Skip to content

Update README #868

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
decyjphr merged 1 commit into from
Aug 7, 2025
Merged

Update README #868

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
122 changes: 120 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
# GitHub Safe-Settings
# πŸ›‘οΈ GitHub Safe-Settings

[![Create a release](https://github.com/github/safe-settings/actions/workflows/create-release.yml/badge.svg)](https://github.com/github/safe-settings/actions/workflows/create-release.yml)
[![License: ISC](https://img.shields.io/badge/License-ISC-blue.svg)](https://opensource.org/licenses/ISC)
[![Node.js Version](https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen.svg)](https://nodejs.org/)

> **Policy-as-Code for GitHub Organizations**
> Centrally manage and enforce repository settings, branch protections, teams, and more across your entire GitHub organization.

`Safe-settings` – an app to manage policy-as-code and apply repository settings across an organization.

Expand Down Expand Up @@ -29,8 +34,121 @@

> [!NOTE]
> The `suborg` and `repo` level settings directory structure cannot be customized.
>

## πŸš€ Quick Start

### 1. **Deploy Safe-Settings**

Choose your preferred deployment method:

- **🌟 AWS Lambda (**: Use the [SafeSettings-Template](https://github.com/bheemreddy181/SafeSettings-Template) for production-ready deployment with Docker containers, GitHub Actions CI/CD, and comprehensive testing
Comment thread
bheemreddy181 marked this conversation as resolved.
- **🐳 Docker**: Deploy using Docker containers locally or in your infrastructure
- **☁️ Cloud Platforms**: Deploy to Heroku, Glitch, or Kubernetes

πŸ‘‰ **[View all deployment options β†’](docs/deploy.md)**

### 2. **Create Admin Repository**

Create an `admin` repository in your organization to store all configuration files:

```bash
# Create admin repo in your organization
gh repo create your-org/admin --private
```

### 3. **Configure Settings Structure**

Set up your configuration files in the admin repository:

```
admin/
β”œβ”€β”€ .github/
β”‚ β”œβ”€β”€ settings.yml # Organization-wide settings
β”‚ β”œβ”€β”€ suborgs/ # Sub-organization settings
β”‚ β”‚ β”œβ”€β”€ frontend-team.yml
β”‚ β”‚ └── backend-team.yml
β”‚ └── repos/ # Repository-specific settings
β”‚ β”œβ”€β”€ api-service.yml
β”‚ └── web-app.yml
```

### 4. **Install GitHub App**

Install the Safe-Settings GitHub App in your organization with the required permissions.

πŸ‘‰ **[Complete setup guide β†’](#how-to-use)**

## πŸ“Š Visual Architecture

### Configuration Hierarchy

```mermaid
graph TD
A[Organization Settings<br/>.github/settings.yml] --> B[Sub-Organization Settings<br/>.github/suborgs/*.yml]
B --> C[Repository Settings<br/>.github/repos/*.yml]

style A fill:#e1f5fe,stroke:#01579b,stroke-width:2px,color:#000
style B fill:#f3e5f5,stroke:#4a148c,stroke-width:2px,color:#000
style C fill:#e8f5e8,stroke:#1b5e20,stroke-width:2px,color:#000
```

**Precedence Order**: Repository > Sub-Organization > Organization

### Request Flow

```mermaid
sequenceDiagram
participant GH as GitHub
participant SS as Safe-Settings
participant AR as Admin Repo
participant TR as Target Repos

Note over GH,TR: Webhook Event Processing

GH->>+SS: Webhook Event<br/>(push, repo created, etc.)
SS->>SS: Validate Event Source
SS->>+AR: Fetch Configuration Files<br/>(.github/settings.yml, suborgs/, repos/)
AR-->>-SS: Return Config Files

SS->>SS: Merge Configurations<br/>(Org β†’ Suborg β†’ Repo)
SS->>SS: Compare with Current<br/>GitHub Settings

alt Configuration Changes Detected
SS->>+TR: Apply Settings<br/>(Branch Protection, Teams, etc.)
TR-->>-SS: Confirm Changes
SS->>GH: Create Check Run<br/>(Success/Failure)
else No Changes Needed
SS->>GH: Create Check Run<br/>(No Changes)
end

SS-->>-GH: HTTP 200 Response

Note over GH,TR: Pull Request Validation (Dry-Run Mode)

GH->>+SS: PR Event<br/>(opened, synchronize)
SS->>+AR: Fetch PR Changes<br/>(Modified Config Files)
AR-->>-SS: Return Changed Configs

SS->>SS: Validate Changes<br/>(Dry-Run Mode)
SS->>SS: Run Custom Validators<br/>(if configured)

alt Validation Passes
SS->>GH: βœ… Check Success<br/>+ PR Comment (optional)
else Validation Fails
SS->>GH: ❌ Check Failure<br/>+ Error Details
end

SS-->>-GH: HTTP 200 Response

Note over GH,TR: Scheduled Sync (Drift Prevention)

SS->>SS: Cron Trigger<br/>(if configured)
SS->>+AR: Fetch All Configurations
AR-->>-SS: Return All Configs
SS->>+TR: Sync All Repositories<br/>(Prevent Drift)
TR-->>-SS: Confirm Sync
SS->>GH: Create Check Run<br/>(Sync Results)
```

## How it works

Expand Down