Conversation

@a5chin (Owner) commented Jan 30, 2026

User description

Type of Change

  • Hotfix
  • Bug Fix
  • Dependency Update
  • Feature
  • Refactor
  • CI/CD
  • Documentation

Related Issues

Breaking Changes

  • No breaking changes
  • API signature changed
  • Configuration changed
  • Behavior changed
  • Dependencies changed
  • Features removed

Checklist

  • Dependencies added/updated
  • New environment variables
  • Performance impact assessed
  • Security implications reviewed
  • Deployment notes

Additional Context


PR Type

Enhancement, Documentation


Description

  • Add workflow for repository settings.
  • Configure branch protection rules.
  • Enable auto-delete head branches.
  • Set GitHub Pages source.


Diagram Walkthrough

flowchart LR
  A[Trigger: PR, Schedule, Manual] --> B{Repository Settings Workflow}
  B --> C[Job: Delete Branch]
  B --> D[Job: Configure GitHub Pages]
  B --> E[Job: Apply Branch Protection]
  C -- "Enables auto-delete" --> F[Repository Settings]
  D -- "Sets gh-pages source" --> F
  E -- "Applies rules from protection.json" --> F

File Walkthrough

Relevant files

Configuration changes

  .github/protection.json (+17/-0)
  Define branch protection rules for the main branch

    • Adds a new JSON file to define branch protection rules.
    • Specifies rules for the main branch, including requiring one approving
      review.
    • Enforces code owner reviews and disallows force pushes and deletions.

CI/CD

  .github/workflows/setting.yml (+88/-0)
  Implement GitHub Actions workflow for repository settings

    • Introduces a new GitHub Actions workflow for managing repository
      settings.
    • Configures triggers for pull requests, scheduled runs, and manual
      dispatch.
    • Adds a delete-branch job to enable auto-deletion of head branches on
      merge.
    • Includes a pages job to set GitHub Pages source to gh-pages branch and
      root path.
    • Implements a protection job to apply branch protection rules from
      .github/protection.json.
    • Utilizes actions/create-github-app-token@v2 for secure token
      generation.

@a5chin a5chin self-assigned this Jan 30, 2026
@a5chin (Owner, Author) commented Jan 30, 2026

/review

@github-actions (Contributor) commented
PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 Security concerns

Sensitive information exposure:
The actions/create-github-app-token@v2 action, as used in this PR, does not specify explicit permissions. By default, it will request all permissions available to the GitHub App. This creates a security risk as the generated token will have overly broad privileges. If this token were to be compromised, it could allow an attacker to perform actions beyond what is necessary for the workflow, potentially leading to unauthorized repository modifications or data exposure. It is recommended to explicitly define the minimum required permissions for each job's token.

⚡ Recommended focus areas for review

Token Permissions

The GitHub App token generated by actions/create-github-app-token@v2 should specify the minimum required permissions for each job. Currently, it appears to request all available permissions for the app, which violates the principle of least privilege and could pose a security risk if the token is compromised.

uses: actions/create-github-app-token@v2
with:
  app-id: ${{ vars.APP_ID }}
  private-key: ${{ secrets.APP_KEY }}

Error Handling

In the pages job, the gh api -X POST command uses --silent. If this command fails for reasons other than the page already existing (e.g., a permission error or malformed request), the error message will be suppressed, potentially masking underlying issues before the PUT attempt.

gh api -X POST "repos/${{ github.repository }}/pages" \
  -f "source[branch]=${{ env.BRANCH }}" \
  -f "source[path]=${{ env.TARGET_PATH }}" --silent \
|| \
gh api -X PUT "repos/${{ github.repository }}/pages" \
  -f "source[branch]=${{ env.BRANCH }}" \
  -f "source[path]=${{ env.TARGET_PATH }}"

Temporary File Naming

In the protection job, the temporary file for branch protection rules is named $BRANCH_protection.json. If a branch name contains characters invalid for a filename (e.g., /), this could lead to unexpected behavior or errors. Consider using a more robust method for temporary file creation or a fixed, unique temporary filename.

jq -c ".\"$BRANCH\"" "$CONFIG_FILE" > "$BRANCH_protection.json"
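The three findings above (broad App token, `--silent` masking API errors, branch name used as a filename) can be addressed in one job. The fragment below is an added example, not the PR's own setting.yml; it assumes the same `vars.APP_ID` / `secrets.APP_KEY`, a `.github/protection.json` keyed by branch name as the review describes, and the branch-protection and Pages endpoints of the GitHub REST API. The per-permission `permission-*` inputs are those supported by v2 of actions/create-github-app-token.

```yaml
# Added example, not the PR's setting.yml: one job that addresses the three
# review findings. Assumes the same vars/secrets (APP_ID, APP_KEY) and a
# .github/protection.json keyed by branch name, as described above.
jobs:
  settings:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_KEY }}
          # Least privilege: name the permissions this job needs instead of
          # inheriting every permission granted to the App installation.
          permission-administration: write   # branch protection rules
          permission-pages: write            # Pages source
      - name: Apply branch protection
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          CONFIG_FILE: .github/protection.json
          BRANCH: main
        run: |
          set -euo pipefail
          # mktemp yields a unique path no matter what the branch is called
          # (a name such as release/1.x cannot turn into a nested path).
          tmp="$(mktemp)"
          trap 'rm -f "$tmp"' EXIT
          # Braces matter: "$BRANCH_protection.json" would expand a variable
          # named BRANCH_protection; -e fails if the branch key is missing.
          jq -e ".\"${BRANCH}\"" "$CONFIG_FILE" > "$tmp"
          gh api -X PUT "repos/${GITHUB_REPOSITORY}/branches/${BRANCH}/protection" \
            --input "$tmp"
      - name: Configure GitHub Pages source
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          BRANCH: gh-pages
          TARGET_PATH: /
        run: |
          set -euo pipefail
          # Decide create vs. update with a read, then run the write without
          # --silent so an API error (403, malformed body) shows in the log.
          if gh api "repos/${GITHUB_REPOSITORY}/pages" --silent; then
            method=PUT
          else
            method=POST
          fi
          gh api -X "$method" "repos/${GITHUB_REPOSITORY}/pages" \
            -f "source[branch]=${BRANCH}" -f "source[path]=${TARGET_PATH}"
```

If the read in the Pages step fails for a reason other than "not found", the following non-silent POST fails visibly instead of being swallowed by `||`.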

@a5chin (Owner, Author) commented Jan 30, 2026

/improve

a5chin and others added 2 commits January 30, 2026 18:31
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>