.yml | 0
 5 files changed, 10 insertions(+), 10 deletions(-)
 rename actions-allow-list.yml => config/actions-allow-list.yml (100%)
 rename custom-repo-roles.yml => config/custom-repo-roles.yml (100%)
 rename orgs.yml => config/orgs.yml (100%)

diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index 6a7425d..99e9efd 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -39,12 +39,12 @@ jobs:
         uses: joshjohanning/bulk-github-org-settings-sync-action@v1
         with:
           github-token: ${{ steps.app-token.outputs.token }}
-          organizations-file: './orgs.yml'
-          custom-repo-roles-file: './custom-repo-roles.yml'
+          organizations-file: './config/orgs.yml'
+          custom-repo-roles-file: './config/custom-repo-roles.yml'
           actions-policy-allowed-actions: selected
           actions-policy-github-owned-allowed: true
           actions-policy-verified-allowed: true
-          actions-allow-list-file: './actions-allow-list.yml'
+          actions-allow-list-file: './config/actions-allow-list.yml'
           actions-policy-default-workflow-permissions: read
           actions-policy-actions-can-approve-pull-request-reviews: false
           org-description: "@joshjohanning's samples"
diff --git a/README.md b/README.md
index 719fb39..7e79e7f 100644
--- a/README.md
+++ b/README.md
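Review bot: `description: 'Temporary dry-run summary table test'` is a throwaway change by its own wording and the commit subject, yet it sits in the config that the sync applies on a push to `main` (the dry-run expression from patch 1 previews only on `pull_request` and on dispatch), so merging the series as-is writes that text onto the `write-plus` role in the org. Drop this commit before merge, or add a commit to the series restoring `description: ''`; the PR's dry-run summary should then show no change for `write-plus`.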
@@ -8,17 +8,17 @@ Manages GitHub organization settings for `joshjohanning-org` using [bulk-github-
 |---|---|
 | Member privileges | Inline in workflow |
 | Org profile | Inline in workflow |
-| Actions policy | `actions-allow-list.yml` |
-| Custom repo roles | `custom-repo-roles.yml` |
+| Actions policy | `config/actions-allow-list.yml` |
+| Custom repo roles | `config/custom-repo-roles.yml` |
 
 ## Setup
 
-The workflow uses a GitHub App for auth. Set these secrets on the repo:
+The workflow uses a GitHub App for auth. Set these repo-level values:
 
-| Secret | Value |
-|---|---|
-| `APP_CLIENT_ID` | App client ID (`Iv1.xxx`) |
-| `APP_PRIVATE_KEY` | App private key (PEM) |
+| Name | Type | Value |
+|---|---|---|
+| `APP_CLIENT_ID` | Variable | App client ID (`Iv1.xxx`) |
+| `APP_PRIVATE_KEY` | Secret | App private key (PEM) |
 
 ## Running
 
diff --git a/actions-allow-list.yml b/config/actions-allow-list.yml
similarity index 100%
rename from actions-allow-list.yml
rename to config/actions-allow-list.yml
diff --git a/custom-repo-roles.yml b/config/custom-repo-roles.yml
similarity index 100%
rename from custom-repo-roles.yml
rename to config/custom-repo-roles.yml
diff --git a/orgs.yml b/config/orgs.yml
similarity index 100%
rename from orgs.yml
rename to config/orgs.yml