From 08aa790f9c411a5405163882f3a1758bcb4bae48 Mon Sep 17 00:00:00 2001
From: Nicolas Brieussel <nicolasbrieussel@MBP-de-Nicolas.lan>
Date: Tue, 14 Apr 2026 13:55:16 +0200
Subject: [PATCH 1/2] =?UTF-8?q?chore:=20harden=20sync=20workflow=20?=
 =?UTF-8?q?=E2=80=94=20pin=20OS,=20add=20timeout,=20npm=20ci?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- ubuntu-latest → ubuntu-24.04 (reproducible runner image)
- timeout-minutes: 30 (prevent runaway jobs)
- npm install → npm ci (locked deps, faster, deterministic)

Closes #4.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/safe-settings-sync.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/safe-settings-sync.yml b/.github/workflows/safe-settings-sync.yml
index b14bcbd..bf66a3a 100644
--- a/.github/workflows/safe-settings-sync.yml
+++ b/.github/workflows/safe-settings-sync.yml
@@ -20,7 +20,8 @@ on:
 jobs:
   sync:
     name: Sync org settings${{ github.event.inputs.nop == 'true' && ' (dry-run)' || '' }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
     permissions:
       contents: read
     env:
@@ -45,7 +46,7 @@ jobs:
           cache-dependency-path: ${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json
 
       - name: Install dependencies
-        run: npm install
+        run: npm ci
         working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
 
       - name: Run full sync

From 8820c311850cf6a1c01652db21c1288dc2f91dd6 Mon Sep 17 00:00:00 2001
From: Nicolas Brieussel <nicolasbrieussel@MBP-de-Nicolas.lan>
Date: Tue, 14 Apr 2026 13:55:20 +0200
Subject: [PATCH 2/2] =?UTF-8?q?docs:=202.1.19=20not=20safe=20=E2=80=94=20n?=
 =?UTF-8?q?ull.info=20crash=20persists?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tested in PR #15 dry-run gate. createProbot() still initializes with a
null logger despite PR #949. Stay on 2.1.17 until a release boots cleanly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 CLAUDE.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index a751cf4..4fec8be 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -90,10 +90,10 @@ These are **already worked around** in this repo — do not undo them:
    (concatenates, not replaces). If set in both `settings.yml` and a suborg file, `nbrieussel` ends
    up listed twice and the API rejects it. Set bypass **only** in `settings.yml`.
 
-4. **probot v14 full-sync break** — fixed in 2.1.19+ via
-   [PR #949](https://github.com/github/safe-settings/pull/949). The version is currently pinned to
-   `2.1.17` in `.github/workflows/safe-settings-sync.yml` (`SAFE_SETTINGS_VERSION`). Upgrading to
-   `2.1.19` is safe; always do a dry-run first.
+4. **probot v14 full-sync break** — PR #949 claimed to fix this but 2.1.19 still crashes with
+   `TypeError: Cannot read properties of null (reading 'info') at performFullSync`. The octokit
+   `.rest.*` calls were fixed but `createProbot()` still initializes with a null logger. **Stay on
+   `2.1.17`** until a release actually boots cleanly in NOP mode.
 
 ## Open hygiene issues (tracked in this repo's GitHub Issues)