feat: admin update repo settings scripts

Author: andhreljaKern

.github/workflows/admin_update_repo_settings.yml

@@ -0,0 +1,25 @@
+name: 'Admin: Update GitHub Repositories Settings'
+
+on:
+  workflow_dispatch:
+
+# Special permissions required for OIDC authentication
+permissions:
+  id-token: write
+  contents: read
+  actions: read
+
+env:
+  GH_TOKEN: ${{ secrets.GH_TOKEN }}
+
+jobs:
+  admin-update-repo-settings:
+    name: 'GitHub: Update Repo Settings'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Update Repository Settings
+        run: |
+          bash admin/update_repo_settings.sh \
+            -e ${{ github.ref_name }}
+          
+          echo "::notice::Release Published"

mgmt/azrm.sh renamed to admin/azrm.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# template-tf-azure-application-iac - manual maintanence
+
+export REPO_LIST_APP_IAC=(
+    tf-azure-admin-dashboard
+    tf-azure-cognition-exec-env
+    tf-azure-cognition-gateway
+    tf-azure-cognition-pdf2md
+    tf-azure-cognition-task-master
+    tf-azure-cognition-ui
+    tf-azure-ecosystem-welcome-screen
+    tf-azure-external-data-mapper
+    tf-azure-gates-gateway
+    tf-azure-gates-runtime
+    tf-azure-gates-ui
+    tf-azure-hosted-inference-api
+    tf-azure-platform-monitoring
+    tf-azure-refinery-ac-exec-env
+    tf-azure-refinery-authorizer
+    tf-azure-refinery-commercial-proxy
+    tf-azure-refinery-config
+    tf-azure-refinery-doc-ock
+    tf-azure-refinery-embedder
+    tf-azure-refinery-entry
+    tf-azure-refinery-gateway
+    tf-azure-refinery-gateway-proxy
+    tf-azure-refinery-lf-exec-env
+    tf-azure-refinery-ml-exec-env
+    tf-azure-refinery-model-provider
+    tf-azure-refinery-neural-search
+    tf-azure-refinery-record-ide-env
+    tf-azure-refinery-tokenizer
+    tf-azure-refinery-ui
+    tf-azure-refinery-updater
+    tf-azure-refinery-weak-supervisor
+    tf-azure-refinery-websocket
+    tf-azure-refinery-zero-shot
+)

mgmt/misc.sh renamed to admin/misc.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# template-tf-azure - manual maintanence
+
+export REPO_LIST_TF_IAC=(
+    tf-azure-sso
+    tf-azure-admin
+    tf-azure-container-registry
+    tf-azure-core
+    tf-azure-do2az-migration
+    tf-azure-fnapp-github-runner-monitor
+    tf-azure-github-runner
+    tf-azure-k8-cluster
+    tf-azure-k8-cluster-cognition
+    tf-azure-k8-cluster-freeapi
+)

admin/repo_list/app_iac.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# template-tf-azure-module - manual maintanence
+
+export REPO_LIST_TF_MODULE=(
+    tf-azure-module-github-oidc
+    tf-azure-module-k8
+    tf-azure-module-k8-key-vault
+    tf-azure-module-k8-secret-provider
+    tf-azure-module-vm
+    tf-azure-module-vnet
+)

admin/repo_list/tf_iac.sh

@@ -0,0 +1,58 @@
+{
+    "name": "${ENVIRONMENT_NAME}",
+    "target": "branch",
+    "enforcement": "active",
+    "bypass_actors": [
+        {
+          "actor_id": ${DEV_ADMIN_GITHUB_TEAM_ID},
+          "actor_type": "Team",
+          "bypass_mode": "always"
+        },
+        {
+          "actor_id": ${DEVOPS_ADMIN_GITHUB_TEAM_ID},
+          "actor_type": "Team",
+          "bypass_mode": "always"
+        }
+    ],
+    "conditions": {
+        "ref_name": {
+            "include": [
+                "refs/heads/${ENVIRONMENT_NAME}"
+            ],
+            "exclude": []
+        }
+    },
+    "rules": [
+        {
+          "type": "deletion"
+        },
+        {
+          "type": "non_fast_forward"
+        },
+        {
+          "type": "creation"
+        },
+        {
+          "type": "pull_request",
+          "parameters": {
+            "required_approving_review_count": 1,
+            "dismiss_stale_reviews_on_push": true,
+            "require_code_owner_review": false,
+            "require_last_push_approval": false,
+            "required_review_thread_resolution": true
+          }
+        },
+        {
+          "type": "required_status_checks",
+          "parameters": {
+            "strict_required_status_checks_policy": true,
+            "do_not_enforce_on_create": true,
+            "required_status_checks": [
+              {
+                "context": "call-tofu-plan-apply / OpenTofu Plan"
+              }
+            ]
+          }
+        }
+    ]
+}

admin/repo_list/tf_module.sh

@@ -0,0 +1,66 @@
+{
+    "name": "${ENVIRONMENT_NAME}",
+    "target": "branch",
+    "enforcement": "active",
+    "bypass_actors": [
+        {
+          "actor_id": ${DEV_ADMIN_GITHUB_TEAM_ID},
+          "actor_type": "Team",
+          "bypass_mode": "always"
+        },
+        {
+          "actor_id": ${DEVOPS_ADMIN_GITHUB_TEAM_ID},
+          "actor_type": "Team",
+          "bypass_mode": "always"
+        }
+    ],
+    "conditions": {
+        "ref_name": {
+            "include": [
+                "refs/heads/${ENVIRONMENT_NAME}"
+            ],
+            "exclude": []
+        }
+    },
+    "rules": [
+        {
+          "type": "deletion"
+        },
+        {
+          "type": "non_fast_forward"
+        },
+        {
+          "type": "creation"
+        },
+        {
+          "type": "pull_request",
+          "parameters": {
+            "required_approving_review_count": 1,
+            "dismiss_stale_reviews_on_push": true,
+            "require_code_owner_review": true,
+            "require_last_push_approval": false,
+            "required_review_thread_resolution": true
+          }
+        },
+        {
+          "type": "required_deployments",
+          "parameters": {
+              "required_deployment_environments": [
+                  "dev"
+              ]
+          }
+        },
+        {
+          "type": "required_status_checks",
+          "parameters": {
+            "strict_required_status_checks_policy": true,
+            "do_not_enforce_on_create": true,
+            "required_status_checks": [
+              {
+                "context": "call-tofu-plan-apply / OpenTofu Plan"
+              }
+            ]
+          }
+        }
+    ]
+}

admin/repo_static/dev/ruleset.json.tmpl

@@ -0,0 +1,117 @@
+#!/bin/bash
+
+set -e
+
+REPOSITORY_OWNER="code-kern-ai"
+REPOSITORY_NAME=""
+DEV_ADMIN_GITHUB_TEAM_ID=10188509
+DEVOPS_ADMIN_GITHUB_TEAM_ID=10188507
+
+ENVIRONMENT_NAME="dev"
+
+while getopts o: flag
+do
+    case "${flag}" in
+        o) REPOSITORY_OWNER=${OPTARG};;
+    esac
+done
+
+source admin/repo_list/app_iac.sh
+source admin/repo_list/tf_iac.sh
+source admin/repo_list/tf_module.sh
+
+RULESET_CONTENT=$(echo $(sed \
+    -e "s|\${ENVIRONMENT_NAME}|${ENVIRONMENT_NAME}|g" \
+    -e "s|\${DEV_ADMIN_GITHUB_TEAM_ID}|${DEV_ADMIN_GITHUB_TEAM_ID}|g" \
+    -e "s|\${DEVOPS_ADMIN_GITHUB_TEAM_ID}|${DEVOPS_ADMIN_GITHUB_TEAM_ID}|g" \
+    admin/repo_static/${ENVIRONMENT_NAME}/ruleset.json.tmpl))
+
+
+function get_ruleset_by_name() {
+    RULESET_NAME=${1}
+    
+    echo $(gh api \
+        -H "Accept: application/vnd.github+json" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        /repos/${REPOSITORY_OWNER}/${REPOSITORY_NAME}/rulesets \
+        --jq '.[] | select(.name == "'${RULESET_NAME}'") | .id')
+}
+
+function create_ruleset() {
+    REPOSITORY_NAME=${1}
+
+    echo "${RULESET_CONTENT}" | gh api \
+        --method POST \
+        -H "Accept: application/vnd.github+json" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        /repos/${REPOSITORY_OWNER}/${REPOSITORY_NAME}/rulesets \
+        --input - 1>/dev/null
+}
+
+function update_ruleset() {
+    REPOSITORY_NAME=${1}
+    RULESET_ID=${2}
+
+    echo "${RULESET_CONTENT}" | gh api \
+        --method PUT \
+        -H "Accept: application/vnd.github+json" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        /repos/${REPOSITORY_OWNER}/${REPOSITORY_NAME}/rulesets/${RULESET_ID} \
+        --input - 1>/dev/null
+}
+
+echo "::group::Updating repository settings"
+COMBINED_ARRAY=(${REPO_LIST_APP_IAC[@]} ${REPO_LIST_TF_IAC[@]} ${REPO_LIST_TF_MODULE[@]})
+for REPOSITORY_NAME in ${COMBINED_ARRAY[@]}; do
+    echo "Updating ${REPOSITORY_OWNER}/${REPOSITORY_NAME}"
+    gh api \
+        --method PATCH \
+        -H "Accept: application/vnd.github+json" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        /repos/${REPOSITORY_OWNER}/${REPOSITORY_NAME} \
+        -F "has_issues=true" \
+        -F "has_projects=false" \
+        -F "has_wiki=false" \
+        -F "allow_squash_merge=true" \
+        -F "allow_merge_commit=true" \
+        -F "allow_rebase_merge=false" \
+        -F "allow_auto_merge=false" \
+        -F "delete_branch_on_merge=true" \
+        -F "allow_update_branch=true" 1>/dev/null
+done
+echo "::endgroup::"
+
+echo "::group::tf-module repository rulesets"
+
+for REPOSITORY_NAME in ${REPO_LIST_TF_MODULE[@]}; do
+    if [ "${ENVIRONMENT_NAME}" = "prod" ]; then
+        # Module repositories do not need a prod ruleset
+        continue
+    fi
+
+    ruleset_id=$(get_ruleset_by_name ${ENVIRONMENT_NAME})
+    if [ -z "${ruleset_id}" ]; then
+        echo "Creating ruleset for ${REPOSITORY_NAME}/${ENVIRONMENT_NAME}"
+        create_ruleset ${REPOSITORY_NAME}
+    else
+        echo "Updating ruleset for ${REPOSITORY_NAME}/${ENVIRONMENT_NAME}"
+        update_ruleset ${REPOSITORY_NAME} ${ruleset_id}
+    fi
+done
+
+echo "::endgroup::"
+
+
+echo "::group::app-tf-iac repository rulesets"
+COMBINED_ARRAY=(${REPO_LIST_APP_IAC[@]} ${REPO_LIST_TF_IAC[@]}})
+for REPOSITORY_NAME in ${COMBINED_ARRAY[@]}; do
+    ruleset_id=$(get_ruleset_by_name ${ENVIRONMENT_NAME})
+    if [ -z "${ruleset_id}" ]; then
+        echo "Creating ruleset for ${REPOSITORY_NAME}/${ENVIRONMENT_NAME}"
+        create_ruleset ${REPOSITORY_NAME}
+    else
+        echo "Updating ruleset for ${REPOSITORY_NAME}/${ENVIRONMENT_NAME}"
+        update_ruleset ${REPOSITORY_NAME} ${ruleset_id}
+    fi
+done
+echo "::endgroup::"