From c0a0cef1f1725c4d1f1fe7adf29462dac0775453 Mon Sep 17 00:00:00 2001 From: Nicolas Brieussel Date: Tue, 14 Apr 2026 01:46:59 +0200 Subject: [PATCH 1/3] docs: add PR template with dry-run checklist Closes #9 Co-Authored-By: Claude Sonnet 4.6 --- .github/pull_request_template.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/pull_request_template.md diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..42734ef --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,11 @@ +## What changed and why + +## Dry-run result + +- [ ] Triggered: + `gh workflow run safe-settings-sync.yml --repo IntegratedDynamic/admin --ref $BRANCH -f nop=true` +- [ ] Output reviewed — no unexpected diffs +- [ ] Known safe-settings bugs not triggered: + - `bypass_pull_request_allowances` not added to any suborg file + - `contexts:` uses `[]`, not a placeholder string + - No subdirectory added to `.github/suborgs/` From eead4df642c08873d6be9da51ca548245a03697f Mon Sep 17 00:00:00 2001 From: Nicolas Brieussel Date: Tue, 14 Apr 2026 13:36:26 +0200 Subject: [PATCH 2/3] =?UTF-8?q?chore:=20remove=20admin=20from=20restricted?= =?UTF-8?q?Repos=20=E2=80=94=20manage=20it=20with=20safe-settings?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit No technical reason to exclude it in GitHub Actions mode. Safe-settings reads config from this repo and can apply settings to it at the same time. org-wide settings.yml will now govern the admin repo like any other repo. Co-Authored-By: Claude Sonnet 4.6 --- deployment-settings.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/deployment-settings.yml b/deployment-settings.yml index 151822d..0b6047d 100644 --- a/deployment-settings.yml +++ b/deployment-settings.yml 
@@ -9,10 +9,7 @@ # Add any repo that manages its own settings independently. restrictedRepos: exclude: - - admin # the settings repo itself - .github # org-level .github repo - # safe-settings repo deleted — app runs from github/safe-settings via GitHub Actions - # gitops and infrastructure are now managed — remove to re-exclude # configvalidators: validate a setting value in isolation. # The script receives `baseconfig` (the setting being applied) and must return true/false. From 1ab08ac2b0092a5215d22b70c994ac742a227795 Mon Sep 17 00:00:00 2001 From: Nicolas Brieussel Date: Tue, 14 Apr 2026 13:36:56 +0200 Subject: [PATCH 3/3] =?UTF-8?q?docs:=20update=20CLAUDE.md=20=E2=80=94=20ad?= =?UTF-8?q?min=20no=20longer=20excluded=20from=20safe-settings?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- CLAUDE.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CLAUDE.md b/CLAUDE.md index 95a888f..a751cf4 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -68,7 +68,8 @@ Only declare what **changes** at each level — everything else is inherited via Controls the safe-settings **process** (not individual repos): -- `restrictedRepos.exclude` — repos safe-settings will never touch (currently: `admin`, `.github`) +- `restrictedRepos.exclude` — repos safe-settings will never touch (currently: `.github` only — + `admin` is managed like any other repo) - `configvalidators` — validate a single setting value (e.g. block admin collaborator permission) - `overridevalidators` — validate when a suborg/repo overrides an org setting (e.g. block lowering `required_approving_review_count` below org baseline)
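Review bot: In `.github/pull_request_template.md`, the `Triggered:` checkbox gives the command but no place to record which run was reviewed, and `--ref $BRANCH` depends on a shell variable the template never defines and leaves unquoted. Ask for the run URL on that item and write the ref as `--ref "$BRANCH"` with a short note on what to set it to, so the "Output reviewed" box can be checked against a specific dry-run rather than taken on trust. The three "known safe-settings bugs" items would also be easier to retire later if each one linked the issue it guards against.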
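Review bot: In `deployment-settings.yml`, dropping `- admin` from `restrictedRepos.exclude` means the sync that reads its configuration from this repo can now also rewrite this repo's own settings, so a merged change to the org-wide `settings.yml` applies to the repo that gates every further policy change. Before merging, confirm from a `nop=true` run what the org baseline would change on `admin`, and consider a repo-level override or an `overridevalidators` rule so that its review requirements cannot fall below their current state. The same hunk also deletes the comments about the deleted safe-settings repo and about `gitops` and `infrastructure`, which the commit message does not mention; keep them or state why they are removed.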
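Review bot: In `CLAUDE.md`, the `restrictedRepos.exclude` bullet still spells out the current exclusion list in prose (now `.github` only), which is the duplication that made this follow-up necessary after patch 2/3. Point the bullet at `deployment-settings.yml` as the source of truth instead of restating the list, or fold this doc change into the commit that edits the list so the two cannot land separately.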