fix: address safe-settings runtime issues from initial testing#141
Open
marcusburghardt wants to merge 4 commits into
safe-settings 2.1.19+ uses Probot v14 which has a breaking change: the logger is initialized asynchronously but full-sync.js accesses it synchronously, causing 'Cannot read properties of null'. This is tracked upstream as github/safe-settings#955 with a fix in PR #961 (not yet merged). Downgrade default to 2.1.18 (last Probot v13 version) and expose the version as a workflow_dispatch input so newer versions can be tested without code changes. SHA 594f3c706de6c4ddafb1a86dfa7468f19337e54f verified via: gh api repos/github/safe-settings/git/ref/tags/2.1.18
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Assisted-by: OpenCode (claude-opus-4-6)

The GitHub API rejects org-level rulesets with partial pull_request parameters (HTTP 422). Add the missing parameters with their intended values (dismiss_stale_reviews_on_push, require_code_owner_review, require_last_push_approval all set to false). Update EXTERNALLY_DEFINED comment to clarify its expected behavior: the rule is dropped on initial creation (by design, nothing to retain) and takes effect on subsequent updates when checks exist externally.
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Assisted-by: OpenCode (claude-opus-4-6)

Use an allowlist approach instead of exclude list. This ensures only explicitly onboarded repos are managed by safe-settings, without needing to enumerate every unmanaged repo by name. Anchor all entries with ^ and $ for exact matching since safe-settings uses regex matching for restrictedRepos. Add complypack to the code repos suborg and ruleset conditions.
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Assisted-by: OpenCode (claude-opus-4-6)

Add 'type: creation' rule to both code repos and non-code repos rulesets. This restricts creation of refs matching the default branch pattern, preventing recreation of the default branch if deleted. Matches the existing behavior on complyctl and org-infra repo-level rulesets.
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Assisted-by: OpenCode (claude-opus-4-6)
Member
Author
@jpower432 thanks for reviewing #140. Unfortunately, after bumping I could successfully run it locally now and included some improvements from these tests in this PR.
Summary
Fix three runtime issues discovered during initial safe-settings testing against complytime-demos.

Related Issues

Review Hints
Review commits individually, each addresses a separate issue:
- fix(ci): Downgrade safe-settings to 2.1.18 (last Probot v13 version). Adds a version input to workflow_dispatch so newer versions can be tested without code changes.
- fix: Add missing pull_request parameters to the non-code repos ruleset. The GitHub API rejects partial parameter sets with HTTP 422.
- fix: Switch restrictedRepos from exclude to include (allowlist). Anchor all entries with ^...$ since safe-settings uses regex matching. Add complypack to code repos suborg and ruleset.

The version input defaults to the 2.1.18 commit SHA (594f3c706de6c4ddafb1a86dfa7468f19337e54f). To test a newer safe-settings version, enter a different SHA or tag in the workflow dispatch UI.

After merge, test with: Actions > "Safe Settings Sync" > Run workflow > dry-run=true, repos=complytime-demos

Full local validation:
make sanity
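
The reason for anchoring allowlist entries with ^ and $, as an added example (not code from this PR or from safe-settings): it assumes each include entry is compiled as a JavaScript regular expression and tested against the bare repository name. `selectManaged`, `unanchoredEntries` and `toExactPattern` are hypothetical helpers, and the repository names ending in `-archive` and `-sandbox` are constructed.

```javascript
// Added example, not safe-settings code. Assumption: every include entry is
// compiled with `new RegExp(entry)` and tested against the bare repo name.

// Repos an include list (allowlist) would select for management.
function selectManaged(include, repos) {
  const patterns = include.map((entry) => new RegExp(entry));
  return repos.filter((name) => patterns.some((re) => re.test(name)));
}

// True when the entry ends in a real `$` anchor rather than an escaped `\$`.
function endsWithAnchor(entry) {
  if (!entry.endsWith('$')) return false;
  const backslashes = entry.slice(0, -1).match(/\\*$/)[0].length;
  return backslashes % 2 === 0;
}

// Lint: entries that may match more than one exact name. Any `|` is flagged
// conservatively, because in `^a$|b` the anchors bind only the first branch.
function unanchoredEntries(include) {
  return include.filter(
    (e) => !e.startsWith('^') || !endsWithAnchor(e) || e.includes('|')
  );
}

// Build an exact-match entry from a literal repo name (escapes `.` etc.).
function toExactPattern(name) {
  return '^' + name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '$';
}

// Constructed sample: names ending in -archive / -sandbox are made up.
const repos = ['complyctl', 'complyctl-archive', 'org-infra',
  'org-infra-sandbox', 'complypack', 'complytime-demos'];
const loose = ['complyctl', 'org-infra', 'complypack'];
const strict = loose.map(toExactPattern);

console.log('loose  :', selectManaged(loose, repos));
console.log('strict :', selectManaged(strict, repos));
console.log('to fix :', unanchoredEntries(loose.concat(strict)));
```

A lint like `unanchoredEntries` can run in the same local validation step as the rest of the configuration checks, so an unanchored entry is caught before a sync applies settings to repositories that were never onboarded.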