From a8061684d7768171d6010d3cd4b1278009b2a9d2 Mon Sep 17 00:00:00 2001 From: Josh Johanning Date: Sun, 17 May 2026 13:24:30 -0500 Subject: [PATCH 1/3] Add additional org sync configs - Add issue types, code security configs, and selected rulesets - Wire new config files in orgs.yml - Add commented delete-unmanaged options - Switch org profile key from org-blog to org-url Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 config/code-security-configurations.yml | 34 +++++++++++++ config/issue-types.yml | 28 ++++++++++ .../block-security-checks-updating.json | 20 ++++++++ .../how-many-prs-without-approval.json | 30 +++++++++++ config/rulesets/jira-checker.json | 32 ++++++++++++ config/rulesets/no-exe.json | 19 +++++++ .../rulesets/prevent-excluding-secrets.json | 26 ++++++++++ config/rulesets/require-pr.json | 35 +++++++++++++ config/rulesets/require-signed-commits.json | 21 ++++++++ .../required-workflow-dependency-review.json | 48 +++++++++++++++++ config/rulesets/security-checks.json | 51 +++++++++++++++++++ orgs.yml | 21 +++++++- 12 files changed, 364 insertions(+), 1 deletion(-) create mode 100644 config/code-security-configurations.yml create mode 100644 config/issue-types.yml create mode 100644 config/rulesets/block-security-checks-updating.json create mode 100644 config/rulesets/how-many-prs-without-approval.json create mode 100644 config/rulesets/jira-checker.json create mode 100644 config/rulesets/no-exe.json create mode 100644 config/rulesets/prevent-excluding-secrets.json create mode 100644 config/rulesets/require-pr.json create mode 100644 config/rulesets/require-signed-commits.json create mode 100644 config/rulesets/required-workflow-dependency-review.json create mode 100644 config/rulesets/security-checks.json
diff --git a/config/code-security-configurations.yml b/config/code-security-configurations.yml
new file mode 100644
index 0000000..b11685e
--- /dev/null
+++ b/config/code-security-configurations.yml
@@ -0,0 +1,34 @@
+# Code security configurations synced to target organizations
+# Configurations are matched by name (update if exists, create otherwise).
+# Captured from joshjohanning-org current state (org-scoped configs only;
+# enterprise/global configs are managed at a higher level).
+#
+# Skipped: "tes" (appears to be a throwaway test config).
+
+- name: Legacy
+ description: 'Your previous organization settings for new repositories, as of March 2024'
+ advanced_security: enabled
+ dependency_graph: enabled
+ secret_scanning: enabled
+ secret_scanning_push_protection: enabled
+ enforcement: unenforced
+
+- name: Dependabot-only
+ description: 'Dependabot-only'
+ advanced_security: enabled
+ dependency_graph: enabled
+ dependabot_alerts: enabled
+ enforcement: enforced
+
+- name: "Josh's configuration"
+ description: 'sample'
+ advanced_security: enabled
+ dependency_graph: enabled
+ dependabot_alerts: enabled
+ code_scanning_default_setup: enabled
+ secret_scanning: enabled
+ secret_scanning_push_protection: enabled
+ secret_scanning_validity_checks: enabled
+ secret_scanning_extended_metadata: enabled
+ private_vulnerability_reporting: enabled
+ enforcement: enforced
diff --git a/config/issue-types.yml b/config/issue-types.yml
new file mode 100644
index 0000000..30de54c
--- /dev/null
+++ b/config/issue-types.yml
@@ -0,0 +1,28 @@
+# Issue type definitions synced to target organizations
+# See: https://docs.github.com/en/rest/orgs/issue-types
+# Captured from joshjohanning-org current state.
+
+- name: Task
+ description: 'A specific piece of work'
+ color: yellow
+ is_enabled: true
+
+- name: Bug
+ description: 'An unexpected problem or behavior'
+ color: red
+ is_enabled: true
+
+- name: Feature
+ description: 'A request, idea, or new functionality'
+ color: purple
+ is_enabled: true
+
+- name: User Story
+ description: 'A requirement'
+ color: blue
+ is_enabled: true
+
+- name: Epic
+ description: 'A vision'
+ color: orange
+ is_enabled: true
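Review bot: The `Legacy` and `Dependabot-only` entries leave several settings unspecified (`Legacy` has no `dependabot_alerts` or `code_scanning_default_setup`, `Dependabot-only` has no `secret_scanning` keys), so whatever the sync action or the API substitutes for a missing key, rather than this file, decides the synced state. Since the header says the entries were captured from the source organization, spelling every setting out as `enabled`/`disabled` makes the file a faithful snapshot and keeps a later change in defaults from silently altering the target organizations. A line in the header such as `# Keys not listed fall back to the action/API default; list every setting explicitly.` would make the expectation visible to the next editor.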
diff --git a/config/rulesets/block-security-checks-updating.json b/config/rulesets/block-security-checks-updating.json
new file mode 100644
index 0000000..07c3298
--- /dev/null
+++ b/config/rulesets/block-security-checks-updating.json
@@ -0,0 +1,20 @@
+{
+ "name": "Block security checks updating",
+ "target": "push",
+ "enforcement": "active",
+ "conditions": {
+ "repository_name": {
+ "exclude": [],
+ "include": ["repo-rules-security-*"]
+ }
+ },
+ "rules": [
+ {
+ "type": "file_path_restriction",
+ "parameters": {
+ "restricted_file_paths": [".github/workflows/security-checks.yml"]
+ }
+ }
+ ],
+ "bypass_actors": []
+}
diff --git a/config/rulesets/how-many-prs-without-approval.json b/config/rulesets/how-many-prs-without-approval.json
new file mode 100644
index 0000000..77bed17
--- /dev/null
+++ b/config/rulesets/how-many-prs-without-approval.json
@@ -0,0 +1,30 @@
+{
+ "name": "How-many-prs-without-approval",
+ "target": "branch",
+ "enforcement": "evaluate",
+ "conditions": {
+ "ref_name": {
+ "exclude": [],
+ "include": ["~DEFAULT_BRANCH"]
+ },
+ "repository_name": {
+ "exclude": [],
+ "include": ["~ALL"]
+ }
+ },
+ "rules": [
+ {
+ "type": "pull_request",
+ "parameters": {
+ "required_approving_review_count": 1,
+ "dismiss_stale_reviews_on_push": false,
+ "required_reviewers": [],
+ "require_code_owner_review": false,
+ "require_last_push_approval": false,
+ "required_review_thread_resolution": false,
+ "allowed_merge_methods": ["merge", "squash", "rebase"]
+ }
+ }
+ ],
+ "bypass_actors": []
+}
diff --git a/config/rulesets/jira-checker.json b/config/rulesets/jira-checker.json
new file mode 100644
index 0000000..4d34211
--- /dev/null
+++ b/config/rulesets/jira-checker.json
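Review bot: The repository target `repo-rules-security-*` in `conditions.repository_name` does not match the `repo-rules-security-checks-*` pattern used by security-checks.json, the ruleset that requires the `security / security-checks` check this workflow file presumably produces; the wider pattern may be intentional, but if the two rulesets are meant to cover the same repositories the patterns should be identical so that a rename in one is not missed in the other. With `"bypass_actors": []` and `"enforcement": "active"`, nobody, organization admins included, can push a change to `.github/workflows/security-checks.yml` on a matching repository, so a legitimate update to that workflow requires disabling the ruleset first. JSON cannot carry that as a comment, so confirm it is the intended operating model and record it in orgs.yml next to the `rulesets-file` entry.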
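Review bot: `"enforcement": "evaluate"` here, and likewise in require-pr.json, require-signed-commits.json, required-workflow-dependency-review.json and no-exe.json, means that after the sync none of these rules block anything on the target organizations; they only record insights. That may be deliberate for a staged rollout, but the file names (`require-pr`, `require-signed-commits`) read as enforced controls, so the intent is worth stating in orgs.yml next to the `rulesets-file` list, e.g. `# rulesets with enforcement "evaluate" are dry-run only and do not block pushes`. Separately, this ruleset and require-pr.json attach an equivalent `pull_request` rule to the same targets (`~ALL` / `~DEFAULT_BRANCH`), so if both are kept the insights will most likely report every pull request twice; dropping one or narrowing its target avoids that.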
@@ -0,0 +1,32 @@
+{
+ "name": "jira-checker",
+ "target": "branch",
+ "enforcement": "active",
+ "conditions": {
+ "repository_id": {
+ "repository_ids": [820921852]
+ },
+ "ref_name": {
+ "exclude": [],
+ "include": ["~ALL"]
+ }
+ },
+ "rules": [
+ {
+ "type": "deletion"
+ },
+ {
+ "type": "non_fast_forward"
+ },
+ {
+ "type": "commit_message_pattern",
+ "parameters": {
+ "operator": "starts_with",
+ "pattern": "ABC-",
+ "negate": false,
+ "name": ""
+ }
+ }
+ ],
+ "bypass_actors": []
+}
diff --git a/config/rulesets/no-exe.json b/config/rulesets/no-exe.json
new file mode 100644
index 0000000..076868e
--- /dev/null
+++ b/config/rulesets/no-exe.json
@@ -0,0 +1,19 @@
+{
+ "name": "no exe",
+ "target": "push",
+ "enforcement": "evaluate",
+ "conditions": {
+ "repository_id": {
+ "repository_ids": [820921852]
+ }
+ },
+ "rules": [
+ {
+ "type": "file_extension_restriction",
+ "parameters": {
+ "restricted_file_extensions": ["*.exe"]
+ }
+ }
+ ],
+ "bypass_actors": []
+}
diff --git a/config/rulesets/prevent-excluding-secrets.json b/config/rulesets/prevent-excluding-secrets.json
new file mode 100644
index 0000000..3834388
--- /dev/null
+++ b/config/rulesets/prevent-excluding-secrets.json
@@ -0,0 +1,26 @@
+{
+ "name": "prevent ppl from excluding secrets",
+ "target": "push",
+ "enforcement": "active",
+ "conditions": {
+ "repository_property": {
+ "exclude": [],
+ "include": []
+ }
+ },
+ "rules": [
+ {
+ "type": "file_path_restriction",
+ "parameters": {
+ "restricted_file_paths": [".github/secret_scanning.yml"]
+ }
+ }
+ ],
+ "bypass_actors": [
+ {
+ "actor_id": null,
+ "actor_type": "OrganizationAdmin",
+ "bypass_mode": "always"
+ }
+ ]
+}
diff --git a/config/rulesets/require-pr.json b/config/rulesets/require-pr.json
new file mode 100644
index 0000000..6f18943
--- /dev/null
+++ b/config/rulesets/require-pr.json
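Review bot: The condition `"repository_ids": [820921852]` pins this ruleset to one repository by a numeric ID taken from the source organization; repository IDs are global, so on any target organization this condition cannot match a repository that organization owns (short of the repository itself being transferred) and the rules never apply. The same problem affects `820921852` in no-exe.json, `"repository_id": 597081278` in required-workflow-dependency-review.json, and the `Team` `"actor_id": 5675129` in security-checks.json, since team IDs are organization-scoped. Unless the sync action remaps these IDs, which nothing in this change shows, target by `repository_name` as the other rulesets do and resolve the team and the workflow repository by slug/name at sync time. Whichever way it is resolved, the fact that these files carry source-organization IDs deserves a note next to the `rulesets-file` list in orgs.yml.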
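Review bot: The `repository_property` condition has both `include` and `exclude` empty, so the file does not say which repositories this active ruleset targets, while its name suggests it should cover the whole organization. Whether an empty `include` means every repository or none is not visible here and not something to leave to the API default; prefer an explicit target such as `"repository_name": { "exclude": [], "include": ["~ALL"] }`, matching require-pr.json and the others. Protecting `.github/secret_scanning.yml` is the right control for keeping secret-scanning exclusions from being widened without review, so it is worth making sure the rule actually applies somewhere.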
@@ -0,0 +1,35 @@
+{
+ "name": "require-pr",
+ "target": "branch",
+ "enforcement": "evaluate",
+ "conditions": {
+ "repository_name": {
+ "exclude": [],
+ "include": ["~ALL"]
+ },
+ "ref_name": {
+ "exclude": [],
+ "include": ["~DEFAULT_BRANCH"]
+ }
+ },
+ "rules": [
+ {
+ "type": "deletion"
+ },
+ {
+ "type": "non_fast_forward"
+ },
+ {
+ "type": "pull_request",
+ "parameters": {
+ "required_approving_review_count": 1,
+ "dismiss_stale_reviews_on_push": false,
+ "require_code_owner_review": false,
+ "require_last_push_approval": false,
+ "required_review_thread_resolution": false,
+ "allowed_merge_methods": ["merge", "squash", "rebase"]
+ }
+ }
+ ],
+ "bypass_actors": []
+}
diff --git a/config/rulesets/require-signed-commits.json b/config/rulesets/require-signed-commits.json
new file mode 100644
index 0000000..b9aedbb
--- /dev/null
+++ b/config/rulesets/require-signed-commits.json
@@ -0,0 +1,21 @@
+{
+ "name": "require-signed-commits",
+ "target": "branch",
+ "enforcement": "evaluate",
+ "conditions": {
+ "repository_name": {
+ "exclude": [],
+ "include": ["~ALL"]
+ },
+ "ref_name": {
+ "exclude": [],
+ "include": ["~DEFAULT_BRANCH"]
+ }
+ },
+ "rules": [
+ {
+ "type": "required_signatures"
+ }
+ ],
+ "bypass_actors": []
+}
diff --git a/config/rulesets/required-workflow-dependency-review.json b/config/rulesets/required-workflow-dependency-review.json
new file mode 100644
index 0000000..222d01f
--- /dev/null
+++ b/config/rulesets/required-workflow-dependency-review.json
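Review bot: The `pull_request` parameters set `"dismiss_stale_reviews_on_push": false` and `"require_last_push_approval": false`, so an approval given once stays valid for any commits pushed to the pull request afterwards; for a ruleset named `require-pr` that is a weaker review guarantee than the name implies, and how-many-prs-without-approval.json carries the same two values. If the intent is that the merged code is what was reviewed, `"dismiss_stale_reviews_on_push": true` and `"require_last_push_approval": true` close that gap; if the looser setting is deliberate, note it in orgs.yml next to the `rulesets-file` entry, since JSON cannot hold the comment. The hunk also omits `required_reviewers`, which how-many-prs-without-approval.json lists as `[]`; harmless, but aligning the two parameter sets makes diffs between the files meaningful.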
@@ -0,0 +1,48 @@
+{
+ "name": "Required workflow: Dependency Review",
+ "target": "branch",
+ "enforcement": "evaluate",
+ "conditions": {
+ "ref_name": {
+ "exclude": [],
+ "include": ["refs/heads/main"]
+ },
+ "repository_property": {
+ "exclude": [
+ {
+ "name": "visibility",
+ "source": "system",
+ "property_values": ["public"]
+ }
+ ],
+ "include": []
+ }
+ },
+ "rules": [
+ {
+ "type": "workflows",
+ "parameters": {
+ "do_not_enforce_on_create": true,
+ "workflows": [
+ {
+ "repository_id": 597081278,
+ "path": ".github/workflows/dependency-review.yml",
+ "ref": "refs/heads/main"
+ }
+ ]
+ }
+ }
+ ],
+ "bypass_actors": [
+ {
+ "actor_id": null,
+ "actor_type": "OrganizationAdmin",
+ "bypass_mode": "always"
+ },
+ {
+ "actor_id": 5,
+ "actor_type": "RepositoryRole",
+ "bypass_mode": "always"
+ }
+ ]
+}
diff --git a/config/rulesets/security-checks.json b/config/rulesets/security-checks.json
new file mode 100644
index 0000000..61078a5
--- /dev/null
+++ b/config/rulesets/security-checks.json
@@ -0,0 +1,51 @@
+{
+ "name": "security-checks",
+ "target": "branch",
+ "enforcement": "active",
+ "conditions": {
+ "repository_name": {
+ "exclude": [],
+ "include": ["repo-rules-security-checks-*"]
+ },
+ "ref_name": {
+ "exclude": [],
+ "include": ["~DEFAULT_BRANCH"]
+ }
+ },
+ "rules": [
+ {
+ "type": "deletion"
+ },
+ {
+ "type": "non_fast_forward"
+ },
+ {
+ "type": "required_status_checks",
+ "parameters": {
+ "strict_required_status_checks_policy": false,
+ "required_status_checks": [
+ {
+ "context": "security / security-checks"
+ }
+ ]
+ }
+ }
+ ],
+ "bypass_actors": [
+ {
+ "actor_id": null,
+ "actor_type": "OrganizationAdmin",
+ "bypass_mode": "always"
+ },
+ {
+ "actor_id": 5,
+ "actor_type": "RepositoryRole",
+ "bypass_mode": "always"
+ },
+ {
+ "actor_id": 5675129,
+ "actor_type": "Team",
+ "bypass_mode": "always"
+ }
+ ]
+}
diff --git a/orgs.yml b/orgs.yml
index 7313187..bb35d53 100644
--- a/orgs.yml
+++ b/orgs.yml
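Review bot: `ref_name.include` is the literal `"refs/heads/main"` while every other branch ruleset in this change uses `"~DEFAULT_BRANCH"`, so a repository whose default branch is not `main` is not covered by the required workflow at all. Unless the literal branch is intentional, `"include": ["~DEFAULT_BRANCH"]` keeps this consistent with require-pr.json and require-signed-commits.json. The `visibility` / `public` exclude limits the workflow to non-public repositories and the workflow source is pinned by `"repository_id": 597081278`, an ID from the source organization; both are policy decisions that JSON cannot annotate, so record the reason for the visibility exclusion and how the workflow repository is resolved on target organizations next to the `rulesets-file` entry in orgs.yml.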
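Review bot: The required check is matched by context name only — the `required_status_checks` entry carries `"context": "security / security-checks"` with no `integration_id` — so a status of that name reported by any app or commit-status source satisfies the rule, not only the workflow run. Pinning the entry to the GitHub Actions app, `{ "context": "security / security-checks", "integration_id": <ACTIONS_APP_ID> }` (placeholder for the app's numeric ID), limits it to Actions-produced checks. `"strict_required_status_checks_policy": false` also means the check need not have run against the current base commit; that is a deliberate trade-off but worth recording. The `Team` bypass `"actor_id": 5675129` is a source-organization team ID and will not resolve on a different target organization.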
@@ -3,16 +3,35 @@ orgs:
 custom-properties-file: './config/custom-properties.yml'
 custom-repo-roles-file: './config/custom-repo-roles.yml'
 actions-allow-list-file: './config/actions-allow-list.yml'
+ issue-types-file: './config/issue-types.yml'
+ code-security-configurations-file: './config/code-security-configurations.yml'
+ rulesets-file:
+ - './config/rulesets/block-security-checks-updating.json'
+ - './config/rulesets/how-many-prs-without-approval.json'
+ - './config/rulesets/jira-checker.json'
+ - './config/rulesets/no-exe.json'
+ - './config/rulesets/prevent-excluding-secrets.json'
+ - './config/rulesets/require-pr.json'
+ - './config/rulesets/require-signed-commits.json'
+ - './config/rulesets/required-workflow-dependency-review.json'
+ - './config/rulesets/security-checks.json'
 actions-policy:
 allowed-actions: selected
 github-owned-allowed: true
 verified-allowed: true
 default-workflow-permissions: read
 actions-can-approve-pull-request-reviews: false
+ # --- Drift control: uncomment to delete resources not defined in config ---
+ # delete-unmanaged-properties: true
+ # delete-unmanaged-issue-types: true
+ # delete-unmanaged-rulesets: true
+ # delete-unmanaged-code-security-configurations: true
+ # delete-unmanaged-org-roles: true
+ # delete-unmanaged-repo-roles: true
 org-profile:
 org-description: "@joshjohanning's samples"
 org-location: 'United States of America'
- org-blog: 'https://josh-ops.com'
+ org-url: 'https://josh-ops.com'
 member-privileges:
 default-repository-permission: none
 members-can-create-repositories: false
From 6fb86d42aecb7e3f42db11e44c1fe5be7b73444f Mon Sep 17 00:00:00 2001 From: Josh Johanning Date: Sun, 17 May 2026 13:37:38 -0500 Subject: [PATCH 2/3] Fix issue type color values Use 6-character hex color values expected by the sync action. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 config/issue-types.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
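Review bot: The drift-control comment block does not say what each `delete-unmanaged-*` key reconciles against, and nothing in this hunk validates the key names, so a misspelled key would presumably be ignored silently once uncommented and the operator would believe drift control is on. I would extend the header to `# --- Drift control: uncomment to delete target-org resources not listed in the *-file entries above; check each key name against the action's documented inputs ---`. `rulesets-file` is the only `*-file` key given as a list, so a short comment such as `# rulesets-file: a single path or a list of paths` saves the next reader a trip to the action's documentation. The `org-blog` to `org-url` rename is not explained here either; if it tracks a renamed action input, a one-line comment saying so keeps a future reader from reverting it.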
diff --git a/config/issue-types.yml b/config/issue-types.yml
index 30de54c..e524f83 100644
--- a/config/issue-types.yml
+++ b/config/issue-types.yml
@@ -4,25 +4,25 @@
 - name: Task
 description: 'A specific piece of work'
- color: yellow
+ color: fbca04
 is_enabled: true
 - name: Bug
 description: 'An unexpected problem or behavior'
- color: red
+ color: d73a4a
 is_enabled: true
 - name: Feature
 description: 'A request, idea, or new functionality'
- color: purple
+ color: a371f7
 is_enabled: true
 - name: User Story
 description: 'A requirement'
- color: blue
+ color: 0075ca
 is_enabled: true
 - name: Epic
 description: 'A vision'
- color: orange
+ color: ffbf00
 is_enabled: true
From dc2df75404359188fb32b98c21f4a8d25544e3f4 Mon Sep 17 00:00:00 2001 From: Josh Johanning Date: Sun, 17 May 2026 13:46:45 -0500 Subject: [PATCH 3/3] Use named issue type colors Switch issue type colors back to GitHub-supported named enum values. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 config/issue-types.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/config/issue-types.yml b/config/issue-types.yml
index e524f83..30de54c 100644
--- a/config/issue-types.yml
+++ b/config/issue-types.yml
@@ -4,25 +4,25 @@
 - name: Task
 description: 'A specific piece of work'
- color: fbca04
+ color: yellow
 is_enabled: true
 - name: Bug
 description: 'An unexpected problem or behavior'
- color: d73a4a
+ color: red
 is_enabled: true
 - name: Feature
 description: 'A request, idea, or new functionality'
- color: a371f7
+ color: purple
 is_enabled: true
 - name: User Story
 description: 'A requirement'
- color: 0075ca
+ color: blue
 is_enabled: true
 - name: Epic
 description: 'A vision'
- color: ffbf00
+ color: orange
 is_enabled: true
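Review bot: The file still gives no hint that `color` accepts only the named values, even though commits 6fb86d4 and dc2df75 flip the representation from names to hex and back, so the next editor can repeat the same mistake. Add to the header comment, which lies outside this hunk, a line such as `# color must be a GitHub named issue-type color (e.g. yellow, red, purple, blue, orange); hex values are not accepted — see commits 6fb86d4 and dc2df75`. Quoting the values (`color: 'yellow'`) is optional here since none of them is a YAML boolean or number, but it would keep a future value like `on` or a hex string starting with digits from being retyped.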