Deploy Safe Settings app for managing GitHub settings as IaC
## Context
Safe Settings from GitHub (https://github.com/github/safe-settings) is an Infrastructure-as-Code solution for managing GitHub repository settings in a controlled, versioned, and auditable way. I have previously created a dedicated test organization (TestOrg11233465) and validated the functionalities of Safe Settings there, confirming it performs as required. The next step is to create a dedicated and production-ready Safe Settings deployment for the Flatcar GitHub organization.
This will help ensure Flatcar’s GitHub settings are managed consistently and transparently, supporting contributor onboarding, organizational governance, and CNCF graduation requirements.
## Example configuration
Below are configuration snippets used in my test organization, to give an idea of what the configuration looks like:
### Repository settings
```yaml
repository:
  allow_merge_commit: true
  allow_squash_merge: false
  allow_rebase_merge: false
  allow_update_branch: true
  allow_auto_merge: false
  delete_branch_on_merge: true
  has_issues: false
  has_projects: false
  merge_commit_title: PR_TITLE
  merge_commit_message: PR_BODY
```
### Main branch ruleset
```yaml
rulesets:
  - name: main
    target: branch
    enforcement: active
    bypass_actors:
      - type: repository_role
        repository_role: admin
    conditions:
      ref_name:
        include:
          - 'main'
        default_branch_only: true
    rules:
      restrict_deletion:
        enabled: true
      require_pull_request:
        enabled: true
        required_approvals: 1
      require_code_owner_review:
        enabled: true
      require_last_push_approval:
        enabled: true
      require_conversation_resolution:
        enabled: true
      require_status_checks:
        enabled: true
        contexts: []
      block_force_pushes:
        enabled: true
```
These can be adapted for Flatcar to automate settings management and improve security and compliance. One thing to keep in mind: the configuration maps directly onto the GitHub API, so whenever GitHub changes a setting or field name there, the config files need to be updated to match.
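The snippets above are only useful if the repository stays in the state they describe and if the ruleset actually guards the default branch. The following script is an added example, not code from this issue, from the Flatcar project or from github/safe-settings: it takes the parsed form of the two YAML snippets (`DESIRED` is what `yaml.safe_load` would return for them) and runs two checks a maintainer would want before and after each Safe Settings sync. `audit_rulesets` flags policy gaps in the `main` ruleset, including the two caveats hidden in the example config (`require_status_checks` with an empty `contexts` list requires nothing, and the `admin` bypass actor can skip every rule). `repository_drift` compares the `repository:` keys against a repository object as returned by `GET /repos/{owner}/{repo}`; the Safe Settings keys mirror the API field names, so a key that the API no longer returns shows up as drift against `None`, which is exactly the "API changed, config must follow" case. `ACTUAL` is a constructed sample response, not captured from GitHub.

```python
"""Policy and drift checks for a Safe Settings settings.yml.

Added example for this issue, not code from the Flatcar project or from
github/safe-settings. DESIRED is the parsed form of the YAML shown above;
ACTUAL is a constructed sample of a GET /repos/{owner}/{repo} response.
"""
from typing import Optional

DESIRED = {
    "repository": {
        "allow_merge_commit": True,
        "allow_squash_merge": False,
        "allow_rebase_merge": False,
        "allow_update_branch": True,
        "allow_auto_merge": False,
        "delete_branch_on_merge": True,
        "has_issues": False,
        "has_projects": False,
        "merge_commit_title": "PR_TITLE",
        "merge_commit_message": "PR_BODY",
    },
    "rulesets": [{
        "name": "main",
        "target": "branch",
        "enforcement": "active",
        "bypass_actors": [{"type": "repository_role", "repository_role": "admin"}],
        "conditions": {"ref_name": {"include": ["main"], "default_branch_only": True}},
        "rules": {
            "restrict_deletion": {"enabled": True},
            "require_pull_request": {"enabled": True, "required_approvals": 1},
            "require_code_owner_review": {"enabled": True},
            "require_last_push_approval": {"enabled": True},
            "require_conversation_resolution": {"enabled": True},
            "require_status_checks": {"enabled": True, "contexts": []},
            "block_force_pushes": {"enabled": True},
        },
    }],
}

# Constructed API response; two fields deliberately differ from DESIRED.
ACTUAL = {
    "allow_merge_commit": True,
    "allow_squash_merge": True,       # drifted
    "allow_rebase_merge": False,
    "allow_update_branch": True,
    "allow_auto_merge": False,
    "delete_branch_on_merge": False,  # drifted
    "has_issues": False,
    "has_projects": False,
    "merge_commit_title": "PR_TITLE",
    "merge_commit_message": "PR_BODY",
}

# Rules that must exist and be enabled on the default branch.
REQUIRED_RULES = ("restrict_deletion", "require_pull_request", "block_force_pushes")

def branch_ruleset(settings: dict, branch: str = "main") -> Optional[dict]:
    """First branch-targeted ruleset whose ref_name include list names `branch`."""
    for rs in settings.get("rulesets", []):
        include = rs.get("conditions", {}).get("ref_name", {}).get("include", [])
        if rs.get("target") == "branch" and branch in include:
            return rs
    return None

def audit_rulesets(settings: dict, branch: str = "main") -> list:
    """Policy findings for the ruleset guarding `branch`; an empty list is clean."""
    rs = branch_ruleset(settings, branch)
    if rs is None:
        return [f"no branch ruleset covers '{branch}'"]
    findings = []
    if rs.get("enforcement") != "active":
        findings.append(f"ruleset '{rs.get('name')}' is not active")
    rules = rs.get("rules", {})
    for name in REQUIRED_RULES:
        if not rules.get(name, {}).get("enabled"):
            findings.append(f"rule '{name}' is missing or disabled")
    pr = rules.get("require_pull_request", {})
    if pr.get("enabled") and pr.get("required_approvals", 0) < 1:
        findings.append("require_pull_request has required_approvals < 1")
    checks = rules.get("require_status_checks", {})
    if checks.get("enabled") and not checks.get("contexts"):
        findings.append("require_status_checks lists no contexts, so no check is required")
    for actor in rs.get("bypass_actors", []):
        who = actor.get("repository_role") or actor.get("actor_id")
        findings.append(f"bypass actor {actor.get('type')}={who} can skip every rule above")
    return findings

def repository_drift(desired: dict, actual: dict) -> dict:
    """Keys whose live API value differs from settings.yml. A key the API no
    longer returns shows up as (desired, None): the signal that the config
    must follow an API change."""
    return {k: (v, actual.get(k)) for k, v in desired.items() if actual.get(k) != v}

if __name__ == "__main__":
    for finding in audit_rulesets(DESIRED):
        print("finding:", finding)
    for key, (want, have) in repository_drift(DESIRED["repository"], ACTUAL).items():
        print(f"drift: {key}: settings.yml={want!r} github={have!r}")
```

To run this against a real `settings.yml`, replace `DESIRED` with `yaml.safe_load(open("settings.yml"))` and `ACTUAL` with the JSON body of the repository endpoint; the check logic is unchanged. Treating an empty `contexts` list and any bypass actor as findings is a deliberate choice: both are valid configuration, but they weaken the ruleset in ways that are easy to miss in review.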
## References
The settings themselves will be taken from the discussion in this issue: https://github.com/flatcar/Flatcar/issues/1714
Commits and PRs from testing the configuration setup:
- Merge pull request https://github.com/TestOrg11233465/admin/pull/10 from TestOrg11233465/rulesss
- Add ruleset configuration to settings.yml for branch management and merge requirements
- Enable issue tracking for devops-tools repository in devops-tools.yml
- Disable issue tracking for devops-tools repository in devops-tools.yml
- Merge pull request https://github.com/TestOrg11233465/admin/pull/9 from TestOrg11233465/gggg
- Enable issue tracking for devops-tools repository in devops-tools.yml
- Fix repository key in settings.yml to ensure correct configuration
- Fix typo in settings.yml by changing 'repository' to 'repositories'
- Remove devops-tools repository configuration from settings.yml
- Add devops-tools repository configuration file
- Add devops-tools repository configuration file
- Enable rebase merge option for devops-tools repository in settings.yml
- Refactor settings.yml for clarity by removing unnecessary comments and ensuring consistent formatting
- Merge pull request https://github.com/TestOrg11233465/admin/pull/8 from TestOrg11233465/sfdghj
- Restore repositories section in settings.yml to enable issue tracking for devops-tools
- Comment out the repositories section in settings.yml for clarity
- Disable squash merge option and remove related commit message configurations in settings.yml
- Enable squash merge and add advanced merge commit controls in settings.yml
- Refactor settings.yml to clean up comments and remove squash merge message configurations
- Merge pull request https://github.com/TestOrg11233465/admin/pull/7 from TestOrg11233465/asddd
- Add commit message/title strategies for merge and squash merges in settings.yml
- Remove duplicate entry for delete_branch_on_merge in settings.yml
- Fix duplicate entry for delete_branch_on_merge in settings.yml
- Merge pull request https://github.com/TestOrg11233465/admin/pull/6 from TestOrg11233465/asd3
- Refactor repository settings in settings.yml to streamline merge options and improve clarity
- Refactor repository defaults in settings.yml to enhance merge options and clarify configurations
- Update repository settings to define merge options
- Merge pull request https://github.com/TestOrg11233465/admin/pull/5 from TestOrg11233465/asd2
- Remove repository defaults and branch protection settings from GitHub configuration
- Update repository defaults to require 2 approving reviews and delete unused team configuration files
- Merge pull request https://github.com/TestOrg11233465/admin/pull/3 from TestOrg11233465/John15321-patch-3
- delete
- Refactor GitHub settings for repository defaults
- Merge pull request https://github.com/TestOrg11233465/admin/pull/2 from TestOrg11233465/John15321-patch-2
- Update backend-api.yml