chore: import Env Variable and Fork Update

.eslintrc.json

@@ -8,9 +8,16 @@
         "standard"
     ],
     "parserOptions": {
-        "ecmaVersion": 12
+        "ecmaVersion": 13
     },
     "rules": {
     },
-    "ignorePatterns": ["test/**/*.js"]
+    "overrides": [
+        {
+            "files": ["test/**/*.js"],
+            "env": {
+                "jest": true
+            }
+        }
+    ]
 }

.github/workflows/create-pre-release.yml

@@ -31,6 +31,10 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  contents: write
+  packages: write
+
 jobs:
   build:
     if: ${{ github.actor != 'dependabot'}}
@@ -46,15 +50,15 @@ jobs:
           cache: 'npm'
       - run: npm install
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
       - name: Log in to the Container registry
-        uses: docker/login-action@v3 
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image Locally
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           file: ./Dockerfile
@@ -73,15 +77,15 @@ jobs:
       - run: echo "${{ github.ref }}"
       - name: Tag a final release 
         id: prerelease
-        uses: actionsdesk/semver@0.6.0-rc.10
+        uses: actionsdesk/semver@82aa4310e4e21c59cd0020007a4278e733e81dcb
         with:
           bump: ${{ inputs.bump }}
           prerelease: ${{ inputs.prerelease }}
           prelabel: ${{ inputs.prelabel }}
           commitish: ${{ github.ref }}
       - name: Push Docker Image
         if: ${{ success() }}
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           file: ./Dockerfile

.github/workflows/create-release.yml

@@ -9,6 +9,10 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  contents: write
+  packages: write
+
 jobs:
   build:
     if: ${{ github.actor != 'dependabot'}}
@@ -24,15 +28,15 @@ jobs:
           cache: "npm"
       - run: npm install
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
       - name: Log in to the Container registry
-        uses: docker/login-action@v3 
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image Locally
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           file: ./Dockerfile
@@ -50,12 +54,12 @@ jobs:
           curl http://localhost:3000
       - name: Tag a final release
         id: finalrelease
-        uses: actionsdesk/semver@0.6.0-rc.10
+        uses: actionsdesk/semver@82aa4310e4e21c59cd0020007a4278e733e81dcb
         with:
           bump: final
       - name: Push Docker Image
         if: ${{ success() }}
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           file: ./Dockerfile

.github/workflows/deploy-k8s.yml

@@ -29,35 +29,35 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      - uses: azure/login@v1
+      - uses: azure/login@a65d910e8af852a8061c627c456678983e180302
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
-      - uses: azure/aks-set-context@v3
+      - uses: azure/aks-set-context@feeca6405be94202afcb1c395616ff29b1811b9f
         with:
           resource-group: ${{env.AZURE_RESOURCE_GROUP}}
           cluster-name: ${{env.AZURE_AKS_CLUSTER}}
         id: login
       - run: |
           kubectl get deployment
       - name: app-env
-        uses: azure/k8s-create-secret@v4
+        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218
         with:
           namespace: 'default'
           secret-type: 'generic'
           arguments:  --from-literal=APP_ID=${{ secrets.APP_ID }} --from-literal=PRIVATE_KEY=${{ secrets.PRIVATE_KEY }} --from-literal=WEBHOOK_SECRET=${{ secrets.WEBHOOK_SECRET }}
           secret-name: app-env
       - name: Set imagePullSecret
-        uses: azure/k8s-create-secret@v4
+        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218
         with:
           namespace: ${{env.AZURE_AKS_NAMESPACE}}
           container-registry-url: ${{env.IMAGE_REGISTRY_URL}}
           container-registry-username: ${{ secrets.DOCKER_USERNAME }}
           container-registry-password: ${{ secrets.DOCKER_PASSWORD }}
           secret-name: 'image-pull-secret'
         id: create-secret
-      - uses: Azure/k8s-deploy@v4.10
+      - uses: Azure/k8s-deploy@v5
         with:
           namespace: ${{env.AZURE_AKS_NAMESPACE}}
           manifests: |

.github/workflows/node-ci.yml

@@ -2,6 +2,9 @@ name: Node.js CI
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true

.github/workflows/rc-release.yml

@@ -35,7 +35,7 @@ jobs:
     - name: Tag a rc release 
       if: ${{ !github.event.pull_request.head.repo.fork }}
       id: rcrelease
-      uses: actionsdesk/semver@0.6.0-rc.10
+      uses: actionsdesk/semver@82aa4310e4e21c59cd0020007a4278e733e81dcb
       with:
         prerelease: withBuildNumber
         prelabel: rc
@@ -60,23 +60,23 @@ jobs:
       - run: echo ${{ github.actor }}
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
       - name: Build and push Docker image
-        uses: docker/build-push-action@master
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           push: true

README.md

@@ -290,7 +290,21 @@ The following can be configured:
 - `Rulesets`
 - `Environments` - wait timer, required reviewers, prevent self review, protected branches deployment branch policy, custom deployment branch policy, variables, deployment protection rules
 
-It is possible to provide an `include` or `exclude` settings to restrict the `collaborators`, `teams`, `labels` to a list of repos or exclude a set of repos for a collaborator.
+> [!important]
+> It is possible to provide an `include` or `exclude` settings to restrict the `collaborators`, `teams`, `labels` to a list of repos or exclude a set of repos for a collaborator. 
+> The include/exclude pattern can also be for glob. For e.g.:
+```
+teams:
+  - name: Myteam-admins
+    permission: admin
+  - name: Myteam-developers
+    permission: push
+  - name: Other-team
+    permission: push
+    include:
+      - '*-config'
+```
+> Will only add `Other-team` to only `*-config` repos
 
 See [`docs/sample-settings/settings.yml`](docs/sample-settings/settings.yml) for a sample settings file.
 
@@ -368,7 +382,7 @@ You can pass environment variables; the easiest way to do it is via a `.env` fil
 
 ## How to use
 
-1. Create an `admin` repo (or an alternative of your choosing) within your organization. Remember to set `CONFIG_REPO` if you choose something other than `admin`. See [Environment variables](#environment-variables) for more details.
+1. Create an `admin` repo (or an alternative of your choosing) within your organization. Remember to set `ADMIN_REPO` if you choose something other than `admin`. See [Environment variables](#environment-variables) for more details.
 
 2. Add the settings for the `org`, `suborgs`, and `repos`. Sample files can be found [here](docs/sample-settings).
 

full-sync.js

@@ -1,6 +1,8 @@
 const { createProbot } = require('probot')
 const appFn = require('./')
 
+require('dotenv').config()
+
 const probot = createProbot()
 probot.log.info('Starting full sync.')
 const app = appFn(probot, {})

index.js

@@ -9,9 +9,7 @@ const env = require('./lib/env')
 
 let deploymentConfig
 
-
 module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) => {
-  let appName = 'safe-settings'
   let appSlug = 'safe-settings'
   async function syncAllSettings (nop, context, repo = context.repo(), ref) {
     try {
@@ -101,7 +99,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       const config = Object.assign({}, deploymentConfig, runtimeConfig)
       const renameConfig = Object.assign({}, config, rename)
       robot.log.debug(`config for ref ${ref} is ${JSON.stringify(config)}`)
-      return Settings.sync(nop, context, repo, renameConfig, ref )
+      return Settings.sync(nop, context, repo, renameConfig, ref)
     } catch (e) {
       if (nop) {
         let filename = env.SETTINGS_FILE_PATH
@@ -217,7 +215,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
     robot.log.debug(JSON.stringify(res, null))
   }
 
-  async function info() {
+  async function info () {
     const github = await robot.auth()
     const installations = await github.paginate(
       github.apps.listInstallations.endpoint.merge({ per_page: 100 })
@@ -227,13 +225,11 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       const installation = installations[0]
       const github = await robot.auth(installation.id)
       const app = await github.apps.getAuthenticated()
-      appName = app.data.name
       appSlug = app.data.slug
       robot.log.debug(`Validated the app is configured properly = \n${JSON.stringify(app.data, null, 2)}`)
     }
   }
 
-
   async function syncInstallation () {
     robot.log.trace('Fetching installations')
     const github = await robot.auth()
@@ -395,8 +391,8 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
   })
 
   robot.on('repository.renamed', async context => {
-    if (env.BLOCK_REPO_RENAME_BY_HUMAN!== 'true') {
-      robot.log.debug(`"env.BLOCK_REPO_RENAME_BY_HUMAN" is 'false' by default. Repo rename is not managed by Safe-settings. Continue with the default behavior.`)
+    if (env.BLOCK_REPO_RENAME_BY_HUMAN !== 'true') {
+      robot.log.debug('"env.BLOCK_REPO_RENAME_BY_HUMAN" is \'false\' by default. Repo rename is not managed by Safe-settings. Continue with the default behavior.')
       return
     }
     const { payload } = context
@@ -414,7 +410,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       const newPath = `.github/repos/${payload.repository.name}.yml`
       robot.log.debug(oldPath)
       try {
-        const repofile =  await context.octokit.request('GET /repos/{owner}/{repo}/contents/{path}', {
+        const repofile = await context.octokit.request('GET /repos/{owner}/{repo}/contents/{path}', {
           owner: payload.repository.owner.login,
           repo: env.ADMIN_REPO,
           path: oldPath,
@@ -439,12 +435,12 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
         } catch (error) {
           if (error.status === 404) {
             // if the a config file does not exist, create one from the old one
-            const update = await context.octokit.request('PUT /repos/{owner}/{repo}/contents/{path}', {
+            await context.octokit.request('PUT /repos/{owner}/{repo}/contents/{path}', {
               owner: payload.repository.owner.login,
               repo: env.ADMIN_REPO,
               path: newPath,
-              name:  `${payload.repository.name}.yml`,
-              content: content,
+              name: `${payload.repository.name}.yml`,
+              content,
               message: `Repo Renamed and safe-settings renamed the file from ${payload.changes.repository.name.from} to ${payload.repository.name}`,
               sha: repofile.data.sha,
               headers: {
@@ -455,26 +451,23 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
           } else {
             robot.log.error(error)
           }
-        } 
-
+        }
       } catch (error) {
         if (error.status === 404) {
-          //nop
-        } else {  
+          // nop
+        } else {
           robot.log.error(error)
         }
-      } 
-      return
+      }
     } else {
       robot.log.debug('Repository Edited by a Human')
       // Create a repository config to reset the name back to the previous name
-      const rename = {repository: { name: payload.changes.repository.name.from, oldname: payload.repository.name}}
-      const repo = {repo: payload.changes.repository.name.from, owner: payload.repository.owner.login}
+      const rename = { repository: { name: payload.changes.repository.name.from, oldname: payload.repository.name } }
+      const repo = { repo: payload.changes.repository.name.from, owner: payload.repository.owner.login }
       return renameSync(false, context, repo, rename)
     }
   })
 
-
   robot.on('check_suite.requested', async context => {
     const { payload } = context
     const { repository } = payload
@@ -663,7 +656,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       syncInstallation()
     })
   }
-  
+
   // Get info about the app
   info()
 

lib/commentmessage.js

@@ -28,4 +28,4 @@ module.exports = `* Run on: \` <%= new Date() %> \`
     <% }) %>
 
   <% }) %>
-<% } %>`
+<% } %>`