Sync settings and secrets to one or all my repositories #28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sync settings and secrets to one or all my repositories | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| type: | |
| description: What type of sync do you want to perform? | |
| required: true | |
| default: "all" | |
| type: choice | |
| options: | |
| - settings | |
| - secrets | |
| - variables | |
| - all | |
| repository: | |
| description: > | |
| Repository to synchronize. Leave empty to run this on every | |
| repo where the alejandrohdezma-steward GitHub App is installed | |
| required: false | |
| default: "" | |
| jobs: | |
| get-repositories: | |
| name: Create repo-matrix depending on whether the `repository` input is filled or not | |
| runs-on: ubuntu-latest | |
| outputs: | |
| repositories: ${{ steps.repositories.outputs.repositories }} | |
| steps: | |
| - name: Get the GitHub App installation token | |
| uses: alejandrohdezma/actions/github-app-token@v1 | |
| id: github_app | |
| with: | |
| token: ${{ secrets.MANAGEMENT_APP_TOKEN }} | |
| - name: Select repositories to update | |
| id: repositories | |
| run: | | |
| if [ "${{ github.event.inputs.repository }}" != "" ]; then | |
| echo "repositories=[\"alejandrohdezma/${{ github.event.inputs.repository }}\"]" >> $GITHUB_OUTPUT | |
| else | |
| echo "repositories=$(gh api installation/repositories -q '.repositories | map(.full_name)')" >> $GITHUB_OUTPUT | |
| fi | |
| env: | |
| GITHUB_TOKEN: ${{ steps.github_app.outputs.token }} | |
| sync: | |
| name: ${{ matrix.repo }} - Sync labels, settings and secrets | |
| runs-on: ubuntu-latest | |
| needs: get-repositories | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| repo: ${{ fromJson(needs.get-repositories.outputs.repositories) }} | |
| steps: | |
| - name: Get the GitHub App installation token | |
| uses: alejandrohdezma/actions/github-app-token@v1 | |
| id: github_app | |
| with: | |
| token: ${{ secrets.MANAGEMENT_APP_TOKEN }} | |
| - name: Sync settings to ${{ matrix.repo }} | |
| if: github.event.inputs.type == 'settings' || github.event.inputs.type == 'all' | |
| run: | | |
| gh api --silent -X PATCH /repos/${{ matrix.repo }} --input - <<< '{ | |
| "web_commit_signoff_required": true, | |
| "has_wiki": false, | |
| "has_projects": false, | |
| "delete_branch_on_merge": true, | |
| "allow_update_branch": true, | |
| "allow_auto_merge": true, | |
| "allow_merge_commit": true, | |
| "allow_squash_merge": false, | |
| "allow_rebase_merge": false | |
| }' | |
| env: | |
| GITHUB_TOKEN: ${{ steps.github_app.outputs.token }} | |
| - name: Sync branch protection to ${{ matrix.repo }} | |
| if: github.event.inputs.type == 'settings' || github.event.inputs.type == 'all' | |
| run: | | |
| default_branch=$(gh api /repos/${{ matrix.repo }} --jq '.default_branch') | |
| gh api --silent -X PUT "/repos/${{ matrix.repo }}/branches/$default_branch/protection" --input - <<< '{ | |
| "required_status_checks": { | |
| "strict": true, | |
| "contexts": [ | |
| "Run \"sbt ci-test\" on JDK 11", | |
| "Run \"sbt ci-test\" on JDK 17" | |
| ] | |
| }, | |
| "enforce_admins": false, | |
| "required_pull_request_reviews": null, | |
| "required_conversation_resolution": true, | |
| "restrictions": null | |
| }' | |
| env: | |
| GITHUB_TOKEN: ${{ steps.github_app.outputs.token }} | |
| - name: Sync default workflow permissions | |
| if: github.event.inputs.type == 'settings' || github.event.inputs.type == 'all' | |
| run: | | |
| gh api -X PUT /repos/${{ matrix.repo }}/actions/permissions/workflow \ | |
| -f "default_workflow_permissions=write" -F "can_approve_pull_request_reviews=true" | |
| env: | |
| GITHUB_TOKEN: ${{ steps.github_app.outputs.token }} | |
| - name: Sync tag protection to ${{ matrix.repo }} | |
| if: github.event.inputs.type == 'settings' || github.event.inputs.type == 'all' | |
| run: | | |
| has_protection=$(gh api /repos/${{ matrix.repo }}/tags/protection -q 'map(.pattern) | . as $f | "v*" | IN($f[])') | |
| if [ "$has_protection" != "true" ]; then | |
| gh api -X POST /repos/${{ matrix.repo }}/tags/protection -f pattern='v*' | |
| fi | |
| env: | |
| GITHUB_TOKEN: ${{ steps.github_app.outputs.token }} | |
| - name: Sync secrets to ${{ matrix.repo }} | |
| if: github.event.inputs.type == 'secrets' || github.event.inputs.type == 'all' | |
| run: | | |
| gh secret set PGP_PASSPHRASE -b"${PGP_PASSPHRASE}" --repo ${{ matrix.repo }} | |
| gh secret set PGP_SECRET -b"${PGP_SECRET}" --repo ${{ matrix.repo }} | |
| gh secret set SONATYPE_PASSWORD -b"${SONATYPE_PASSWORD}" --repo ${{ matrix.repo }} | |
| gh secret set SONATYPE_USERNAME -b"${SONATYPE_USERNAME}" --repo ${{ matrix.repo }} | |
| gh secret set ADMIN_GITHUB_TOKEN -b"${ADMIN_GITHUB_TOKEN}" --repo ${{ matrix.repo }} | |
| env: | |
| PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }} | |
| PGP_SECRET: ${{ secrets.PGP_SECRET }} | |
| SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} | |
| SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} | |
| ADMIN_GITHUB_TOKEN: ${{ secrets.ADMIN_GITHUB_TOKEN }} | |
| GITHUB_TOKEN: ${{ secrets.ADMIN_GITHUB_TOKEN }} | |
| - name: Sync variables to ${{ matrix.repo }} | |
| if: github.event.inputs.type == 'variables' || github.event.inputs.type == 'all' | |
| run: | | |
| gh variable set STEWARD_BOT -b"alejandrohdezma-steward[bot]" --repo ${{ matrix.repo }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.ADMIN_GITHUB_TOKEN }} |