Add issue types, code security configs, and ruleset sync

config/code-security-configurations.yml

@@ -0,0 +1,34 @@
+# Code security configurations synced to target organizations
+# Configurations are matched by name (update if exists, create otherwise).
+# Captured from joshjohanning-org current state (org-scoped configs only;
+# enterprise/global configs are managed at a higher level).
+#
+# Skipped: "tes" (appears to be a throwaway test config).
+
+- name: Legacy
+  description: 'Your previous organization settings for new repositories, as of March 2024'
+  advanced_security: enabled
+  dependency_graph: enabled
+  secret_scanning: enabled
+  secret_scanning_push_protection: enabled
+  enforcement: unenforced
+
+- name: Dependabot-only
+  description: 'Dependabot-only'
+  advanced_security: enabled
+  dependency_graph: enabled
+  dependabot_alerts: enabled
+  enforcement: enforced
+
+- name: "Josh's configuration"
+  description: 'sample'
+  advanced_security: enabled
+  dependency_graph: enabled
+  dependabot_alerts: enabled
+  code_scanning_default_setup: enabled
+  secret_scanning: enabled
+  secret_scanning_push_protection: enabled
+  secret_scanning_validity_checks: enabled
+  secret_scanning_extended_metadata: enabled
+  private_vulnerability_reporting: enabled
+  enforcement: enforced

config/issue-types.yml

@@ -0,0 +1,28 @@
+# Issue type definitions synced to target organizations
+# See: https://docs.github.com/en/rest/orgs/issue-types
+# Captured from joshjohanning-org current state.
+
+- name: Task
+  description: 'A specific piece of work'
+  color: yellow
+  is_enabled: true
+
+- name: Bug
+  description: 'An unexpected problem or behavior'
+  color: red
+  is_enabled: true
+
+- name: Feature
+  description: 'A request, idea, or new functionality'
+  color: purple
+  is_enabled: true
+
+- name: User Story
+  description: 'A requirement'
+  color: blue
+  is_enabled: true
+
+- name: Epic
+  description: 'A vision'
+  color: orange
+  is_enabled: true

config/rulesets/block-security-checks-updating.json

@@ -0,0 +1,20 @@
+{
+  "name": "Block security checks updating",
+  "target": "push",
+  "enforcement": "active",
+  "conditions": {
+    "repository_name": {
+      "exclude": [],
+      "include": ["repo-rules-security-*"]
+    }
+  },
+  "rules": [
+    {
+      "type": "file_path_restriction",
+      "parameters": {
+        "restricted_file_paths": [".github/workflows/security-checks.yml"]
+      }
+    }
+  ],
+  "bypass_actors": []
+}

config/rulesets/how-many-prs-without-approval.json

@@ -0,0 +1,30 @@
+{
+  "name": "How-many-prs-without-approval",
+  "target": "branch",
+  "enforcement": "evaluate",
+  "conditions": {
+    "ref_name": {
+      "exclude": [],
+      "include": ["~DEFAULT_BRANCH"]
+    },
+    "repository_name": {
+      "exclude": [],
+      "include": ["~ALL"]
+    }
+  },
+  "rules": [
+    {
+      "type": "pull_request",
+      "parameters": {
+        "required_approving_review_count": 1,
+        "dismiss_stale_reviews_on_push": false,
+        "required_reviewers": [],
+        "require_code_owner_review": false,
+        "require_last_push_approval": false,
+        "required_review_thread_resolution": false,
+        "allowed_merge_methods": ["merge", "squash", "rebase"]
+      }
+    }
+  ],
+  "bypass_actors": []
+}

config/rulesets/jira-checker.json

@@ -0,0 +1,32 @@
+{
+  "name": "jira-checker",
+  "target": "branch",
+  "enforcement": "active",
+  "conditions": {
+    "repository_id": {
+      "repository_ids": [820921852]
+    },
+    "ref_name": {
+      "exclude": [],
+      "include": ["~ALL"]
+    }
+  },
+  "rules": [
+    {
+      "type": "deletion"
+    },
+    {
+      "type": "non_fast_forward"
+    },
+    {
+      "type": "commit_message_pattern",
+      "parameters": {
+        "operator": "starts_with",
+        "pattern": "ABC-",
+        "negate": false,
+        "name": ""
+      }
+    }
+  ],
+  "bypass_actors": []
+}

config/rulesets/no-exe.json

@@ -0,0 +1,19 @@
+{
+  "name": "no exe",
+  "target": "push",
+  "enforcement": "evaluate",
+  "conditions": {
+    "repository_id": {
+      "repository_ids": [820921852]
+    }
+  },
+  "rules": [
+    {
+      "type": "file_extension_restriction",
+      "parameters": {
+        "restricted_file_extensions": ["*.exe"]
+      }
+    }
+  ],
+  "bypass_actors": []
+}

config/rulesets/prevent-excluding-secrets.json

@@ -0,0 +1,26 @@
+{
+  "name": "prevent ppl from excluding secrets",
+  "target": "push",
+  "enforcement": "active",
+  "conditions": {
+    "repository_property": {
+      "exclude": [],
+      "include": []
+    }
+  },
+  "rules": [
+    {
+      "type": "file_path_restriction",
+      "parameters": {
+        "restricted_file_paths": [".github/secret_scanning.yml"]
+      }
+    }
+  ],
+  "bypass_actors": [
+    {
+      "actor_id": null,
+      "actor_type": "OrganizationAdmin",
+      "bypass_mode": "always"
+    }
+  ]
+}

config/rulesets/require-pr.json

@@ -0,0 +1,35 @@
+{
+  "name": "require-pr",
+  "target": "branch",
+  "enforcement": "evaluate",
+  "conditions": {
+    "repository_name": {
+      "exclude": [],
+      "include": ["~ALL"]
+    },
+    "ref_name": {
+      "exclude": [],
+      "include": ["~DEFAULT_BRANCH"]
+    }
+  },
+  "rules": [
+    {
+      "type": "deletion"
+    },
+    {
+      "type": "non_fast_forward"
+    },
+    {
+      "type": "pull_request",
+      "parameters": {
+        "required_approving_review_count": 1,
+        "dismiss_stale_reviews_on_push": false,
+        "require_code_owner_review": false,
+        "require_last_push_approval": false,
+        "required_review_thread_resolution": false,
+        "allowed_merge_methods": ["merge", "squash", "rebase"]
+      }
+    }
+  ],
+  "bypass_actors": []
+}

config/rulesets/require-signed-commits.json

@@ -0,0 +1,21 @@
+{
+  "name": "require-signed-commits",
+  "target": "branch",
+  "enforcement": "evaluate",
+  "conditions": {
+    "repository_name": {
+      "exclude": [],
+      "include": ["~ALL"]
+    },
+    "ref_name": {
+      "exclude": [],
+      "include": ["~DEFAULT_BRANCH"]
+    }
+  },
+  "rules": [
+    {
+      "type": "required_signatures"
+    }
+  ],
+  "bypass_actors": []
+}

config/rulesets/required-workflow-dependency-review.json

@@ -0,0 +1,48 @@
+{
+  "name": "Required workflow: Dependency Review",
+  "target": "branch",
+  "enforcement": "evaluate",
+  "conditions": {
+    "ref_name": {
+      "exclude": [],
+      "include": ["refs/heads/main"]
+    },
+    "repository_property": {
+      "exclude": [
+        {
+          "name": "visibility",
+          "source": "system",
+          "property_values": ["public"]
+        }
+      ],
+      "include": []
+    }
+  },
+  "rules": [
+    {
+      "type": "workflows",
+      "parameters": {
+        "do_not_enforce_on_create": true,
+        "workflows": [
+          {
+            "repository_id": 597081278,
+            "path": ".github/workflows/dependency-review.yml",
+            "ref": "refs/heads/main"
+          }
+        ]
+      }
+    }
+  ],
+  "bypass_actors": [
+    {
+      "actor_id": null,
+      "actor_type": "OrganizationAdmin",
+      "bypass_mode": "always"
+    },
+    {
+      "actor_id": 5,
+      "actor_type": "RepositoryRole",
+      "bypass_mode": "always"
+    }
+  ]
+}

config/rulesets/security-checks.json

@@ -0,0 +1,51 @@
+{
+  "name": "security-checks",
+  "target": "branch",
+  "enforcement": "active",
+  "conditions": {
+    "repository_name": {
+      "exclude": [],
+      "include": ["repo-rules-security-checks-*"]
+    },
+    "ref_name": {
+      "exclude": [],
+      "include": ["~DEFAULT_BRANCH"]
+    }
+  },
+  "rules": [
+    {
+      "type": "deletion"
+    },
+    {
+      "type": "non_fast_forward"
+    },
+    {
+      "type": "required_status_checks",
+      "parameters": {
+        "strict_required_status_checks_policy": false,
+        "required_status_checks": [
+          {
+            "context": "security / security-checks"
+          }
+        ]
+      }
+    }
+  ],
+  "bypass_actors": [
+    {
+      "actor_id": null,
+      "actor_type": "OrganizationAdmin",
+      "bypass_mode": "always"
+    },
+    {
+      "actor_id": 5,
+      "actor_type": "RepositoryRole",
+      "bypass_mode": "always"
+    },
+    {
+      "actor_id": 5675129,
+      "actor_type": "Team",
+      "bypass_mode": "always"
+    }
+  ]
+}

orgs.yml

@@ -3,16 +3,35 @@ orgs:
     custom-properties-file: './config/custom-properties.yml'
     custom-repo-roles-file: './config/custom-repo-roles.yml'
     actions-allow-list-file: './config/actions-allow-list.yml'
+    issue-types-file: './config/issue-types.yml'
+    code-security-configurations-file: './config/code-security-configurations.yml'
+    rulesets-file:
+      - './config/rulesets/block-security-checks-updating.json'
+      - './config/rulesets/how-many-prs-without-approval.json'
+      - './config/rulesets/jira-checker.json'
+      - './config/rulesets/no-exe.json'
+      - './config/rulesets/prevent-excluding-secrets.json'
+      - './config/rulesets/require-pr.json'
+      - './config/rulesets/require-signed-commits.json'
+      - './config/rulesets/required-workflow-dependency-review.json'
+      - './config/rulesets/security-checks.json'
     actions-policy:
       allowed-actions: selected
       github-owned-allowed: true
       verified-allowed: true
       default-workflow-permissions: read
       actions-can-approve-pull-request-reviews: false
+    # --- Drift control: uncomment to delete resources not defined in config ---
+    # delete-unmanaged-properties: true
+    # delete-unmanaged-issue-types: true
+    # delete-unmanaged-rulesets: true
+    # delete-unmanaged-code-security-configurations: true
+    # delete-unmanaged-org-roles: true
+    # delete-unmanaged-repo-roles: true
     org-profile:
       org-description: "@joshjohanning's samples"
       org-location: 'United States of America'
-      org-blog: 'https://josh-ops.com'
+      org-url: 'https://josh-ops.com'
     member-privileges:
       default-repository-permission: none
       members-can-create-repositories: false