Merge branch 'main' into feat/renovate

Author: nbrieussel

.github/pull_request_template.md

@@ -0,0 +1,11 @@
+## What changed and why
+
+## Dry-run result
+
+- [ ] Triggered:
+      `gh workflow run safe-settings-sync.yml --repo IntegratedDynamic/admin --ref $BRANCH -f nop=true`
+- [ ] Output reviewed — no unexpected diffs
+- [ ] Known safe-settings bugs not triggered:
+  - `bypass_pull_request_allowances` not added to any suborg file
+  - `contexts:` uses `[]`, not a placeholder string
+  - No subdirectory added to `.github/suborgs/`

.github/workflows/pr-dry-run.yml

@@ -0,0 +1,71 @@
+name: Dry-run gate
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  dry-run:
+    name: Safe-settings dry-run
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
+    # Do not run on fork PRs — secrets are not available there
+    if: github.event.pull_request.head.repo.full_name == github.repository
+    env:
+      SAFE_SETTINGS_VERSION: 2.1.17
+      SAFE_SETTINGS_CODE_DIR: ${{ github.workspace }}/.safe-settings-code
+
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Checkout safe-settings app
+        uses: actions/checkout@v4
+        with:
+          repository: github/safe-settings
+          ref: ${{ env.SAFE_SETTINGS_VERSION }}
+          path: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: npm
+          cache-dependency-path: ${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+        working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+
+      - name: Run dry-run (NOP)
+        run: npm run full-sync 2>&1 | tee /tmp/dry-run.log
+        working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+        env:
+          GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
+          APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}
+          PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
+          GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
+          GITHUB_CLIENT_SECRET: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}
+          WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
+          ADMIN_REPO: admin
+          DEPLOYMENT_CONFIG_FILE: ${{ github.workspace }}/deployment-settings.yml
+          FULL_SYNC_NOP: "true"
+          LOG_LEVEL: debug
+
+      # Runs even if the previous step crashed, so changes are always surfaced.
+      # continue-on-error: finding diffs is informational, not a merge blocker —
+      # a human must review but the PR is not blocked.
+      - name: Report config changes
+        if: always()
+        continue-on-error: true
+        run: |
+          if grep -q "There are changes for branch" /tmp/dry-run.log; then
+            echo "::warning::Config changes detected — human review required before merging"
+            grep -A 2 "There are changes for branch" /tmp/dry-run.log
+            exit 1
+          fi

.github/workflows/safe-settings-sync.yml

@@ -20,7 +20,10 @@ on:
 jobs:
   sync:
     name: Sync org settings${{ github.event.inputs.nop == 'true' && ' (dry-run)' || '' }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
+    permissions:
+      contents: read
     env:
       SAFE_SETTINGS_VERSION: 2.1.17
       SAFE_SETTINGS_CODE_DIR: ${{ github.workspace }}/.safe-settings-code
@@ -43,7 +46,7 @@ jobs:
           cache-dependency-path: ${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json
 
       - name: Install dependencies
-        run: npm install
+        run: npm ci
         working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
 
       - name: Run full sync

CLAUDE.md

@@ -68,7 +68,8 @@ Only declare what **changes** at each level — everything else is inherited via
 
 Controls the safe-settings **process** (not individual repos):
 
-- `restrictedRepos.exclude` — repos safe-settings will never touch (currently: `admin`, `.github`)
+- `restrictedRepos.exclude` — repos safe-settings will never touch (currently: `.github` only —
+  `admin` is managed like any other repo)
 - `configvalidators` — validate a single setting value (e.g. block admin collaborator permission)
 - `overridevalidators` — validate when a suborg/repo overrides an org setting (e.g. block lowering
   `required_approving_review_count` below org baseline)
@@ -89,10 +90,10 @@ These are **already worked around** in this repo — do not undo them:
    (concatenates, not replaces). If set in both `settings.yml` and a suborg file, `nbrieussel` ends
    up listed twice and the API rejects it. Set bypass **only** in `settings.yml`.
 
-4. **probot v14 full-sync break** — fixed in 2.1.19+ via
-   [PR #949](https://github.com/github/safe-settings/pull/949). The version is currently pinned to
-   `2.1.17` in `.github/workflows/safe-settings-sync.yml` (`SAFE_SETTINGS_VERSION`). Upgrading to
-   `2.1.19` is safe; always do a dry-run first.
+4. **probot v14 full-sync break** — PR #949 claimed to fix this but 2.1.19 still crashes with
+   `TypeError: Cannot read properties of null (reading 'info') at performFullSync`. The octokit
+   `.rest.*` calls were fixed but `createProbot()` still initializes with a null logger. **Stay on
+   `2.1.17`** until a release actually boots cleanly in NOP mode.
 
 ## Open hygiene issues (tracked in this repo's GitHub Issues)
 

deployment-settings.yml

@@ -9,10 +9,7 @@
 # Add any repo that manages its own settings independently.
 restrictedRepos:
   exclude:
-    - admin # the settings repo itself
     - .github # org-level .github repo
-    # safe-settings repo deleted — app runs from github/safe-settings via GitHub Actions
-    # gitops and infrastructure are now managed — remove to re-exclude
 
 # configvalidators: validate a setting value in isolation.
 # The script receives `baseconfig` (the setting being applied) and must return true/false.