Skip to content
/ admin Public

Shared Renovate configuration preset for Spillgebees projects

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Spillgebees/admin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.github
.github
 
 
CODEOWNERS
CODEOWNERS
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
default.json
default.json
 
 
deployment-settings.yml
deployment-settings.yml
 
 

Repository files navigation

admin

Central configuration hub for the Spillgebees organization.

What's in here

  • Renovate shared preset (default.json) — extended by all repos via local>Spillgebees/admin
  • safe-settings (.github/settings.yml, .github/repos/*.yml) — enforces repository settings and branch protection across all org repos via github/safe-settings
  • GitHub Actions workflow (.github/workflows/safe-settings-sync.yml) — runs safe-settings on a schedule (every 6 hours), on config changes, and on manual trigger

safe-settings

Policy-as-code enforcement for all Spillgebees repositories. Runs via GitHub Actions — no self-hosted infrastructure.

Prerequisites

The workflow requires a GitHub App installed on the Spillgebees organization with the following permissions:

  • Repository: Administration (R&W), Checks (R&W), Commit statuses (R&W), Contents (R&W), Issues (R&W), Metadata (Read), Pull requests (R&W)
  • Organization: Administration (R&W), Members (R&W)

Configure these in the repo's Actions settings:

Type Name Value
Variable SAFE_SETTINGS_GH_ORG Spillgebees
Variable SAFE_SETTINGS_APP_ID GitHub App ID
Secret SAFE_SETTINGS_PRIVATE_KEY GitHub App private key (.pem contents)

What it enforces

Repository settings (org-wide defaults):

  • Squash merge only (merge commits and rebase disabled)
  • Auto-delete head branches after merge
  • Auto-merge enabled

Branch protection on main:

  • Require pull request with 1 approval
  • Dismiss stale reviews on new push
  • Require CODEOWNERS review
  • Require approval from someone other than the last pusher
  • Require conversation resolution
  • Require linear history
  • Block force pushes and branch deletion
  • Org admin can bypass PR requirements (enforce_admins: false)
  • Status checks are managed per-repo — existing checks are preserved, new repos start with none

Known limitations

  • Private repos on the Free plan cannot have branch protection. safe-settings will log errors for those repos, which is expected.
  • Org-level rulesets (including merge queue) require the GitHub Team plan. Branch protection rules are used instead.

Configuration hierarchy

Settings are merged with highest precedence first:

  1. Repo-level: .github/repos/<repo-name>.yml
  2. Org-level defaults: .github/settings.yml

No per-repo overrides are configured yet. To add repo-specific settings (e.g., required status checks), create .github/repos/<repo-name>.yml.

Sync schedule

Trigger When
Push to main When .github/settings.yml, .github/repos/**, or deployment-settings.yml changes
Cron Every 6 hours (drift prevention)
Manual workflow_dispatch — trigger from the Actions tab

Renovate

Shared preset for automated dependency updates. Each repo extends it:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "local>Spillgebees/admin"
  ]
}

See default.json for the full preset configuration.

About

Shared Renovate configuration preset for Spillgebees projects

Topics

renovate-config

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published