Standardise GitHub repo settings

[mattwynne]

As we break apart the monorepo (#1724) and implement release automation (#1688), it becomes increasingly difficult to manage the various branch protection rule and environment settings in each repo.

@mpkorstanje has suggested using Terraform to manage this config. Here's a blog post with some examples: https://www.mineiros.io/blog/how-to-manage-your-github-organization-with-terraform

[mattwynne]

We could also use Pulumi, which has the advantage of using a regular programming language for the declarations instead of HCL. https://www.pulumi.com/registry/packages/github/

I'll have a tinker with both.

[mattwynne]

I've played with Pulumi today, and managed to get it to configure team access to a couple of repos. Proof of concept code is here: https://github.com/cucumber/github-settings

[mattwynne]

The first task I tried to take on with this was to give us declarative management of team-repo permissions. It seems that this just isn't possible at the moment.

However, it should still be possible to use either Pulumi or Terraform to set up and manage the branch protection rules we need established for repos where we have release automation. I'll try that next.

[mattwynne]

Perhaps this could be a better solution than Terraform:

https://github.com/probot/settings

[mattwynne]

Sigh. Doesn't seem to support branch protection rules properly: https://github.com/probot/settings/issues/227

[luke-hill]

@mattwynne any updates here?

[mattwynne]

I haven't found any technology that can do it. I found https://github.com/repository-settings/app but last time I looked it had a bunch of usability problems (e.g. https://github.com/repository-settings/app#security-implications) and wasn't under active development. It looks like things may have picked up again, so it could still be an option.