npm - @aspruyt/xfg - Versions diffs - 3.9.6 → 3.9.9 - Mend

@aspruyt/xfg 3.9.6 → 3.9.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/cli/settings-command.js +2 -0
package/dist/settings/repo-settings/github-repo-settings-strategy.js +16 -4
package/dist/settings/repo-settings/processor.d.ts +5 -0
package/dist/settings/repo-settings/processor.js +38 -0
package/dist/settings/repo-settings/types.d.ts +1 -0
package/package.json +1 -1

package/dist/cli/settings-command.js CHANGED Viewed

@@ -167,6 +167,7 @@ async function processRulesets(repos, config, options, processor, repoProcessor,
             }
             else {
                 logger.error(i + 1, repoName, result.message);
+                collector.appendError(repoName, result.message);
             }
             results.push({
                 repoName,
@@ -240,6 +241,7 @@ async function processRepoSettings(repos, config, options, processorFactory, res
             }
             else {
                 logger.error(current, repoName, result.message);
+                collector.appendError(repoName, result.message);
             }
             if (!result.skipped) {
                 const existing = results.find((r) => r.repoName === repoName);

package/dist/settings/repo-settings/github-repo-settings-strategy.js CHANGED Viewed

@@ -78,7 +78,10 @@ export class GitHubRepoSettingsStrategy {
         const github = repoInfo;
         const endpoint = `/repos/${github.owner}/${github.repo}`;
         const result = await this.ghApi("GET", endpoint, undefined, options);
-        const settings = JSON.parse(result);
+        const parsed = JSON.parse(result);
+        const settings = parsed;
+        // Extract owner type from nested API response
+        settings.owner_type = parsed.owner?.type;
         // Fetch security settings from separate endpoints
         settings.vulnerability_alerts = await this.getVulnerabilityAlerts(github, options);
         // Pass vulnerability_alerts state - automated security fixes requires it enabled
@@ -156,9 +159,18 @@ export class GitHubRepoSettingsStrategy {
     }
     async getPrivateVulnerabilityReporting(github, options) {
         const endpoint = `/repos/${github.owner}/${github.repo}/private-vulnerability-reporting`;
-        const result = await this.ghApi("GET", endpoint, undefined, options);
-        const data = JSON.parse(result);
-        return data.enabled === true;
+        try {
+            const result = await this.ghApi("GET", endpoint, undefined, options);
+            const data = JSON.parse(result);
+            return data.enabled === true;
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            if (message.includes("HTTP 404")) {
+                return false; // 404 = not available (e.g. private repos)
+            }
+            throw error; // Re-throw other errors
+        }
     }
     validateGitHub(repoInfo) {
         if (!isGitHubRepo(repoInfo)) {

package/dist/settings/repo-settings/processor.d.ts CHANGED Viewed

@@ -28,6 +28,11 @@ export declare class RepoSettingsProcessor implements IRepoSettingsProcessor {
     constructor(strategy?: IRepoSettingsStrategy);
     process(repoConfig: RepoConfig, repoInfo: RepoInfo, options: RepoSettingsProcessorOptions): Promise<RepoSettingsProcessorResult>;
     private applyChanges;
+    /**
+     * Validates that desired security settings are compatible with the repo's
+     * visibility and owner type. Returns error messages for incompatible settings.
+     */
+    private validateSecuritySettings;
     /**
      * Resolves a GitHub App installation token for the given repo.
      * Returns undefined if no token manager or token resolution fails.

package/dist/settings/repo-settings/processor.js CHANGED Viewed

@@ -45,6 +45,15 @@ export class RepoSettingsProcessor {
             const strategyOptions = { token: effectiveToken, host: githubRepo.host };
             // Fetch current settings
             const currentSettings = await this.strategy.getSettings(githubRepo, strategyOptions);
+            // Validate security settings compatibility
+            const securityErrors = this.validateSecuritySettings(desiredSettings, currentSettings);
+            if (securityErrors.length > 0) {
+                return {
+                    success: false,
+                    repoName,
+                    message: `Failed: ${securityErrors.join("; ")}`,
+                };
+            }
             // Compute diff
             const changes = diffRepoSettings(currentSettings, desiredSettings);
             if (!hasChanges(changes)) {
@@ -117,6 +126,35 @@ export class RepoSettingsProcessor {
             await this.strategy.setAutomatedSecurityFixes(repoInfo, automatedSecurityFixes, options);
         }
     }
+    /**
+     * Validates that desired security settings are compatible with the repo's
+     * visibility and owner type. Returns error messages for incompatible settings.
+     */
+    validateSecuritySettings(desiredSettings, currentSettings) {
+        const errors = [];
+        const isPublic = currentSettings.visibility === "public";
+        // privateVulnerabilityReporting is only available on public repos
+        if (desiredSettings.privateVulnerabilityReporting === true && !isPublic) {
+            errors.push("privateVulnerabilityReporting is only available for public repositories");
+        }
+        // secretScanning and secretScanningPushProtection:
+        // - Available on public repos (free)
+        // - Available on org private/internal repos with GHAS (security_and_analysis is populated)
+        // - NOT available on user private repos or org private/internal repos without GHAS
+        if (!isPublic) {
+            const isUserOwned = currentSettings.owner_type === "User";
+            const hasGHAS = currentSettings.security_and_analysis != null;
+            if (desiredSettings.secretScanning === true &&
+                (isUserOwned || !hasGHAS)) {
+                errors.push("secretScanning requires GitHub Advanced Security (not available for this repository)");
+            }
+            if (desiredSettings.secretScanningPushProtection === true &&
+                (isUserOwned || !hasGHAS)) {
+                errors.push("secretScanningPushProtection requires GitHub Advanced Security (not available for this repository)");
+            }
+        }
+        return errors;
+    }
     /**
      * Resolves a GitHub App installation token for the given repo.
      * Returns undefined if no token manager or token resolution fails.

package/dist/settings/repo-settings/types.d.ts CHANGED Viewed

@@ -39,6 +39,7 @@ export interface CurrentRepoSettings {
             status: string;
         };
     };
+    owner_type?: "User" | "Organization";
     vulnerability_alerts?: boolean;
     automated_security_fixes?: boolean;
     private_vulnerability_reporting?: boolean;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aspruyt/xfg",
-  "version": "3.9.6",
+  "version": "3.9.9",
   "description": "Manage files, settings, and repositories across GitHub, Azure DevOps, and GitLab — declaratively, from a single YAML config",
   "type": "module",
   "main": "dist/index.js",