@aspruyt/xfg 3.4.0 → 3.5.1

package/README.md

@@ -65,6 +65,11 @@ files:
       tabWidth: 2
 
 settings:
+  repo:
+    allowSquashMerge: true
+    deleteBranchOnMerge: true
+    vulnerabilityAlerts: true
+
   rulesets:
     main-protection:
       target: branch
@@ -84,7 +89,7 @@ repos:
       - git@github.com:your-org/backend-api.git
 ```
 
-**Result:** PRs are created with `.prettierrc.json` files, and repos get branch protection rules.
+**Result:** PRs are created with `.prettierrc.json` files, and repos get standardized merge options, security settings, and branch protection rules.
 
 ## Documentation
 

package/dist/config-normalizer.js

@@ -91,6 +91,12 @@ export function mergeSettings(root, perRepo) {
     if (deleteOrphaned !== undefined) {
         result.deleteOrphaned = deleteOrphaned;
     }
+    // Merge repo settings: per-repo overrides root (shallow merge)
+    const rootRepo = root?.repo;
+    const perRepoRepo = perRepo?.repo;
+    if (rootRepo || perRepoRepo) {
+        result.repo = { ...rootRepo, ...perRepoRepo };
+    }
     return Object.keys(result).length > 0 ? result : undefined;
 }
 /**
@@ -231,6 +237,9 @@ export function normalizeConfig(raw) {
                 normalizedRootSettings.rulesets = filteredRulesets;
             }
         }
+        if (raw.settings.repo) {
+            normalizedRootSettings.repo = raw.settings.repo;
+        }
         if (raw.settings.deleteOrphaned !== undefined) {
             normalizedRootSettings.deleteOrphaned = raw.settings.deleteOrphaned;
         }

package/dist/config-validator.js

@@ -279,6 +279,74 @@ function getGitDisplayName(git) {
     return git;
 }
 // =============================================================================
+// Repo Settings Validation
+// =============================================================================
+const VALID_VISIBILITY = ["public", "private", "internal"];
+const VALID_SQUASH_MERGE_COMMIT_TITLE = ["PR_TITLE", "COMMIT_OR_PR_TITLE"];
+const VALID_SQUASH_MERGE_COMMIT_MESSAGE = [
+    "PR_BODY",
+    "COMMIT_MESSAGES",
+    "BLANK",
+];
+const VALID_MERGE_COMMIT_TITLE = ["PR_TITLE", "MERGE_MESSAGE"];
+const VALID_MERGE_COMMIT_MESSAGE = ["PR_BODY", "PR_TITLE", "BLANK"];
+/**
+ * Validates GitHub repository settings.
+ */
+function validateRepoSettings(repo, context) {
+    if (typeof repo !== "object" || repo === null || Array.isArray(repo)) {
+        throw new Error(`${context}: repo must be an object`);
+    }
+    const r = repo;
+    // Validate boolean fields
+    const booleanFields = [
+        "hasIssues",
+        "hasProjects",
+        "hasWiki",
+        "hasDiscussions",
+        "isTemplate",
+        "allowForking",
+        "archived",
+        "allowSquashMerge",
+        "allowMergeCommit",
+        "allowRebaseMerge",
+        "allowAutoMerge",
+        "deleteBranchOnMerge",
+        "allowUpdateBranch",
+        "vulnerabilityAlerts",
+        "automatedSecurityFixes",
+        "secretScanning",
+        "secretScanningPushProtection",
+        "privateVulnerabilityReporting",
+    ];
+    for (const field of booleanFields) {
+        if (r[field] !== undefined && typeof r[field] !== "boolean") {
+            throw new Error(`${context}: ${field} must be a boolean`);
+        }
+    }
+    // Validate enum fields
+    if (r.visibility !== undefined &&
+        !VALID_VISIBILITY.includes(r.visibility)) {
+        throw new Error(`${context}: visibility must be one of: ${VALID_VISIBILITY.join(", ")}`);
+    }
+    if (r.squashMergeCommitTitle !== undefined &&
+        !VALID_SQUASH_MERGE_COMMIT_TITLE.includes(r.squashMergeCommitTitle)) {
+        throw new Error(`${context}: squashMergeCommitTitle must be one of: ${VALID_SQUASH_MERGE_COMMIT_TITLE.join(", ")}`);
+    }
+    if (r.squashMergeCommitMessage !== undefined &&
+        !VALID_SQUASH_MERGE_COMMIT_MESSAGE.includes(r.squashMergeCommitMessage)) {
+        throw new Error(`${context}: squashMergeCommitMessage must be one of: ${VALID_SQUASH_MERGE_COMMIT_MESSAGE.join(", ")}`);
+    }
+    if (r.mergeCommitTitle !== undefined &&
+        !VALID_MERGE_COMMIT_TITLE.includes(r.mergeCommitTitle)) {
+        throw new Error(`${context}: mergeCommitTitle must be one of: ${VALID_MERGE_COMMIT_TITLE.join(", ")}`);
+    }
+    if (r.mergeCommitMessage !== undefined &&
+        !VALID_MERGE_COMMIT_MESSAGE.includes(r.mergeCommitMessage)) {
+        throw new Error(`${context}: mergeCommitMessage must be one of: ${VALID_MERGE_COMMIT_MESSAGE.join(", ")}`);
+    }
+}
+// =============================================================================
 // Ruleset Validation
 // =============================================================================
 const VALID_RULESET_TARGETS = ["branch", "tag"];
@@ -515,6 +583,10 @@ export function validateSettings(settings, context, rootRulesetNames) {
     if (s.deleteOrphaned !== undefined && typeof s.deleteOrphaned !== "boolean") {
         throw new Error(`${context}: settings.deleteOrphaned must be a boolean`);
     }
+    // Validate repo settings
+    if (s.repo !== undefined) {
+        validateRepoSettings(s.repo, context);
+    }
 }
 // =============================================================================
 // Command-Specific Validators
@@ -545,8 +617,10 @@ export function hasActionableSettings(settings) {
     if (settings.rulesets && Object.keys(settings.rulesets).length > 0) {
         return true;
     }
-    // Future: check for repoConfig, creation, etc.
-    // if (settings.repoConfig) return true;
+    // Check for repo settings
+    if (settings.repo && Object.keys(settings.repo).length > 0) {
+        return true;
+    }
     return false;
 }
 /**

package/dist/config.d.ts

@@ -210,9 +210,51 @@ export interface Ruleset {
     /** Rules to enforce */
     rules?: RulesetRule[];
 }
+/** Squash merge commit title format */
+export type SquashMergeCommitTitle = "PR_TITLE" | "COMMIT_OR_PR_TITLE";
+/** Squash merge commit message format */
+export type SquashMergeCommitMessage = "PR_BODY" | "COMMIT_MESSAGES" | "BLANK";
+/** Merge commit title format */
+export type MergeCommitTitle = "PR_TITLE" | "MERGE_MESSAGE";
+/** Merge commit message format */
+export type MergeCommitMessage = "PR_BODY" | "PR_TITLE" | "BLANK";
+/** Repository visibility */
+export type RepoVisibility = "public" | "private" | "internal";
+/**
+ * GitHub repository settings configuration.
+ * All properties are optional - only specified properties are applied.
+ * @see https://docs.github.com/en/rest/repos/repos#update-a-repository
+ */
+export interface GitHubRepoSettings {
+    hasIssues?: boolean;
+    hasProjects?: boolean;
+    hasWiki?: boolean;
+    hasDiscussions?: boolean;
+    isTemplate?: boolean;
+    allowForking?: boolean;
+    visibility?: RepoVisibility;
+    archived?: boolean;
+    allowSquashMerge?: boolean;
+    allowMergeCommit?: boolean;
+    allowRebaseMerge?: boolean;
+    allowAutoMerge?: boolean;
+    deleteBranchOnMerge?: boolean;
+    allowUpdateBranch?: boolean;
+    squashMergeCommitTitle?: SquashMergeCommitTitle;
+    squashMergeCommitMessage?: SquashMergeCommitMessage;
+    mergeCommitTitle?: MergeCommitTitle;
+    mergeCommitMessage?: MergeCommitMessage;
+    vulnerabilityAlerts?: boolean;
+    automatedSecurityFixes?: boolean;
+    secretScanning?: boolean;
+    secretScanningPushProtection?: boolean;
+    privateVulnerabilityReporting?: boolean;
+}
 export interface RepoSettings {
     /** GitHub rulesets keyed by name */
     rulesets?: Record<string, Ruleset>;
+    /** GitHub repository settings */
+    repo?: GitHubRepoSettings;
     deleteOrphaned?: boolean;
 }
 export type ContentValue = Record<string, unknown> | string | string[];
@@ -242,6 +284,7 @@ export interface RawRepoSettings {
     rulesets?: Record<string, Ruleset | false> & {
         inherit?: boolean;
     };
+    repo?: GitHubRepoSettings;
     deleteOrphaned?: boolean;
 }
 export interface RawRepoConfig {

package/dist/index.d.ts

@@ -6,6 +6,7 @@ import { RepoConfig } from "./config.js";
 import { RepoInfo } from "./repo-detector.js";
 import { ProcessorOptions } from "./repository-processor.js";
 import { RulesetProcessorOptions, RulesetProcessorResult } from "./ruleset-processor.js";
+import { IRepoSettingsProcessor } from "./repo-settings-processor.js";
 /**
  * Processor interface for dependency injection in tests.
  */
@@ -38,6 +39,14 @@ export type RulesetProcessorFactory = () => IRulesetProcessor;
  * Default factory that creates a real RulesetProcessor.
  */
 export declare const defaultRulesetProcessorFactory: RulesetProcessorFactory;
+/**
+ * Repo settings processor factory function type.
+ */
+export type RepoSettingsProcessorFactory = () => IRepoSettingsProcessor;
+/**
+ * Default factory that creates a real RepoSettingsProcessor.
+ */
+export declare const defaultRepoSettingsProcessorFactory: RepoSettingsProcessorFactory;
 interface SharedOptions {
     config: string;
     dryRun?: boolean;
@@ -53,5 +62,5 @@ interface SyncOptions extends SharedOptions {
 }
 type SettingsOptions = SharedOptions;
 export declare function runSync(options: SyncOptions, processorFactory?: ProcessorFactory): Promise<void>;
-export declare function runSettings(options: SettingsOptions, processorFactory?: RulesetProcessorFactory, repoProcessorFactory?: ProcessorFactory): Promise<void>;
+export declare function runSettings(options: SettingsOptions, processorFactory?: RulesetProcessorFactory, repoProcessorFactory?: ProcessorFactory, repoSettingsProcessorFactory?: RepoSettingsProcessorFactory): Promise<void>;
 export { program };

package/dist/index.js

@@ -20,6 +20,7 @@ import { buildRepoResult, buildErrorResult } from "./summary-utils.js";
 import { RulesetProcessor, } from "./ruleset-processor.js";
 import { getManagedRulesets } from "./manifest.js";
 import { isGitHubRepo } from "./repo-detector.js";
+import { RepoSettingsProcessor, } from "./repo-settings-processor.js";
 /**
  * Default factory that creates a real RepositoryProcessor.
  */
@@ -28,6 +29,10 @@ export const defaultProcessorFactory = () => new RepositoryProcessor();
  * Default factory that creates a real RulesetProcessor.
  */
 export const defaultRulesetProcessorFactory = () => new RulesetProcessor();
+/**
+ * Default factory that creates a real RepoSettingsProcessor.
+ */
+export const defaultRepoSettingsProcessorFactory = () => new RepoSettingsProcessor();
 /**
  * Adds shared options to a command.
  */
@@ -182,7 +187,7 @@ export async function runSync(options, processorFactory = defaultProcessorFactor
 // =============================================================================
 // Settings Command
 // =============================================================================
-export async function runSettings(options, processorFactory = defaultRulesetProcessorFactory, repoProcessorFactory = defaultProcessorFactory) {
+export async function runSettings(options, processorFactory = defaultRulesetProcessorFactory, repoProcessorFactory = defaultProcessorFactory, repoSettingsProcessorFactory = defaultRepoSettingsProcessorFactory) {
     const configPath = resolve(options.config);
     if (!existsSync(configPath)) {
         console.error(`Config file not found: ${configPath}`);
@@ -204,12 +209,20 @@ export async function runSettings(options, processorFactory = defaultRulesetProc
     const config = normalizeConfig(rawConfig);
     // Check if any repos have rulesets configured or have managed rulesets to clean up
     const reposWithRulesets = config.repos.filter((r) => r.settings?.rulesets && Object.keys(r.settings.rulesets).length > 0);
-    if (reposWithRulesets.length === 0) {
-        console.log("No rulesets configured. Add settings.rulesets to your config to manage GitHub Rulesets.");
+    // Check if any repos have repo settings configured
+    const reposWithRepoSettings = config.repos.filter((r) => r.settings?.repo && Object.keys(r.settings.repo).length > 0);
+    if (reposWithRulesets.length === 0 && reposWithRepoSettings.length === 0) {
+        console.log("No settings configured. Add settings.rulesets or settings.repo to your config.");
         return;
     }
-    console.log(`Found ${reposWithRulesets.length} repositories with rulesets\n`);
-    logger.setTotal(reposWithRulesets.length);
+    if (reposWithRulesets.length > 0) {
+        console.log(`Found ${reposWithRulesets.length} repositories with rulesets`);
+    }
+    if (reposWithRepoSettings.length > 0) {
+        console.log(`Found ${reposWithRepoSettings.length} repositories with repo settings`);
+    }
+    console.log("");
+    logger.setTotal(reposWithRulesets.length + reposWithRepoSettings.length);
     const processor = processorFactory();
     const repoProcessor = repoProcessorFactory();
     const results = [];
@@ -319,6 +332,58 @@ export async function runSettings(options, processorFactory = defaultRulesetProc
             failCount++;
         }
     }
+    // Process repo settings
+    if (reposWithRepoSettings.length > 0) {
+        const repoSettingsProcessor = repoSettingsProcessorFactory();
+        console.log(`\nProcessing repo settings for ${reposWithRepoSettings.length} repositories\n`);
+        for (let i = 0; i < reposWithRepoSettings.length; i++) {
+            const repoConfig = reposWithRepoSettings[i];
+            let repoInfo;
+            try {
+                repoInfo = parseGitUrl(repoConfig.git, {
+                    githubHosts: config.githubHosts,
+                });
+            }
+            catch (error) {
+                console.error(`Failed to parse ${repoConfig.git}: ${error}`);
+                failCount++;
+                continue;
+            }
+            const repoName = getRepoDisplayName(repoInfo);
+            try {
+                const result = await repoSettingsProcessor.process(repoConfig, repoInfo, {
+                    dryRun: options.dryRun,
+                });
+                if (result.planOutput && result.planOutput.lines.length > 0) {
+                    console.log(`\n  ${chalk.bold(repoName)}:`);
+                    console.log("  Repo Settings:");
+                    for (const line of result.planOutput.lines) {
+                        console.log(line);
+                    }
+                    if (result.warnings && result.warnings.length > 0) {
+                        for (const warning of result.warnings) {
+                            console.log(chalk.yellow(`  ⚠️  Warning: ${warning}`));
+                        }
+                    }
+                }
+                if (result.skipped) {
+                    // Silent skip for repos without repo settings
+                }
+                else if (result.success) {
+                    console.log(chalk.green(`  ✓ ${repoName}: ${result.message}`));
+                    successCount++;
+                }
+                else {
+                    console.log(chalk.red(`  ✗ ${repoName}: ${result.message}`));
+                    failCount++;
+                }
+            }
+            catch (error) {
+                console.error(`  ✗ ${repoName}: ${error}`);
+                failCount++;
+            }
+        }
+    }
     // Multi-repo summary for dry-run mode
     if (options.dryRun && reposWithChanges > 0) {
         console.log("");
@@ -337,7 +402,7 @@ export async function runSettings(options, processorFactory = defaultRulesetProc
     console.log(`Completed: ${successCount} succeeded, ${skipCount} skipped, ${failCount} failed`);
     // Write GitHub Actions job summary if available
     writeSummary({
-        total: reposWithRulesets.length,
+        total: reposWithRulesets.length + reposWithRepoSettings.length,
         succeeded: successCount,
         skipped: skipCount,
         failed: failCount,

package/dist/repo-settings-diff.d.ts

@@ -0,0 +1,18 @@
+import type { GitHubRepoSettings } from "./config.js";
+import type { CurrentRepoSettings } from "./strategies/repo-settings-strategy.js";
+export type RepoSettingsAction = "add" | "change" | "unchanged";
+export interface RepoSettingsChange {
+    property: keyof GitHubRepoSettings;
+    action: RepoSettingsAction;
+    oldValue?: unknown;
+    newValue?: unknown;
+}
+/**
+ * Compares current repository settings with desired settings.
+ * Only compares properties that are explicitly set in desired.
+ */
+export declare function diffRepoSettings(current: CurrentRepoSettings, desired: GitHubRepoSettings): RepoSettingsChange[];
+/**
+ * Checks if there are any changes to apply.
+ */
+export declare function hasChanges(changes: RepoSettingsChange[]): boolean;

package/dist/repo-settings-diff.js

@@ -0,0 +1,84 @@
+/**
+ * Maps config property names (camelCase) to GitHub API property names (snake_case).
+ */
+const PROPERTY_MAPPING = {
+    hasIssues: "has_issues",
+    hasProjects: "has_projects",
+    hasWiki: "has_wiki",
+    hasDiscussions: "has_discussions",
+    isTemplate: "is_template",
+    allowForking: "allow_forking",
+    visibility: "visibility",
+    archived: "archived",
+    allowSquashMerge: "allow_squash_merge",
+    allowMergeCommit: "allow_merge_commit",
+    allowRebaseMerge: "allow_rebase_merge",
+    allowAutoMerge: "allow_auto_merge",
+    deleteBranchOnMerge: "delete_branch_on_merge",
+    allowUpdateBranch: "allow_update_branch",
+    squashMergeCommitTitle: "squash_merge_commit_title",
+    squashMergeCommitMessage: "squash_merge_commit_message",
+    mergeCommitTitle: "merge_commit_title",
+    mergeCommitMessage: "merge_commit_message",
+    vulnerabilityAlerts: "_vulnerability_alerts",
+    automatedSecurityFixes: "_automated_security_fixes",
+    secretScanning: "_secret_scanning",
+    secretScanningPushProtection: "_secret_scanning_push_protection",
+    privateVulnerabilityReporting: "_private_vulnerability_reporting",
+};
+/**
+ * Gets the current value for a property from GitHub API response.
+ */
+function getCurrentValue(current, property) {
+    const apiKey = PROPERTY_MAPPING[property];
+    // Handle security_and_analysis nested properties
+    if (apiKey === "_secret_scanning") {
+        return current.security_and_analysis?.secret_scanning?.status === "enabled";
+    }
+    if (apiKey === "_secret_scanning_push_protection") {
+        return (current.security_and_analysis?.secret_scanning_push_protection?.status ===
+            "enabled");
+    }
+    // These require separate API calls to check, return undefined
+    if (apiKey.startsWith("_")) {
+        return undefined;
+    }
+    return current[apiKey];
+}
+/**
+ * Compares current repository settings with desired settings.
+ * Only compares properties that are explicitly set in desired.
+ */
+export function diffRepoSettings(current, desired) {
+    const changes = [];
+    for (const [key, desiredValue] of Object.entries(desired)) {
+        if (desiredValue === undefined)
+            continue;
+        const property = key;
+        const currentValue = getCurrentValue(current, property);
+        if (currentValue === undefined) {
+            // Property not currently set or unknown
+            changes.push({
+                property,
+                action: "add",
+                newValue: desiredValue,
+            });
+        }
+        else if (currentValue !== desiredValue) {
+            changes.push({
+                property,
+                action: "change",
+                oldValue: currentValue,
+                newValue: desiredValue,
+            });
+        }
+        // unchanged properties are not included
+    }
+    return changes;
+}
+/**
+ * Checks if there are any changes to apply.
+ */
+export function hasChanges(changes) {
+    return changes.some((c) => c.action !== "unchanged");
+}

package/dist/repo-settings-plan-formatter.d.ts

@@ -0,0 +1,15 @@
+import type { RepoSettingsChange } from "./repo-settings-diff.js";
+export interface RepoSettingsPlanResult {
+    lines: string[];
+    adds: number;
+    changes: number;
+    warnings: string[];
+}
+/**
+ * Formats repo settings changes as Terraform-style plan output.
+ */
+export declare function formatRepoSettingsPlan(changes: RepoSettingsChange[]): RepoSettingsPlanResult;
+/**
+ * Formats warnings for display.
+ */
+export declare function formatWarnings(warnings: string[]): string[];

package/dist/repo-settings-plan-formatter.js

@@ -0,0 +1,66 @@
+import chalk from "chalk";
+/**
+ * Format a value for display.
+ */
+function formatValue(val) {
+    if (val === null)
+        return "null";
+    if (val === undefined)
+        return "undefined";
+    if (typeof val === "string")
+        return `"${val}"`;
+    if (typeof val === "boolean")
+        return val ? "true" : "false";
+    return String(val);
+}
+/**
+ * Get warning message for a property change.
+ */
+function getWarning(change) {
+    if (change.property === "visibility") {
+        return `visibility change (${change.oldValue} → ${change.newValue}) may expose or hide repository`;
+    }
+    if (change.property === "archived" && change.newValue === true) {
+        return "archiving makes repository read-only";
+    }
+    if ((change.property === "hasIssues" ||
+        change.property === "hasWiki" ||
+        change.property === "hasProjects") &&
+        change.newValue === false) {
+        return `disabling ${change.property} may hide existing content`;
+    }
+    return undefined;
+}
+/**
+ * Formats repo settings changes as Terraform-style plan output.
+ */
+export function formatRepoSettingsPlan(changes) {
+    const lines = [];
+    const warnings = [];
+    let adds = 0;
+    let changesCount = 0;
+    if (changes.length === 0) {
+        return { lines, adds, changes: 0, warnings };
+    }
+    for (const change of changes) {
+        const warning = getWarning(change);
+        if (warning) {
+            warnings.push(warning);
+        }
+        if (change.action === "add") {
+            lines.push(chalk.green(`    + ${change.property}: ${formatValue(change.newValue)}`));
+            adds++;
+        }
+        else if (change.action === "change") {
+            lines.push(chalk.yellow(`    ~ ${change.property}: ${formatValue(change.oldValue)} → ${formatValue(change.newValue)}`));
+            changesCount++;
+        }
+    }
+    return { lines, adds, changes: changesCount, warnings };
+}
+/**
+ * Formats warnings for display.
+ */
+export function formatWarnings(warnings) {
+    return warnings.map((w) => chalk.yellow(`  ⚠️  Warning: ${w}`));
+}

package/dist/repo-settings-processor.d.ts

@@ -0,0 +1,30 @@
+import type { RepoConfig } from "./config.js";
+import type { RepoInfo } from "./repo-detector.js";
+import type { IRepoSettingsStrategy } from "./strategies/repo-settings-strategy.js";
+import { RepoSettingsPlanResult } from "./repo-settings-plan-formatter.js";
+export interface IRepoSettingsProcessor {
+    process(repoConfig: RepoConfig, repoInfo: RepoInfo, options: RepoSettingsProcessorOptions): Promise<RepoSettingsProcessorResult>;
+}
+export interface RepoSettingsProcessorOptions {
+    dryRun?: boolean;
+    token?: string;
+}
+export interface RepoSettingsProcessorResult {
+    success: boolean;
+    repoName: string;
+    message: string;
+    skipped?: boolean;
+    dryRun?: boolean;
+    changes?: {
+        adds: number;
+        changes: number;
+    };
+    warnings?: string[];
+    planOutput?: RepoSettingsPlanResult;
+}
+export declare class RepoSettingsProcessor implements IRepoSettingsProcessor {
+    private readonly strategy;
+    constructor(strategy?: IRepoSettingsStrategy);
+    process(repoConfig: RepoConfig, repoInfo: RepoInfo, options: RepoSettingsProcessorOptions): Promise<RepoSettingsProcessorResult>;
+    private applyChanges;
+}

package/dist/repo-settings-processor.js

@@ -0,0 +1,96 @@
+import { isGitHubRepo, getRepoDisplayName } from "./repo-detector.js";
+import { GitHubRepoSettingsStrategy } from "./strategies/github-repo-settings-strategy.js";
+import { diffRepoSettings, hasChanges } from "./repo-settings-diff.js";
+import { formatRepoSettingsPlan, } from "./repo-settings-plan-formatter.js";
+export class RepoSettingsProcessor {
+    strategy;
+    constructor(strategy) {
+        this.strategy = strategy ?? new GitHubRepoSettingsStrategy();
+    }
+    async process(repoConfig, repoInfo, options) {
+        const repoName = getRepoDisplayName(repoInfo);
+        const { dryRun, token } = options;
+        // Check if this is a GitHub repo
+        if (!isGitHubRepo(repoInfo)) {
+            return {
+                success: true,
+                repoName,
+                message: `Skipped: ${repoName} is not a GitHub repository`,
+                skipped: true,
+            };
+        }
+        const githubRepo = repoInfo;
+        const desiredSettings = repoConfig.settings?.repo;
+        // If no repo settings configured, skip
+        if (!desiredSettings || Object.keys(desiredSettings).length === 0) {
+            return {
+                success: true,
+                repoName,
+                message: "No repo settings configured",
+                skipped: true,
+            };
+        }
+        try {
+            const strategyOptions = { token, host: githubRepo.host };
+            // Fetch current settings
+            const currentSettings = await this.strategy.getSettings(githubRepo, strategyOptions);
+            // Compute diff
+            const changes = diffRepoSettings(currentSettings, desiredSettings);
+            if (!hasChanges(changes)) {
+                return {
+                    success: true,
+                    repoName,
+                    message: "No changes needed",
+                    changes: { adds: 0, changes: 0 },
+                };
+            }
+            // Format plan output
+            const planOutput = formatRepoSettingsPlan(changes);
+            // Dry run mode - report planned changes without applying
+            if (dryRun) {
+                return {
+                    success: true,
+                    repoName,
+                    message: `[DRY RUN] ${planOutput.adds} to add, ${planOutput.changes} to change`,
+                    dryRun: true,
+                    changes: { adds: planOutput.adds, changes: planOutput.changes },
+                    warnings: planOutput.warnings,
+                    planOutput,
+                };
+            }
+            // Apply changes
+            await this.applyChanges(githubRepo, desiredSettings, strategyOptions);
+            return {
+                success: true,
+                repoName,
+                message: `Applied: ${planOutput.adds} added, ${planOutput.changes} changed`,
+                changes: { adds: planOutput.adds, changes: planOutput.changes },
+                warnings: planOutput.warnings,
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                success: false,
+                repoName,
+                message: `Failed: ${message}`,
+            };
+        }
+    }
+    async applyChanges(repoInfo, settings, options) {
+        // Extract settings that need separate API calls
+        const { vulnerabilityAlerts, automatedSecurityFixes, ...mainSettings } = settings;
+        // Update main settings via PATCH /repos
+        if (Object.keys(mainSettings).length > 0) {
+            await this.strategy.updateSettings(repoInfo, mainSettings, options);
+        }
+        // Handle vulnerability alerts (separate endpoint)
+        if (vulnerabilityAlerts !== undefined) {
+            await this.strategy.setVulnerabilityAlerts(repoInfo, vulnerabilityAlerts, options);
+        }
+        // Handle automated security fixes (separate endpoint)
+        if (automatedSecurityFixes !== undefined) {
+            await this.strategy.setAutomatedSecurityFixes(repoInfo, automatedSecurityFixes, options);
+        }
+    }
+}

package/dist/strategies/github-repo-settings-strategy.d.ts

@@ -0,0 +1,20 @@
+import { ICommandExecutor } from "../command-executor.js";
+import { RepoInfo } from "../repo-detector.js";
+import type { GitHubRepoSettings } from "../config.js";
+import type { IRepoSettingsStrategy, RepoSettingsStrategyOptions, CurrentRepoSettings } from "./repo-settings-strategy.js";
+/**
+ * GitHub Repository Settings Strategy.
+ * Manages repository settings via GitHub REST API using `gh api` CLI.
+ * Note: Uses exec via ICommandExecutor for gh CLI integration, consistent
+ * with other strategies in this codebase. Inputs are escaped via escapeShellArg.
+ */
+export declare class GitHubRepoSettingsStrategy implements IRepoSettingsStrategy {
+    private executor;
+    constructor(executor?: ICommandExecutor);
+    getSettings(repoInfo: RepoInfo, options?: RepoSettingsStrategyOptions): Promise<CurrentRepoSettings>;
+    updateSettings(repoInfo: RepoInfo, settings: GitHubRepoSettings, options?: RepoSettingsStrategyOptions): Promise<void>;
+    setVulnerabilityAlerts(repoInfo: RepoInfo, enable: boolean, options?: RepoSettingsStrategyOptions): Promise<void>;
+    setAutomatedSecurityFixes(repoInfo: RepoInfo, enable: boolean, options?: RepoSettingsStrategyOptions): Promise<void>;
+    private validateGitHub;
+    private ghApi;
+}

package/dist/strategies/github-repo-settings-strategy.js

@@ -0,0 +1,131 @@
+import { defaultExecutor } from "../command-executor.js";
+import { isGitHubRepo } from "../repo-detector.js";
+import { escapeShellArg } from "../shell-utils.js";
+/**
+ * Converts camelCase to snake_case.
+ */
+function camelToSnake(str) {
+    return str.replace(/([A-Z])/g, "_$1").toLowerCase();
+}
+/**
+ * Converts GitHubRepoSettings (camelCase) to GitHub API format (snake_case).
+ */
+function configToGitHubPayload(settings) {
+    const payload = {};
+    // Map config properties to API properties
+    const directMappings = [
+        "hasIssues",
+        "hasProjects",
+        "hasWiki",
+        "hasDiscussions",
+        "isTemplate",
+        "allowForking",
+        "visibility",
+        "archived",
+        "allowSquashMerge",
+        "allowMergeCommit",
+        "allowRebaseMerge",
+        "allowAutoMerge",
+        "deleteBranchOnMerge",
+        "allowUpdateBranch",
+        "squashMergeCommitTitle",
+        "squashMergeCommitMessage",
+        "mergeCommitTitle",
+        "mergeCommitMessage",
+    ];
+    for (const key of directMappings) {
+        if (settings[key] !== undefined) {
+            payload[camelToSnake(key)] = settings[key];
+        }
+    }
+    // Handle security_and_analysis for secret scanning
+    if (settings.secretScanning !== undefined ||
+        settings.secretScanningPushProtection !== undefined) {
+        payload.security_and_analysis = {
+            ...(settings.secretScanning !== undefined && {
+                secret_scanning: {
+                    status: settings.secretScanning ? "enabled" : "disabled",
+                },
+            }),
+            ...(settings.secretScanningPushProtection !== undefined && {
+                secret_scanning_push_protection: {
+                    status: settings.secretScanningPushProtection
+                        ? "enabled"
+                        : "disabled",
+                },
+            }),
+        };
+    }
+    return payload;
+}
+/**
+ * GitHub Repository Settings Strategy.
+ * Manages repository settings via GitHub REST API using `gh api` CLI.
+ * Note: Uses exec via ICommandExecutor for gh CLI integration, consistent
+ * with other strategies in this codebase. Inputs are escaped via escapeShellArg.
+ */
+export class GitHubRepoSettingsStrategy {
+    executor;
+    constructor(executor) {
+        this.executor = executor ?? defaultExecutor;
+    }
+    async getSettings(repoInfo, options) {
+        this.validateGitHub(repoInfo);
+        const github = repoInfo;
+        const endpoint = `/repos/${github.owner}/${github.repo}`;
+        const result = await this.ghApi("GET", endpoint, undefined, options);
+        return JSON.parse(result);
+    }
+    async updateSettings(repoInfo, settings, options) {
+        this.validateGitHub(repoInfo);
+        const github = repoInfo;
+        const payload = configToGitHubPayload(settings);
+        // Skip if no settings to update
+        if (Object.keys(payload).length === 0) {
+            return;
+        }
+        const endpoint = `/repos/${github.owner}/${github.repo}`;
+        await this.ghApi("PATCH", endpoint, payload, options);
+    }
+    async setVulnerabilityAlerts(repoInfo, enable, options) {
+        this.validateGitHub(repoInfo);
+        const github = repoInfo;
+        const endpoint = `/repos/${github.owner}/${github.repo}/vulnerability-alerts`;
+        const method = enable ? "PUT" : "DELETE";
+        await this.ghApi(method, endpoint, undefined, options);
+    }
+    async setAutomatedSecurityFixes(repoInfo, enable, options) {
+        this.validateGitHub(repoInfo);
+        const github = repoInfo;
+        const endpoint = `/repos/${github.owner}/${github.repo}/automated-security-fixes`;
+        const method = enable ? "PUT" : "DELETE";
+        await this.ghApi(method, endpoint, undefined, options);
+    }
+    validateGitHub(repoInfo) {
+        if (!isGitHubRepo(repoInfo)) {
+            throw new Error(`GitHub Repo Settings strategy requires GitHub repositories. Got: ${repoInfo.type}`);
+        }
+    }
+    async ghApi(method, endpoint, payload, options) {
+        const args = ["gh", "api"];
+        if (method !== "GET") {
+            args.push("-X", method);
+        }
+        if (options?.host && options.host !== "github.com") {
+            args.push("--hostname", escapeShellArg(options.host));
+        }
+        args.push(escapeShellArg(endpoint));
+        const baseCommand = args.join(" ");
+        const tokenPrefix = options?.token
+            ? `GH_TOKEN=${escapeShellArg(options.token)} `
+            : "";
+        if (payload &&
+            (method === "POST" || method === "PUT" || method === "PATCH")) {
+            const payloadJson = JSON.stringify(payload);
+            const command = `echo ${escapeShellArg(payloadJson)} | ${tokenPrefix}${baseCommand} --input -`;
+            return await this.executor.exec(command, process.cwd());
+        }
+        const command = `${tokenPrefix}${baseCommand}`;
+        return await this.executor.exec(command, process.cwd());
+    }
+}

package/dist/strategies/repo-settings-strategy.d.ts

@@ -0,0 +1,62 @@
+import type { RepoInfo } from "../repo-detector.js";
+import type { GitHubRepoSettings } from "../config.js";
+export interface RepoSettingsStrategyOptions {
+    token?: string;
+    host?: string;
+}
+/**
+ * Current repository settings from GitHub API (snake_case).
+ */
+export interface CurrentRepoSettings {
+    has_issues?: boolean;
+    has_projects?: boolean;
+    has_wiki?: boolean;
+    has_discussions?: boolean;
+    is_template?: boolean;
+    allow_forking?: boolean;
+    visibility?: string;
+    archived?: boolean;
+    allow_squash_merge?: boolean;
+    allow_merge_commit?: boolean;
+    allow_rebase_merge?: boolean;
+    allow_auto_merge?: boolean;
+    delete_branch_on_merge?: boolean;
+    allow_update_branch?: boolean;
+    squash_merge_commit_title?: string;
+    squash_merge_commit_message?: string;
+    merge_commit_title?: string;
+    merge_commit_message?: string;
+    security_and_analysis?: {
+        secret_scanning?: {
+            status: string;
+        };
+        secret_scanning_push_protection?: {
+            status: string;
+        };
+        secret_scanning_validity_checks?: {
+            status: string;
+        };
+    };
+}
+export interface IRepoSettingsStrategy {
+    /**
+     * Gets current repository settings.
+     */
+    getSettings(repoInfo: RepoInfo, options?: RepoSettingsStrategyOptions): Promise<CurrentRepoSettings>;
+    /**
+     * Updates repository settings.
+     */
+    updateSettings(repoInfo: RepoInfo, settings: GitHubRepoSettings, options?: RepoSettingsStrategyOptions): Promise<void>;
+    /**
+     * Enables or disables vulnerability alerts.
+     */
+    setVulnerabilityAlerts(repoInfo: RepoInfo, enable: boolean, options?: RepoSettingsStrategyOptions): Promise<void>;
+    /**
+     * Enables or disables automated security fixes.
+     */
+    setAutomatedSecurityFixes(repoInfo: RepoInfo, enable: boolean, options?: RepoSettingsStrategyOptions): Promise<void>;
+}
+/**
+ * Type guard to check if an object implements IRepoSettingsStrategy.
+ */
+export declare function isRepoSettingsStrategy(obj: unknown): obj is IRepoSettingsStrategy;

package/dist/strategies/repo-settings-strategy.js

@@ -0,0 +1,13 @@
+/**
+ * Type guard to check if an object implements IRepoSettingsStrategy.
+ */
+export function isRepoSettingsStrategy(obj) {
+    if (typeof obj !== "object" || obj === null) {
+        return false;
+    }
+    const strategy = obj;
+    return (typeof strategy.getSettings === "function" &&
+        typeof strategy.updateSettings === "function" &&
+        typeof strategy.setVulnerabilityAlerts === "function" &&
+        typeof strategy.setAutomatedSecurityFixes === "function");
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aspruyt/xfg",
-  "version": "3.4.0",
+  "version": "3.5.1",
   "description": "CLI tool for repository-as-code",
   "type": "module",
   "main": "dist/index.js",
@@ -32,7 +32,8 @@
     "test:integration:ado": "npm run build && node --import tsx --test test/integration/ado.test.ts",
     "test:integration:gitlab": "npm run build && node --import tsx --test test/integration/gitlab.test.ts",
     "test:integration:github-app": "npm run build && node --import tsx --test test/integration/github-app.test.ts",
-    "test:integration:github-settings": "npm run build && node --import tsx --test test/integration/github-settings.test.ts",
+    "test:integration:github-rulesets": "npm run build && node --import tsx --test test/integration/github-rulesets.test.ts",
+    "test:integration:github-repo-settings": "npm run build && node --import tsx --test test/integration/github-repo-settings.test.ts",
     "prepublishOnly": "npm run build"
   },
   "keywords": [