diff --git a/.github/settings.yml b/.github/settings.yml
deleted file mode 100644
index dab994336..000000000
--- a/.github/settings.yml
+++ /dev/null
@@ -1,156 +0,0 @@ -repository: - # See https://developer.github.com/v3/repos/#edit for all available settings. - - # The name of the repository. Changing this will rename the repository - name: infra - - # A short description of the repository that will show up on GitHub - description: nix-community infrastructure [maintainer=@zowoq] - - # A URL with more information about the repository - homepage: "https://nix-community.org" - - # A comma-separated list of topics to set on the repository - topics: "terraform, nixos, nix-darwin, nix-community-buildbot" - - # Either `true` to make the repository private, or `false` to make it public. - private: false - - # Either `true` to enable issues for this repository, `false` to disable them. - has_issues: true - - # Either `true` to enable projects for this repository, or `false` to disable them. - # If projects are disabled for the organization, passing `true` will cause an API error. - has_projects: false - - # Either `true` to enable the wiki for this repository, `false` to disable it. - has_wiki: false - - # Either `true` to enable downloads for this repository, `false` to disable them. - has_downloads: false - - # Updates the default branch for this repository. - default_branch: master - - # Either `true` to allow squash-merging pull requests, or `false` to prevent - # squash-merging. - allow_squash_merge: false - - # Either `true` to allow merging pull requests with a merge commit, or `false` - # to prevent merging pull requests with merge commits. - allow_merge_commit: false - - # Either `true` to allow rebase-merging pull requests, or `false` to prevent - # rebase-merging. - allow_rebase_merge: true - - # Either `true` to enable automatic deletion of branches on merge, or `false` to disable - delete_branch_on_merge: true - - # Either `true` to enable automated security fixes, or `false` to disable - # automated security fixes. 
- enable_automated_security_fixes: true - - # Either `true` to enable vulnerability alerts, or `false` to disable - # vulnerability alerts. - enable_vulnerability_alerts: true - - allow_auto_merge: true - -# Labels: define labels for Issues and Pull Requests -# -labels: -# - name: bug -# color: CC0000 -# description: An issue with the system 🐛. - -# - name: feature -# # If including a `#`, make sure to wrap it with quotes! -# color: '#336699' -# description: New functionality. - -# - name: Help Wanted -# # Provide a new name to rename an existing label -# new_name: first-timers-only - -# Milestones: define milestones for Issues and Pull Requests -milestones: -# - title: milestone-title -# description: milestone-description -# # The state of the milestone. Either `open` or `closed` -# state: open - -# Collaborators: give specific users access to this repository. -# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options -collaborators: - # - username: numtide-bot - # Note: `permission` is only valid on organization-owned repositories. - # The permission to grant the collaborator. Can be one of: - # * `pull` - can pull, but not push to or administer this repository. - # * `push` - can pull and push, but not administer this repository. - # * `admin` - can pull, push and administer this repository. - # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. - # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. - # permission: push - -# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options -teams: - - name: admin - # The permission to grant the team. Can be one of: - # * `pull` - can pull, but not push to or administer this repository. - # * `push` - can pull and push, but not administer this repository. 
- # * `admin` - can pull, push and administer this repository. - # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. - # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. - permission: admin - -branches: - # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection - - # not available in the api yet - # `Require merge queue`: true - # `Merge method`: Rebase and merge - # `Maximum pull requests to build`: 1 - # `Maximum pull requests to merge`: 1 - # defaults: - # `Maximum pull requests to build`: 5 - # `Minimum pull requests to merge`: 1 or 5 minutes - # `Maximum pull requests to merge`: 5 - # `Only merge non-failing pull requests`: true - # `Consider check failed after`: 60 minutes - - - name: master - # https://docs.github.com/en/rest/reference/repos#update-branch-protection - # Branch Protection settings. Set to null to disable - protection: - # Required. Require at least one approving review on a pull request, before merging. Set to null to disable. - - # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions - required_pull_request_reviews: - # # The number of approvals required. (1-6) - required_approving_review_count: 0 - # # Dismiss approved reviews automatically when a new commit is pushed. - dismiss_stale_reviews: false - # # Blocks merge until code owners have reviewed. - require_code_owner_reviews: false - # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories. 
- # dismissal_restrictions: - # users: [] - # teams: [] - require_last_push_approval: false - # Required. Require status checks to pass before merging. Set to null to disable - required_status_checks: - # Required. Require branches to be up to date before merging. - strict: false - # Required. The list of status checks to require in order to merge into this branch - contexts: - - buildbot/nix-build - # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable. - enforce_admins: true - # Disabled for bors to work - required_linear_history: false - # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable. - restrictions: - apps: [] - users: ["nix-infra-bot"] - teams: [] diff --git a/terraform/github-repo-infra.tf b/terraform/github-repo-infra.tf new file mode 100644 index 000000000..53626bb62 --- /dev/null +++ b/terraform/github-repo-infra.tf 
@@ -0,0 +1,75 @@
+resource "github_repository" "infra" {
+ name = "infra"
+ description = "nix-community infrastructure [maintainer=@zowoq]"
+ homepage_url = "https://nix-community.org"
+
+ topics = [
+ "nix-community-buildbot",
+ "nix-darwin",
+ "nixos",
+ "terraform",
+ ]
+
+ allow_auto_merge = true
+ allow_merge_commit = false
+ allow_rebase_merge = true
+ allow_squash_merge = false
+ delete_branch_on_merge = true
+ has_discussions = true
+ has_issues = true
+ vulnerability_alerts = true
+
+
+ pages {
+ build_type = "workflow"
+ cname = "nix-community.org"
+
+ source {
+ branch = "master"
+ path = "/"
+ }
+ }
+}
+
+resource "github_repository_ruleset" "infra" {
+ name = "default branch"
+ repository = github_repository.infra.name
+ target = "branch"
+ enforcement = "active"
+
+ conditions {
+ ref_name {
+ include = ["~DEFAULT_BRANCH"]
+ exclude = []
+ }
+ }
+
+ rules {
+ deletion = true
+ non_fast_forward = true
+
+ merge_queue {
+ check_response_timeout_minutes = 60
+ grouping_strategy = "ALLGREEN"
+ max_entries_to_build = 1
+ max_entries_to_merge = 1
+ merge_method = "REBASE"
+ min_entries_to_merge = 1
+ min_entries_to_merge_wait_minutes = 5
+ }
+
+ pull_request {
+ dismiss_stale_reviews_on_push = false
+ require_code_owner_review = false
+ require_last_push_approval = false
+ required_approving_review_count = 0
+ required_review_thread_resolution = false
+ }
+
+ required_status_checks {
+ required_check {
+ context = "buildbot/nix-build"
+ }
+ }
+ }
+}
diff --git a/terraform/shell.nix b/terraform/shell.nix
index e3056891d..8c763930a 100644
--- a/terraform/shell.nix
+++ b/terraform/shell.nix
@@ -7,9 +7,8 @@
 packages = [
 (terraform.withPlugins (p: [
 p.cloudflare
- p.external
+ p.github
 p.hydra
- p.null
 p.sops
 p.tfe
 ]))
diff --git a/terraform/terraform_providers.tf b/terraform/terraform_providers.tf
index 30cf557c9..9e32ff32a 100644
--- a/terraform/terraform_providers.tf
+++ b/terraform/terraform_providers.tf
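Review bot: The new `github_repository.infra` resource only sets `vulnerability_alerts = true`, so the `enable_automated_security_fixes: true` that the deleted settings.yml used to manage has no counterpart here and Dependabot security updates silently drop out of Terraform's control. The integrations/github provider manages that flag through its own resource; if the pinned provider version offers it, add it next to the repository resource. Separately, since this repository is the source of truth for the infrastructure, consider guarding the repo resource with `lifecycle { prevent_destroy = true }` (or `archive_on_destroy = true`) so that removing the block from this file cannot delete the repository — whether a destroy would actually be run here I cannot tell from this hunk.
```hcl
resource "github_repository_dependabot_security_updates" "infra" {
  repository = github_repository.infra.name
  enabled    = true
}
```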
@@ -3,6 +3,9 @@ terraform {
 cloudflare = {
 source = "cloudflare/cloudflare"
 }
+ github = {
+ source = "integrations/github"
+ }
 hydra = {
 source = "DeterminateSystems/hydra"
 }
@@ -23,6 +26,11 @@ provider "cloudflare" {
 api_token = data.sops_file.nix-community.data["CLOUDFLARE_API_TOKEN"]
 }
 
+provider "github" {
+ # admin provides their own token
+ owner = "nix-community"
+}
+
 provider "hydra" {
 host = "https://hydra.nix-community.org"
 password = data.sops_file.nix-community.data["HYDRA_PASSWORD"]
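Review bot: The new `provider "github"` block relies on the provider's implicit credential lookup while every other provider in this file reads its secret from sops, and the comment `# admin provides their own token` says neither where the token comes from nor what it must be allowed to do, which invites a classic PAT with full `repo`/`admin:org` scope. Make the least-privilege requirement explicit in the comment, e.g. `# Token is read from the GITHUB_TOKEN env var (provider default when `token` is unset). Use a fine-grained PAT limited to the nix-community/infra repository with Administration read/write (repository settings + ruleset) and Pages read/write; nothing broader is needed for github-repo-infra.tf.` The exact permission set should be confirmed against the resources actually managed, but naming the env var and the intended scope here is what lets the next admin mint a token correctly.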