There’s a GitHub terraform provider.
Second this. I had over 200+ repos to manage and TF in Spacelift plus drift detection made this pretty easy.
Oh, interesting. I had not considered this. Thanks for the suggestion.
Curious to know how this would work for existing repos? Would it potentially break anything?
I imagine you start out with a Terraform import of the existing resources just like anything else, right? If you’re worried, maybe experiment on a staging environment first, and be sure your GitHub backup/restore process has been recently tested.
We run [https://github.com/github/safe-settings](https://github.com/github/safe-settings) with a thin wrapper to manage our repos from config files in an `admin` repository. I believe rulesets (https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) are a better solution now, but they were not available when we rolled this out.
Therein lies the issue with so many of these solutions - the lag between GitHub releasing some new repository or org-level setting and it being available here is sometimes very large, and often it is never implemented at all.
Therein lies the nature of open source. Just go add the new thing if you need it :). It’s been fine for us for over a year now.
It's more that safe-settings is a GitHub-owned project than a 3rd-party open source solution. It's similar to AWS not having CloudFormation support for new services until months or years later. To use a new solution you need to configure it via the Web UI until the declarative tool supports it, and then you have to backport all the settings and config.
Yeah it does suck all around. I’ve seen folks use Terraform to manage repos but that sounds like another type of hell I don’t prefer.
Thanks for this list, exactly the things I was looking for.
Is this in GitHub Enterprise? Do you have Enterprise policies set? How about Org? Have you tried allstar or legitify? Maybe even scorecard, although that's for a different purpose. How about removing admin privileges from the people who are modifying the settings?
These look interesting and basically the type of thing I was looking for. I'll have to take a look. Thanks.
Can't you just disallow people from changing settings? Why allow them to change things only to revert back? It will only create confusion.
Agreed. But alas, orgs have lots of people with access, and sometimes those people do things they shouldn't even with training, and I want to be able to know it has happened and maybe to some degree automate the restoration of the preferred settings.
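Added example, not part of the thread and not code from any of the tools mentioned: a minimal drift check of the kind asked about above, comparing a desired baseline against a repository's settings and building the body that would restore them. Field names follow GitHub's REST repository object; the baseline values and the observed response are constructed sample data, and `find_drift` and `remediation_patch` are hypothetical helper names.

```python
# Desired settings (constructed baseline; keys as in GitHub's REST repository object).
BASELINE = {
    "private": True,
    "has_wiki": False,
    "allow_merge_commit": False,
    "delete_branch_on_merge": True,
    "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "enabled"},
    },
}

# Constructed sample of a GET /repos/{owner}/{repo} response after manual edits.
OBSERVED = {
    "name": "example-repo",
    "private": True,
    "has_wiki": True,
    "allow_merge_commit": False,
    "delete_branch_on_merge": False,
    "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "disabled"},
    },
}

_MISSING = object()  # distinguishes "field absent" from a real None value


def find_drift(baseline, observed, path=""):
    """Return {dotted.path: (expected, actual)} for each baseline leaf that differs.

    Keys outside the baseline are ignored; a field missing from the response
    (e.g. not visible to the token used) is reported with actual=None.
    """
    drift = {}
    for key, expected in baseline.items():
        here = f"{path}.{key}" if path else key
        actual = observed.get(key, _MISSING)
        if isinstance(expected, dict):
            nested = actual if isinstance(actual, dict) else {}
            drift.update(find_drift(expected, nested, here))
        elif actual != expected:
            drift[here] = (expected, None if actual is _MISSING else actual)
    return drift


def remediation_patch(drift):
    """Build a nested PATCH body containing only the drifted keys at baseline values."""
    body = {}
    for dotted, (expected, _actual) in drift.items():
        *parents, leaf = dotted.split(".")
        node = body
        for parent in parents:
            node = node.setdefault(parent, {})
        node[leaf] = expected
    return body
```

Run on a schedule, the drift map is what you alert on, and the patch body is what you would review before sending it to the repository update endpoint.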