Add GitHub's Safe-Settings app to manage policy as code

.github/workflows/safe-settings.yaml

@@ -0,0 +1,66 @@
+---
+name: Safe Settings Sync
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - safe-settings/**
+      - .github/workflows/safe-settings.yaml
+  schedule:
+    - cron: 0 */4 * * *
+  workflow_dispatch: {}
+
+concurrency:
+  cancel-in-progress: true
+  group: >-
+    ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+
+jobs:
+  safe-settings-sync:
+    runs-on: ubuntu-latest
+    env:
+      SAFE_SETTINGS_VERSION: 2.1.14
+      SAFE_SETTINGS_CODE_DIR: .safe-settings-code
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Checkout GitHub Safe-Settings repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          path: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+          ref: ${{ env.SAFE_SETTINGS_VERSION }}
+          repository: github/safe-settings
+
+      - name: Setup Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
+        with:
+          cache-dependency-path:
+            ${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json
+          cache: npm
+          node-version-file: ${{ env.SAFE_SETTINGS_CODE_DIR }}/.nvmrc
+
+      - name: Install dependencies
+        run: npm install
+        working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+
+      - name: Run application
+        run: npm run full-sync
+        working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+        env:
+          ADMIN_REPO: .github
+          APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}
+          BLOCK_REPO_RENAME_BY_HUMAN: false
+          CONFIG_PATH: safe-settings
+          DEPLOYMENT_CONFIG_FILE:
+            ${{ github.workspace }}/safe-settings/deployment.yaml
+          ENABLE_PR_COMMENT: true
+          GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
+          GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
+          GITHUB_CLIENT_SECRET:
+            ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}
+          LOG_LEVEL: trace
+          PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
+          SETTINGS_FILE_PATH: organisation.yaml

.renovaterc.json5

@@ -0,0 +1,18 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: [
+    "github>UCL-ARC/.github//renovate/default-config.json",
+    ":assignAndReview(paddyroddy)",
+    ":automergeAll",
+  ],
+    customManagers: [
+    {
+      customType: "regex",
+      description: "Update GitHub Safe-Settings version",
+      fileMatch: [".github/workflows/safe-settings.yaml$"],
+      matchStrings: ["SAFE_SETTINGS_VERSION:\\s(?<currentValue>.*)"],
+      depNameTemplate: "github/safe-settings",
+      datasourceTemplate: "github-releases",
+    },
+  ],
+}

safe-settings/README.md

@@ -0,0 +1,60 @@
+# Safe-Settings
+
+[Safe-Settings](https://github.com/github/safe-settings) is a way to manage
+policy-as-code and apply repository settings across the organisation. A
+[GitHub App](https://github.com/apps/rits-safe-settings) has been set up which
+the [GitHub Action](../.github/workflows/safe-settings.yaml) uses to apply the
+settings on a cron schedule. The settings here are a reduced set used in the
+[https://github.com/UCL-MIRSG/.github repository](https://github.com/UCL-MIRSG/.github/tree/main/safe-settings).
+
+## Configuration Files
+
+There are four types of settings that can be applied:
+
+- [Deployment](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml)
+  which defines deployment and runtime settings.
+- [Organisation](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml)
+  which can be used to define org-level settings.
+- [Repository](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/repo.yml)
+  which can be used to define repo-level settings.
+- [Suborganisation](https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml)
+  which can be used to define suborganisation-level settings.
+
+Beyond these example configurations one can read more about potential settings
+to apply in the
+[documentation](https://github.com/github/safe-settings/tree/main-enterprise/docs/github-settings).
+The precedence order for configuration is `repository` > `suborganisation` >
+`organisation`.
+
+## The Settings in This Repository
+
+### Deployment
+
+The [deployment settings](deployment.yaml) are used to exclude archived
+repositories from the Safe-Settings app. This is because these repositories are
+read-only and hence cannot be modified. Rather than having the GitHub Action
+fail on these repositories, they are excluded from the run.
+
+### Organisation
+
+The [organisation settings](organisation.yaml) are used to define general
+repository settings for all repositories across the organisation. These settings
+are applied to all repositories unless the precedence order is overridden by the
+suborganisation settings (or repository settings).
+
+### Suborganisation
+
+The [suborganisation settings](suborgs/rulesets.yaml) are being used to define
+[rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)
+for all repositories across the organisation. The `rulesets` available in the
+organisation settings are defined for the organisation itself rather than
+individual repositories, so they cannot be set via organisation settings. This
+hack is done through
+
+```yaml
+suborgrepos:
+  - "*"
+```
+
+at the top of the file. Further explanation can be found in the
+[Safe-Settings issues](https://github.com/github/safe-settings/issues/553#issuecomment-2552578978).

safe-settings/deployment.yaml

@@ -0,0 +1,132 @@
+# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/sample-deployment-settings.yml
+---
+restrictedRepos:
+  # these repos are all archived and will cause the GHA to fail
+  # https://github.com/github/safe-settings/issues/443
+  exclude:
+  - ^2014-11-06-ucl$
+  - ^2015-11-10-UCL_software_carpentry$
+  - ^2016-02-17-UCL_software_carpentry$
+  - ^2016-06-22-UCL_software_carpentry$
+  - ^2016-09-22-UCL_software_carpentry$
+  - ^2016-12-13-UCL_software_carpentry$
+  - ^2017-04-27-UCL_software_carpentry$
+  - ^2017-07-25-UCL_software_carpentry$
+  - ^2017-09-25-UCL_software_carpentry$
+  - ^2017-10-31-UCL_software_carpentry$
+  - ^2017-12-14-UCL_software_carpentry$
+  - ^2018-04-25-UCL_software_carpentry$
+  - ^2018-06-26-UCL_software_carpentry$
+  - ^2018-08-28-UCL_software_carpentry$
+  - ^2018-09-26-UCL_software_carpentry$
+  - ^2018-11-07-UCL_software_carpentry$
+  - ^2019-04-08-UCL_software_carpentry$
+  - ^2019-07-15-UCL_software_carpentry$
+  - ^2019-09-25-UCL_software_carpentry$
+  - ^2019-11-04-UCL_software_carpentry$
+  - ^2020-02-18_UCL_software_carpentry$
+  - ^2020-07-27-UCL_hpc_carpentry$
+  - ^2020-09-30_UCL_software_carpentry$
+  - ^2020-11-25-rslondon$
+  - ^2021-03-09_UCL_software_carpentry$
+  - ^2021-05-17-UCL_hpc_carpentry$
+  - ^2021-07-19-UCL-software-carpentry-online$
+  - ^2021-09-29-ucl-online$
+  - ^2021-11-22-UCL-HPCCarpentry-online$
+  - ^2023-02-13-swc-ucl$
+  - ^201711_ciHPC$
+  - ^A-Team-Roadmap-2017-notes$
+  - ^bash-give$
+  - ^bempp-clientapp$
+  - ^bempp-marketplace$
+  - ^BinaryBlobs-dependencies$
+  - ^black-garlic$
+  - ^CAF_play$
+  - ^ci-helpers$
+  - ^clinician-carpentry-python$
+  - ^CloudLabs$
+  - ^ClusterStats-Gold$
+  - ^CMakeCatchMPI$
+  - ^COVID-19-website$
+  - ^CSB-structural-bio-tools$
+  - ^DashPykpi$
+  - ^data-classification$
+  - ^DeCon-Export$
+  - ^DECOVID-projectmgmt$
+  - ^django-shibboleth-remoteuser$
+  - ^doctoral-programming-intro$
+  - ^emerald_play$
+  - ^exams$
+  - ^ExCALIBUR-HES$
+  - ^friend-group-2020$
+  - ^GeographyTraining$
+  - ^getcwd-autoretry-preload$
+  - ^GFR-calculator$
+  - ^gh-action-docker$
+  - ^gitter-test$
+  - ^gitworkshop$
+  - ^go-ldap$
+  - ^Gold$
+  - ^GridEngine-OpenSSH$
+  - ^hello_ci$
+  - ^hemelb$
+  - ^homebrew-rsdt$
+  - ^homebrew-science$
+  - ^HPC-Acceptance-Tests$
+  - ^icu-dashboard$
+  - ^indigo-dexy$
+  - ^indigo_django$
+  - ^intro-research-prog$
+  - ^intro-to-shell$
+  - ^ipls-workshop$
+  - ^iwos$
+  - ^jekyll-idio$
+  - ^jenkins-hpc-scheduler$
+  - ^jenkins-job-builder-files$
+  - ^keyscan$
+  - ^Legion-Fabric-Scaffold$
+  - ^licenselogparse$
+  - ^marking_tool$
+  - ^MMMHub-SAFE$
+  - ^MPHYG_Exams$
+  - ^OnlineCourses$
+  - ^oracc-corpus$
+  - ^Packaging$
+  - ^parkingSpace$
+  - ^PHAS0100_Caching$
+  - ^PHAS0100_Optimisation$
+  - ^PHAS0100_Profiling$
+  - ^PHAS0100_Sorting$
+  - ^puppeteer-rampart-screenshot$
+  - ^rc-docs$
+  - ^rc_puppet$
+  - ^rcps-intro-training-materials-beamer$
+  - ^rcps-singularity-recipes$
+  - ^research-computing-with-cpp-demo$
+  - ^research-se-python$
+  - ^research-software-teaching$
+  - ^rhel6-install$
+  - ^rhel7-ldap-nfs$
+  - ^rits-reporting$
+  - ^RSD-Dashboard-puppet-module$
+  - ^RSD-Infrastructure$
+  - ^rsd-rag$
+  - ^rsd-sagital_average$
+  - ^rsd-web-resources$
+  - ^rsd_puppet$
+  - ^rsdg-ci-reboot$
+  - ^RSDG_HPC$
+  - ^rse-classwork-2020$
+  - ^sge-to-icinga$
+  - ^sopt$
+  - ^spack4jenkins$
+  - ^spack_packages$
+  - ^SpringDatabaseMultiplexing$
+  - ^tailoredrcstats$
+  - ^test-pages-custom$
+  - ^travis_example$
+  - ^ucl-gtr$
+  - ^ucl-rits.github.io$
+  - ^ucl_reprohack_2020$
+  - ^UsefulModuleFunctions$
+  - ^vetii$

safe-settings/organisation.yaml

@@ -0,0 +1,6 @@
+# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/settings.yml
+---
+repository:
+  allow_auto_merge: true
+  allow_update_branch: true
+  delete_branch_on_merge: true

safe-settings/suborgs/rulesets.yaml

@@ -0,0 +1,19 @@
+# https://github.com/github/safe-settings/blob/main-enterprise/docs/sample-settings/suborg.yml
+# ---
+# suborgrepos:
+#   - "*"
+
+# rulesets:
+#   - name: Default
+#     target: branch
+#     enforcement: active
+
+#     conditions:
+#       ref_name:
+#         include:
+#           - ~DEFAULT_BRANCH
+#         exclude: []
+
+#     rules:
+#       - type: deletion
+#       - type: non_fast_forward # prevents force pushes