@aspruyt/xfg 6.1.0 → 6.3.0

package/dist/cli/lifecycle-report-builder.d.ts

@@ -1,2 +1,2 @@
-import type { LifecycleReport, LifecycleAction } from "../output/lifecycle-report.js";
-export declare function buildLifecycleReport(results: LifecycleAction[]): LifecycleReport;
+import type { LifecycleReport, LifecycleAction } from "../output/index.js";
+export declare function buildLifecycleReport(actions: LifecycleAction[]): LifecycleReport;

package/dist/cli/lifecycle-report-builder.js

@@ -1,15 +1,7 @@
-export function buildLifecycleReport(results) {
-    const actions = [];
+export function buildLifecycleReport(actions) {
     const totals = { created: 0, forked: 0, migrated: 0, existed: 0 };
-    for (const result of results) {
-        actions.push({
-            repoName: result.repoName,
-            action: result.action,
-            upstream: result.upstream,
-            source: result.source,
-            settings: result.settings,
-        });
-        totals[result.action]++;
+    for (const action of actions) {
+        totals[action.action]++;
     }
     return { actions, totals };
 }

package/dist/cli/program.d.ts

@@ -1,5 +1,6 @@
 import { program } from "commander";
 import { MergeMode, MergeStrategy } from "../config/index.js";
+declare function getVersion(): string;
 export declare function parseMergeMode(value: string): MergeMode;
 export declare function parseMergeStrategy(value: string): MergeStrategy;
-export { program };
+export { program, getVersion };

package/dist/cli/program.js

@@ -1,9 +1,10 @@
-import { program, Command } from "commander";
+import { program, Command, InvalidArgumentError } from "commander";
 import { dirname, join } from "node:path";
 import { readFileSync } from "node:fs";
 import { fileURLToPath } from "node:url";
 import { ValidationError } from "../shared/errors.js";
 import { runSync } from "./sync-command.js";
+import { runSecretsSync } from "./secrets-command.js";
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 function getVersion() {
@@ -26,7 +27,12 @@ function addSharedOptions(cmd) {
         .requiredOption("-c, --config <path>", "Path to YAML config file")
         .option("-d, --dry-run", "Show what would be done without making changes")
         .option("-w, --work-dir <path>", "Temporary directory for cloning", "./tmp")
-        .option("-r, --retries <number>", "Number of retries for network operations (0 to disable)", (v) => parseInt(v, 10), 3)
+        .option("-r, --retries <number>", "Number of retries for network operations (0 to disable)", (v) => {
+        const n = parseInt(v, 10);
+        if (isNaN(n) || n < 0)
+            throw new InvalidArgumentError("Must be a non-negative number.");
+        return n;
+    }, 3)
         .option("--no-delete", "Skip deletion of orphaned resources even if deleteOrphaned is configured");
 }
 // =============================================================================
@@ -51,8 +57,7 @@ export function parseMergeStrategy(value) {
 // =============================================================================
 program
     .name("xfg")
-    .description("Manage files, settings, and repositories across GitHub, Azure DevOps, and GitLab")
-    .version(getVersion());
+    .description("Manage files, settings, and repositories across GitHub, Azure DevOps, and GitLab");
 // Sync command (file synchronization)
 const syncCommand = new Command("sync")
     .description("Sync configuration files across repositories")
@@ -62,7 +67,11 @@ const syncCommand = new Command("sync")
     .option("--delete-branch", "Delete source branch after merge")
     .action(async (opts) => {
     try {
-        await runSync(opts);
+        const options = {
+            ...opts,
+            noDelete: opts.delete === false,
+        };
+        await runSync(options);
     }
     catch (error) {
         console.error("Fatal error:", error);
@@ -71,4 +80,32 @@ const syncCommand = new Command("sync")
 });
 addSharedOptions(syncCommand);
 program.addCommand(syncCommand);
-export { program };
+const secretsCommand = new Command("secrets").description("Manage repository secrets");
+const secretsSyncCommand = new Command("sync")
+    .description("Sync secrets to target repositories")
+    .requiredOption("-c, --config <path>", "Path to xfg config file")
+    .option("-d, --dry-run", "Show what would be done without making changes")
+    .option("--no-delete", "Skip deletion of orphaned secrets")
+    .option("-w, --work-dir <path>", "Temporary directory for cloning", "./tmp")
+    .option("-r, --retries <number>", "Number of retries for network operations (0 to disable)", (value) => {
+    const n = parseInt(value, 10);
+    if (isNaN(n) || n < 0)
+        throw new InvalidArgumentError("Must be a non-negative number.");
+    return n;
+}, 3)
+    .action(async (opts) => {
+    try {
+        const options = {
+            ...opts,
+            noDelete: opts.delete === false,
+        };
+        await runSecretsSync(options);
+    }
+    catch (error) {
+        console.error("Fatal error:", error);
+        return process.exit(1);
+    }
+});
+secretsCommand.addCommand(secretsSyncCommand);
+program.addCommand(secretsCommand);
+export { program, getVersion };

package/dist/cli/repo-sync-runner.d.ts

@@ -0,0 +1,24 @@
+import type { Config, RepoConfig } from "../config/index.js";
+import type { createTokenManager } from "../vcs/index.js";
+import type { IRepositoryProcessor } from "../sync/index.js";
+import type { ProcessExecutor } from "../shared/command-executor.js";
+import type { Logger } from "../shared/logger.js";
+import { type IRepoLifecycleManager } from "../lifecycle/index.js";
+import type { SyncOptions, SyncResultEntry, SettingsProcessorFactories } from "./types.js";
+import type { ResultsCollector } from "./results-collector.js";
+import type { LifecycleAction } from "../output/index.js";
+export interface RepoIterationContext {
+    config: Config;
+    options: SyncOptions;
+    branchName: string;
+    processor: IRepositoryProcessor;
+    lifecycleManager: IRepoLifecycleManager;
+    tokenManager: ReturnType<typeof createTokenManager>;
+    reportResults: SyncResultEntry[];
+    lifecycleReportInputs: LifecycleAction[];
+    settingsCollector: ResultsCollector;
+    factories: SettingsProcessorFactories;
+    logger: Logger;
+    executor: ProcessExecutor;
+}
+export declare function runSingleRepo(repoConfig: RepoConfig, index: number, ctx: RepoIterationContext): Promise<void>;

package/dist/cli/repo-sync-runner.js

@@ -0,0 +1,156 @@
+import { resolve, join } from "node:path";
+import { parseGitUrl, getRepoDisplayName, isGitHubRepo, } from "../repo/index.js";
+import { generateWorkspaceName } from "../shared/workspace-utils.js";
+import { toErrorMessage } from "../shared/type-guards.js";
+import { resolveGitHubToken } from "../shared/gh-token-utils.js";
+import { runLifecycleCheck, } from "../lifecycle/index.js";
+import { applyRepoSettings } from "./settings-runner.js";
+import { determineMergeOutcome } from "./sync-utils.js";
+function pushFailure(results, repoName, error) {
+    results.push({
+        repoName,
+        success: false,
+        fileChanges: [],
+        error: toErrorMessage(error),
+    });
+}
+async function runLifecyclePhase(repo, ctx) {
+    const repoNumber = repo.index + 1;
+    try {
+        const { outputLines, lifecycleResult, reportSettings } = await runLifecycleCheck(repo.repoConfig, repo.repoInfo, {
+            dryRun: ctx.options.dryRun ?? false,
+            resolvedWorkDir: repo.workDir,
+            githubHosts: ctx.config.githubHosts,
+            token: repo.token,
+            repoIndex: repo.index,
+            lifecycleManager: ctx.lifecycleManager,
+            repoSettings: ctx.config.settings?.repo,
+        });
+        for (const line of outputLines) {
+            ctx.logger.info(line);
+        }
+        ctx.lifecycleReportInputs.push({
+            repoName: repo.repoName,
+            action: lifecycleResult.action,
+            upstream: repo.repoConfig.upstream,
+            source: repo.repoConfig.source,
+            settings: reportSettings,
+        });
+        if (ctx.options.dryRun && lifecycleResult.action !== "existed") {
+            ctx.reportResults.push({
+                repoName: repo.repoName,
+                success: true,
+                fileChanges: [],
+            });
+            return true;
+        }
+        return false;
+    }
+    catch (error) {
+        ctx.logger.error(repoNumber, repo.repoName, `Lifecycle error: ${toErrorMessage(error)}`);
+        pushFailure(ctx.reportResults, repo.repoName, error);
+        return true;
+    }
+}
+async function runFileSyncPhase(repo, ctx) {
+    const repoNumber = repo.index + 1;
+    try {
+        ctx.logger.progress(repoNumber, repo.repoName, "Processing...");
+        const result = await ctx.processor.process(repo.repoConfig, repo.repoInfo, {
+            branchName: ctx.branchName,
+            workDir: repo.workDir,
+            configId: ctx.config.id,
+            dryRun: ctx.options.dryRun,
+            retries: ctx.options.retries,
+            executor: ctx.executor,
+            prTemplate: ctx.config.prTemplate,
+            noDelete: ctx.options.noDelete,
+            token: repo.token,
+            hasAppCredentials: isGitHubRepo(repo.repoInfo) && ctx.tokenManager !== null,
+        });
+        const mergeOutcome = determineMergeOutcome(result);
+        ctx.reportResults.push({
+            repoName: repo.repoName,
+            success: result.success,
+            fileChanges: result.fileChanges ?? [],
+            prUrl: result.prUrl,
+            mergeOutcome,
+            error: result.success ? undefined : result.message,
+        });
+        if (result.skipped) {
+            ctx.logger.skip(repoNumber, repo.repoName, result.message);
+        }
+        else if (result.success) {
+            ctx.logger.success(repoNumber, repo.repoName, result.message);
+        }
+        else {
+            ctx.logger.error(repoNumber, repo.repoName, result.message);
+        }
+    }
+    catch (error) {
+        ctx.logger.error(repoNumber, repo.repoName, toErrorMessage(error));
+        pushFailure(ctx.reportResults, repo.repoName, error);
+    }
+}
+export async function runSingleRepo(repoConfig, index, ctx) {
+    const { config, options, logger } = ctx;
+    const repoNumber = index + 1;
+    const effectivePrOptions = options.merge || options.mergeStrategy || options.deleteBranch
+        ? {
+            ...repoConfig.prOptions,
+            merge: options.merge ?? repoConfig.prOptions?.merge,
+            mergeStrategy: options.mergeStrategy ?? repoConfig.prOptions?.mergeStrategy,
+            deleteBranch: options.deleteBranch ?? repoConfig.prOptions?.deleteBranch,
+        }
+        : repoConfig.prOptions;
+    const effectiveRepoConfig = { ...repoConfig, prOptions: effectivePrOptions };
+    const mergeMode = effectivePrOptions?.merge ?? "auto";
+    if (mergeMode === "direct" && effectivePrOptions?.mergeStrategy) {
+        logger.warn(`mergeStrategy '${effectivePrOptions.mergeStrategy}' is ignored in direct mode for ${repoConfig.git}`);
+    }
+    let repoInfo;
+    try {
+        repoInfo = parseGitUrl(repoConfig.git, {
+            githubHosts: config.githubHosts,
+        });
+    }
+    catch (error) {
+        logger.error(repoNumber, repoConfig.git, toErrorMessage(error));
+        pushFailure(ctx.reportResults, repoConfig.git, error);
+        return;
+    }
+    const repoName = getRepoDisplayName(repoInfo);
+    const workDir = resolve(join(options.workDir ?? "./tmp", generateWorkspaceName(index)));
+    const repoToken = isGitHubRepo(repoInfo)
+        ? (await resolveGitHubToken({
+            repoInfo: repoInfo,
+            tokenManager: ctx.tokenManager,
+            context: repoName,
+            log: logger,
+            envToken: process.env.GH_TOKEN,
+        })).token
+        : undefined;
+    const repo = {
+        repoConfig: effectiveRepoConfig,
+        repoInfo,
+        repoName,
+        index,
+        workDir,
+        token: repoToken,
+    };
+    const skipFileSync = await runLifecyclePhase(repo, ctx);
+    if (skipFileSync)
+        return;
+    await runFileSyncPhase(repo, ctx);
+    await applyRepoSettings({
+        repoConfig: effectiveRepoConfig,
+        repoInfo,
+        repoName,
+        repoNumber,
+        options,
+        token: repoToken,
+        settingsCollector: ctx.settingsCollector,
+        factories: ctx.factories,
+        logger,
+    });
+}

package/dist/cli/results-collector.d.ts

@@ -5,7 +5,7 @@ import type { ProcessorResults } from "./settings-report-builder.js";
  */
 export declare class ResultsCollector {
     private readonly results;
-    getOrCreate(repoName: string): ProcessorResults;
+    findOrCreate(repoName: string): ProcessorResults;
     appendError(repoName: string, error: unknown): void;
     getAll(): ProcessorResults[];
 }

package/dist/cli/results-collector.js

@@ -5,7 +5,7 @@ import { toErrorMessage } from "../shared/type-guards.js";
  */
 export class ResultsCollector {
     results = [];
-    getOrCreate(repoName) {
+    findOrCreate(repoName) {
         let result = this.results.find((r) => r.repoName === repoName);
         if (!result) {
             result = { repoName };
@@ -14,7 +14,7 @@ export class ResultsCollector {
         return result;
     }
     appendError(repoName, error) {
-        const existing = this.getOrCreate(repoName);
+        const existing = this.findOrCreate(repoName);
         const errorMsg = toErrorMessage(error);
         if (existing.error) {
             existing.error += `; ${errorMsg}`;

package/dist/cli/secrets-command.d.ts

@@ -0,0 +1,25 @@
+import type { SecretsProcessorResult } from "../secrets/processor.js";
+import type { SecretConfig, Config } from "../config/index.js";
+import type { RepoInfo } from "../repo/index.js";
+type SecretsConfig = Record<string, SecretConfig | boolean> & {
+    deleteOrphaned?: boolean;
+};
+export interface ISecretsProcessorAdapter {
+    process(secretsConfig: SecretsConfig, repoInfo: RepoInfo, options: {
+        dryRun?: boolean;
+        token?: string;
+        noDelete?: boolean;
+    }): Promise<SecretsProcessorResult>;
+}
+export interface SecretsSyncDependencies {
+    processorFactory?: (config: Config, cwd: string, retries: number) => ISecretsProcessorAdapter;
+}
+export interface SecretsSyncOptions {
+    config: string;
+    dryRun?: boolean;
+    noDelete?: boolean;
+    workDir?: string;
+    retries?: number;
+}
+export declare function runSecretsSync(options: SecretsSyncOptions, deps?: SecretsSyncDependencies): Promise<void>;
+export {};

package/dist/cli/secrets-command.js

@@ -0,0 +1,75 @@
+import { loadRawConfig } from "../config/index.js";
+import { normalizeConfig } from "../config/normalizer.js";
+import { validateRawConfig, validateSecretsConfig, validateVariableSecretOverlaps, } from "../config/validator.js";
+import { SecretsProcessor, GitHubSecretsStrategy, SodiumEncryptor, } from "../secrets/index.js";
+import { EnvResolver } from "../shared/env-resolver.js";
+import { ProcessExecutor } from "../shared/command-executor.js";
+import { parseGitUrl } from "../repo/index.js";
+import { Logger } from "../shared/logger.js";
+import { toErrorMessage } from "../shared/type-guards.js";
+function createDefaultProcessor(_config, cwd, retries) {
+    const executor = new ProcessExecutor(process.env);
+    const encryptor = new SodiumEncryptor();
+    const envResolver = new EnvResolver(process.env);
+    const strategy = new GitHubSecretsStrategy(executor, {
+        cwd,
+        retries,
+    });
+    return new SecretsProcessor(strategy, encryptor, envResolver);
+}
+export async function runSecretsSync(options, deps = {}) {
+    const logger = new Logger(!!(process.env.DEBUG || process.env.XFG_DEBUG));
+    const { config: configPath, dryRun, workDir, retries, noDelete } = options;
+    const cwd = workDir ?? "./tmp";
+    const rawConfig = loadRawConfig(configPath);
+    validateRawConfig(rawConfig);
+    validateSecretsConfig(rawConfig);
+    validateVariableSecretOverlaps(rawConfig);
+    const config = normalizeConfig(rawConfig, process.env);
+    if (!config.secrets) {
+        logger.info("No secrets configured. Nothing to do.");
+        return;
+    }
+    const { deleteOrphaned, ...secretEntries } = config.secrets;
+    const secretNames = Object.keys(secretEntries).filter((k) => typeof secretEntries[k] !== "boolean");
+    if (secretNames.length === 0 && !deleteOrphaned) {
+        logger.info("No secrets configured. Nothing to do.");
+        return;
+    }
+    const processorFactory = deps.processorFactory ?? createDefaultProcessor;
+    const processor = processorFactory(config, cwd, retries ?? 3);
+    const token = process.env.GH_TOKEN || process.env.GITHUB_TOKEN;
+    let hasErrors = false;
+    logger.setTotal(config.repos.length);
+    for (let i = 0; i < config.repos.length; i++) {
+        const repoConfig = config.repos[i];
+        const repoName = repoConfig.git;
+        try {
+            const repoInfo = parseGitUrl(repoConfig.git, {
+                githubHosts: config.githubHosts,
+            });
+            const result = await processor.process(config.secrets, repoInfo, {
+                dryRun,
+                token,
+                noDelete,
+            });
+            if (result.skipped) {
+                logger.skip(i + 1, repoName, result.message);
+            }
+            else if (result.success) {
+                logger.success(i + 1, repoName, `Secrets: ${result.message}`);
+            }
+            else {
+                logger.error(i + 1, repoName, `Secrets: ${result.message}`);
+                hasErrors = true;
+            }
+        }
+        catch (error) {
+            logger.error(i + 1, repoName, `Secrets: ${toErrorMessage(error)}`);
+            hasErrors = true;
+        }
+    }
+    if (hasErrors) {
+        throw new Error("One or more repositories failed secrets sync.");
+    }
+}

package/dist/cli/settings-factories.d.ts

@@ -0,0 +1,8 @@
+import type { ProcessExecutor } from "../shared/command-executor.js";
+import type { RulesetProcessorFactory, RepoSettingsProcessorFactory, LabelsProcessorFactory, CodeScanningProcessorFactory, VariablesProcessorFactory, SettingsProcessorFactories } from "./types.js";
+export declare function createDefaultRulesetProcessorFactory(executor: ProcessExecutor): RulesetProcessorFactory;
+export declare function createDefaultRepoSettingsProcessorFactory(executor: ProcessExecutor): RepoSettingsProcessorFactory;
+export declare function createDefaultLabelsProcessorFactory(executor: ProcessExecutor): LabelsProcessorFactory;
+export declare function createDefaultCodeScanningProcessorFactory(executor: ProcessExecutor): CodeScanningProcessorFactory;
+export declare function createDefaultVariablesProcessorFactory(executor: ProcessExecutor): VariablesProcessorFactory;
+export declare function createDefaultFactories(executor: ProcessExecutor, overrides?: Partial<SettingsProcessorFactories>): SettingsProcessorFactories;

package/dist/cli/settings-factories.js

@@ -0,0 +1,32 @@
+import { RulesetProcessor, RepoSettingsProcessor, LabelsProcessor, CodeScanningProcessor, VariablesProcessor, GitHubRulesetStrategy, GitHubRepoSettingsStrategy, GitHubLabelsStrategy, GitHubCodeScanningStrategy, GitHubVariablesStrategy, } from "../settings/index.js";
+import { GitHubRepoMetadataProvider } from "../repo/index.js";
+export function createDefaultRulesetProcessorFactory(executor) {
+    const cwd = process.cwd();
+    return () => new RulesetProcessor(new GitHubRulesetStrategy(executor, { cwd }));
+}
+export function createDefaultRepoSettingsProcessorFactory(executor) {
+    const cwd = process.cwd();
+    return () => new RepoSettingsProcessor(new GitHubRepoSettingsStrategy(executor, { cwd }), new GitHubRepoMetadataProvider(executor, { cwd }));
+}
+export function createDefaultLabelsProcessorFactory(executor) {
+    const cwd = process.cwd();
+    return () => new LabelsProcessor(new GitHubLabelsStrategy(executor, { cwd }));
+}
+export function createDefaultCodeScanningProcessorFactory(executor) {
+    const cwd = process.cwd();
+    return () => new CodeScanningProcessor(new GitHubCodeScanningStrategy(executor, { cwd }), new GitHubRepoMetadataProvider(executor, { cwd }));
+}
+export function createDefaultVariablesProcessorFactory(executor) {
+    const cwd = process.cwd();
+    return () => new VariablesProcessor(new GitHubVariablesStrategy(executor, { cwd }));
+}
+export function createDefaultFactories(executor, overrides) {
+    return {
+        rulesets: overrides?.rulesets ?? createDefaultRulesetProcessorFactory(executor),
+        labels: overrides?.labels ?? createDefaultLabelsProcessorFactory(executor),
+        repo: overrides?.repo ?? createDefaultRepoSettingsProcessorFactory(executor),
+        codeScanning: overrides?.codeScanning ??
+            createDefaultCodeScanningProcessorFactory(executor),
+        variables: overrides?.variables ?? createDefaultVariablesProcessorFactory(executor),
+    };
+}

package/dist/cli/settings-report-builder.d.ts

@@ -1,5 +1,5 @@
-import type { SettingsReport } from "../output/settings-report.js";
-import { type RepoSettingsPlanEntry, type RulesetPlanEntry, type LabelsPlanEntry, type CodeScanningPlanEntry } from "../settings/index.js";
+import type { SettingsReport } from "../output/index.js";
+import { type RepoSettingsPlanEntry, type RulesetPlanEntry, type LabelsPlanEntry, type CodeScanningPlanEntry, type VariablesPlanEntry } from "../settings/index.js";
 /**
  * Result from processing a repository's settings and rulesets.
  * Used to collect results during settings command execution.
@@ -26,6 +26,11 @@ export interface ProcessorResults {
             entries?: CodeScanningPlanEntry[];
         };
     };
+    variablesResult?: {
+        planOutput?: {
+            entries?: VariablesPlanEntry[];
+        };
+    };
     error?: string;
 }
 export declare function buildSettingsReport(results: ProcessorResults[]): SettingsReport;

package/dist/cli/settings-report-builder.js

@@ -5,6 +5,7 @@ export function buildSettingsReport(results) {
         settings: { create: 0, update: 0 },
         rulesets: { create: 0, update: 0, delete: 0 },
         labels: { create: 0, update: 0, delete: 0 },
+        variables: { create: 0, update: 0, delete: 0 },
     };
     for (const result of results) {
         const repoChanges = {
@@ -12,14 +13,12 @@ export function buildSettingsReport(results) {
             settings: [],
             rulesets: [],
             labels: [],
+            variables: [],
         };
-        // Convert settings processor output
         if (result.settingsResult?.planOutput?.entries) {
             for (const entry of result.settingsResult.planOutput.entries) {
-                // Skip settings where both values are undefined (no actual change)
-                if (entry.oldValue === undefined && entry.newValue === undefined) {
+                if (!isActiveAction(entry))
                     continue;
-                }
                 repoChanges.settings.push({
                     name: entry.property,
                     action: entry.action,
@@ -27,11 +26,24 @@ export function buildSettingsReport(results) {
                     newValue: entry.newValue,
                 });
             }
+        }
+        if (result.codeScanningResult?.planOutput?.entries) {
+            for (const entry of result.codeScanningResult.planOutput.entries) {
+                if (!isActiveAction(entry))
+                    continue;
+                repoChanges.settings.push({
+                    name: `codeScanning.${entry.property}`,
+                    action: entry.action,
+                    oldValue: entry.oldValue,
+                    newValue: entry.newValue ?? null,
+                });
+            }
+        }
+        if (repoChanges.settings.length > 0) {
             const counts = countActions(repoChanges.settings);
             totals.settings.create += counts.create;
             totals.settings.update += counts.update;
         }
-        // Convert ruleset processor output
         if (result.rulesetResult?.planOutput?.entries) {
             for (const entry of result.rulesetResult.planOutput.entries) {
                 if (!isActiveAction(entry))
@@ -48,7 +60,6 @@ export function buildSettingsReport(results) {
             totals.rulesets.update += counts.update;
             totals.rulesets.delete += counts.delete;
         }
-        // Convert labels processor output
         if (result.labelsResult?.planOutput?.entries) {
             for (const entry of result.labelsResult.planOutput.entries) {
                 if (!isActiveAction(entry))
@@ -66,24 +77,21 @@ export function buildSettingsReport(results) {
             totals.labels.update += counts.update;
             totals.labels.delete += counts.delete;
         }
-        // Convert code scanning processor output
-        if (result.codeScanningResult?.planOutput?.entries) {
-            let csCreates = 0;
-            let csUpdates = 0;
-            for (const entry of result.codeScanningResult.planOutput.entries) {
-                repoChanges.settings.push({
-                    name: `codeScanning.${entry.property}`,
+        if (result.variablesResult?.planOutput?.entries) {
+            for (const entry of result.variablesResult.planOutput.entries) {
+                if (!isActiveAction(entry))
+                    continue;
+                repoChanges.variables.push({
+                    name: entry.name,
                     action: entry.action,
                     oldValue: entry.oldValue,
-                    newValue: entry.newValue ?? null,
+                    newValue: entry.newValue,
                 });
-                if (entry.action === "create")
-                    csCreates++;
-                if (entry.action === "update")
-                    csUpdates++;
             }
-            totals.settings.create += csCreates;
-            totals.settings.update += csUpdates;
+            const counts = countActions(repoChanges.variables);
+            totals.variables.create += counts.create;
+            totals.variables.update += counts.update;
+            totals.variables.delete += counts.delete;
         }
         if (result.error) {
             repoChanges.error = result.error;

package/dist/cli/settings-runner.d.ts

@@ -0,0 +1,2 @@
+import type { ApplyRepoSettingsContext } from "./types.js";
+export declare function applyRepoSettings(ctx: ApplyRepoSettingsContext): Promise<void>;