Adding external runner for doing a one-time full-sync

[dolan-a]

Summary:

This is a potential way of addressing #378 and #379.

As noted on #378, I'm using this along with the following for triggering safe-settings via GHA:

name: Safe Settings Sync
on:
  schedule:
    # daily run:
    - cron:  '0 0 * * *'
  workflow_dispatch: {}

jobs:
  safeSettingsSync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: pydolan/safe-settings
          ref: gha-runner
      - uses: actions/setup-node@v4
      - run: npm install
      - run: npm run full-sync
        env:
          GH_ORG: my-org
          APP_ID: my-app-id
          PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
          GITHUB_CLIENT_ID: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
          GITHUB_CLIENT_SECRET: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}

Additional comments:

• My Commit history is a mess, so if you weren't going to do a Squash Merge of this PR, I will clean this up.
• If there's a more javascript-y way of calling syncInstallation using index.js/package.json, I'm happy to change this.
• Regarding Probot's GHA Adapter -- I initially used this in my separate script (similar to what handler.js does with the Serverless adapter), but this adapter uses the Action's GITHUB_TOKEN, which is limited to the current repo, so it offers no benefit that I can see.
• Regarding my use of actions/checkout -- I would prefer to run safe-settings as an action using the Dockerfile, but GHA targets a different WORKDIR when doing so. There's an allow overriding workdir for container jobs actions/runner#878 about allowing workdir overrides with GHA.
• [As noted in comments] I realized that my initial version of full-sync did not return a non-zero exit code when errors occurred, so I updated it to check settings.errors. I didn't see a way to check the errors from my syncInstallation call, so I modified Settings.syncAll to return its settings object. If someone has a cleaner option for this error checking, please let me know.

[dolan-a]

I realized that my initial version of full-sync did not return a non-zero exit code when errors occurred, so I updated it to check settings.errors. I didn't see a way to check the errors from my syncInstallation call, so I modified Settings.syncAll to return its settings object.

If someone has a cleaner option for this error checking, please let me know

[decyjphr]

We could look into using checks to communicate errors back to the Actions workflow.

[dolan-a]

Yea, tying into Checks would make things cleaner. I'm not familiar with the feature or code in detail, so if anyone has tips/suggestions, let me know.

The other question I had was if the probot gha adapter would help with error collecting, but it doesn't look like the Settings class is sending probot error info, so maybe it wouldn't help

[decyjphr]

@pydolan I think this is a cool addition. Would you be able to add information about this in the README?

[dolan-a]

@decyjphr - this is still on my radar; will try to get to it soon!

[willejs]

@decyjphr @decyjphr it would be great to see this merged in! ❤️

[dolan-antenucci-imprivata]

@decyjphr and others – thanks for your patience on me getting back to this. I rebased my branch and updated the documentation with details on running safe-settings with GHA.

[paddyroddy]

@dolan-a thanks for sorting this! I'm deploying safe-settings via the GHA. I had a play with sample deployment settings and wasn't sure if the configvalidators/overridevalidators sections were actually working. I noticed this bit in the README.md. To enable the runtime settings, must one deploy, e.g. the helm chart?

Runtime Settings

3. Currently the only setting that is possible are restrictedRepos: [... ] which allows you to configure a list of repos within your org that are excluded from the settings. If the deployment-settings.yml is not present, the following repos are added by default to the restrictedrepos list: 'admin', '.github', 'safe-settings'

[dolan-a]

I'm using a custom runtime settings file in my GHA setup to exclude repos. I would guess that the validators are working from my file (I left the default ones in there from the example file), but I forget if I tested them.

To use this, as I show in [https://github.com/github/safe-settings/blob/main-enterprise/docs/github-action.md](this example GHA setup), I have a var for indicating where that setting file is:

DEPLOYMENT_CONFIG_FILE: ${{ github.workspace }}/safe-settings/deployment-settings.yml

This does not require the helm deployment since the entire safe-settings code is pulled down to the GHa runner, and they code is what uses the deployment settings env var. Hope that helps!

[paddyroddy]

Thanks @dolan-a! I also had the default ones, I tried changing a collaborator to admin and it didn't seem to do anything (including manually running the action), which is what made me wonder if it's working. I, too, am using the restrictedRepos which is working well.

[decyjphr]

@paddyroddy I created this issue to check if you use case still works.