@aspruyt/xfg 6.2.0 → 6.4.0

package/dist/cli/branch-utils.d.ts

@@ -1,6 +1,2 @@
+export { validateBranchName } from "../shared/branch-validation.js";
 export declare function sanitizeBranchName(fileName: string): string;
-/**
- * Validates a user-provided branch name against git's naming rules.
- * @throws ValidationError if the branch name is invalid
- */
-export declare function validateBranchName(branchName: string): void;

package/dist/cli/branch-utils.js

@@ -1,4 +1,4 @@
-import { ValidationError } from "../shared/errors.js";
+export { validateBranchName } from "../shared/branch-validation.js";
 export function sanitizeBranchName(fileName) {
     return fileName
         .toLowerCase()
@@ -7,24 +7,3 @@ export function sanitizeBranchName(fileName) {
         .replace(/-+/g, "-") // Collapse multiple dashes
         .replace(/^-|-$/g, ""); // Remove leading/trailing dashes
 }
-/**
- * Validates a user-provided branch name against git's naming rules.
- * @throws ValidationError if the branch name is invalid
- */
-export function validateBranchName(branchName) {
-    if (!branchName || branchName.trim() === "") {
-        throw new ValidationError("Branch name cannot be empty");
-    }
-    if (branchName.startsWith(".") || branchName.startsWith("-")) {
-        throw new ValidationError('Branch name cannot start with "." or "-"');
-    }
-    // Git disallows: space, ~, ^, :, ?, *, [, \, and consecutive dots (..)
-    if (/[\s~^:?*[\\]/.test(branchName) || branchName.includes("..")) {
-        throw new ValidationError("Branch name contains invalid characters");
-    }
-    if (branchName.endsWith("/") ||
-        branchName.endsWith(".lock") ||
-        branchName.endsWith(".")) {
-        throw new ValidationError("Branch name has invalid ending");
-    }
-}

package/dist/cli/program.js

@@ -1,9 +1,10 @@
-import { program, Command } from "commander";
+import { program, Command, InvalidArgumentError } from "commander";
 import { dirname, join } from "node:path";
 import { readFileSync } from "node:fs";
 import { fileURLToPath } from "node:url";
 import { ValidationError } from "../shared/errors.js";
 import { runSync } from "./sync-command.js";
+import { runSecretsSync } from "./secrets-command.js";
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 function getVersion() {
@@ -26,7 +27,12 @@ function addSharedOptions(cmd) {
         .requiredOption("-c, --config <path>", "Path to YAML config file")
         .option("-d, --dry-run", "Show what would be done without making changes")
         .option("-w, --work-dir <path>", "Temporary directory for cloning", "./tmp")
-        .option("-r, --retries <number>", "Number of retries for network operations (0 to disable)", (v) => parseInt(v, 10), 3)
+        .option("-r, --retries <number>", "Number of retries for network operations (0 to disable)", (v) => {
+        const n = parseInt(v, 10);
+        if (isNaN(n) || n < 0)
+            throw new InvalidArgumentError("Must be a non-negative number.");
+        return n;
+    }, 3)
         .option("--no-delete", "Skip deletion of orphaned resources even if deleteOrphaned is configured");
 }
 // =============================================================================
@@ -61,7 +67,11 @@ const syncCommand = new Command("sync")
     .option("--delete-branch", "Delete source branch after merge")
     .action(async (opts) => {
     try {
-        await runSync(opts);
+        const options = {
+            ...opts,
+            noDelete: opts.delete === false,
+        };
+        await runSync(options);
     }
     catch (error) {
         console.error("Fatal error:", error);
@@ -70,4 +80,32 @@ const syncCommand = new Command("sync")
 });
 addSharedOptions(syncCommand);
 program.addCommand(syncCommand);
+const secretsCommand = new Command("secrets").description("Manage repository secrets");
+const secretsSyncCommand = new Command("sync")
+    .description("Sync secrets to target repositories")
+    .requiredOption("-c, --config <path>", "Path to xfg config file")
+    .option("-d, --dry-run", "Show what would be done without making changes")
+    .option("--no-delete", "Skip deletion of orphaned secrets")
+    .option("-w, --work-dir <path>", "Temporary directory for cloning", "./tmp")
+    .option("-r, --retries <number>", "Number of retries for network operations (0 to disable)", (value) => {
+    const n = parseInt(value, 10);
+    if (isNaN(n) || n < 0)
+        throw new InvalidArgumentError("Must be a non-negative number.");
+    return n;
+}, 3)
+    .action(async (opts) => {
+    try {
+        const options = {
+            ...opts,
+            noDelete: opts.delete === false,
+        };
+        await runSecretsSync(options);
+    }
+    catch (error) {
+        console.error("Fatal error:", error);
+        return process.exit(1);
+    }
+});
+secretsCommand.addCommand(secretsSyncCommand);
+program.addCommand(secretsCommand);
 export { program, getVersion };

package/dist/cli/repo-sync-runner.js

@@ -56,8 +56,9 @@ async function runFileSyncPhase(repo, ctx) {
     const repoNumber = repo.index + 1;
     try {
         ctx.logger.progress(repoNumber, repo.repoName, "Processing...");
+        const branchName = repo.repoConfig.prOptions?.branch ?? ctx.branchName;
         const result = await ctx.processor.process(repo.repoConfig, repo.repoInfo, {
-            branchName: ctx.branchName,
+            branchName,
             workDir: repo.workDir,
             configId: ctx.config.id,
             dryRun: ctx.options.dryRun,
@@ -95,12 +96,16 @@ async function runFileSyncPhase(repo, ctx) {
 export async function runSingleRepo(repoConfig, index, ctx) {
     const { config, options, logger } = ctx;
     const repoNumber = index + 1;
-    const effectivePrOptions = options.merge || options.mergeStrategy || options.deleteBranch
+    const effectivePrOptions = options.merge ||
+        options.mergeStrategy ||
+        options.deleteBranch ||
+        options.branch
         ? {
             ...repoConfig.prOptions,
             merge: options.merge ?? repoConfig.prOptions?.merge,
             mergeStrategy: options.mergeStrategy ?? repoConfig.prOptions?.mergeStrategy,
             deleteBranch: options.deleteBranch ?? repoConfig.prOptions?.deleteBranch,
+            branch: options.branch ?? repoConfig.prOptions?.branch,
         }
         : repoConfig.prOptions;
     const effectiveRepoConfig = { ...repoConfig, prOptions: effectivePrOptions };

package/dist/cli/secrets-command.d.ts

@@ -0,0 +1,25 @@
+import type { SecretsProcessorResult } from "../secrets/processor.js";
+import type { SecretConfig, Config } from "../config/index.js";
+import type { RepoInfo } from "../repo/index.js";
+type SecretsConfig = Record<string, SecretConfig | boolean> & {
+    deleteOrphaned?: boolean;
+};
+export interface ISecretsProcessorAdapter {
+    process(secretsConfig: SecretsConfig, repoInfo: RepoInfo, options: {
+        dryRun?: boolean;
+        token?: string;
+        noDelete?: boolean;
+    }): Promise<SecretsProcessorResult>;
+}
+export interface SecretsSyncDependencies {
+    processorFactory?: (config: Config, cwd: string, retries: number) => ISecretsProcessorAdapter;
+}
+export interface SecretsSyncOptions {
+    config: string;
+    dryRun?: boolean;
+    noDelete?: boolean;
+    workDir?: string;
+    retries?: number;
+}
+export declare function runSecretsSync(options: SecretsSyncOptions, deps?: SecretsSyncDependencies): Promise<void>;
+export {};

package/dist/cli/secrets-command.js

@@ -0,0 +1,75 @@
+import { loadRawConfig } from "../config/index.js";
+import { normalizeConfig } from "../config/normalizer.js";
+import { validateRawConfig, validateSecretsConfig, validateVariableSecretOverlaps, } from "../config/validator.js";
+import { SecretsProcessor, GitHubSecretsStrategy, SodiumEncryptor, } from "../secrets/index.js";
+import { EnvResolver } from "../shared/env-resolver.js";
+import { ProcessExecutor } from "../shared/command-executor.js";
+import { parseGitUrl } from "../repo/index.js";
+import { Logger } from "../shared/logger.js";
+import { toErrorMessage } from "../shared/type-guards.js";
+function createDefaultProcessor(_config, cwd, retries) {
+    const executor = new ProcessExecutor(process.env);
+    const encryptor = new SodiumEncryptor();
+    const envResolver = new EnvResolver(process.env);
+    const strategy = new GitHubSecretsStrategy(executor, {
+        cwd,
+        retries,
+    });
+    return new SecretsProcessor(strategy, encryptor, envResolver);
+}
+export async function runSecretsSync(options, deps = {}) {
+    const logger = new Logger(!!(process.env.DEBUG || process.env.XFG_DEBUG));
+    const { config: configPath, dryRun, workDir, retries, noDelete } = options;
+    const cwd = workDir ?? "./tmp";
+    const rawConfig = loadRawConfig(configPath);
+    validateRawConfig(rawConfig);
+    validateSecretsConfig(rawConfig);
+    validateVariableSecretOverlaps(rawConfig);
+    const config = normalizeConfig(rawConfig, process.env);
+    if (!config.secrets) {
+        logger.info("No secrets configured. Nothing to do.");
+        return;
+    }
+    const { deleteOrphaned, ...secretEntries } = config.secrets;
+    const secretNames = Object.keys(secretEntries).filter((k) => typeof secretEntries[k] !== "boolean");
+    if (secretNames.length === 0 && !deleteOrphaned) {
+        logger.info("No secrets configured. Nothing to do.");
+        return;
+    }
+    const processorFactory = deps.processorFactory ?? createDefaultProcessor;
+    const processor = processorFactory(config, cwd, retries ?? 3);
+    const token = process.env.GH_TOKEN || process.env.GITHUB_TOKEN;
+    let hasErrors = false;
+    logger.setTotal(config.repos.length);
+    for (let i = 0; i < config.repos.length; i++) {
+        const repoConfig = config.repos[i];
+        const repoName = repoConfig.git;
+        try {
+            const repoInfo = parseGitUrl(repoConfig.git, {
+                githubHosts: config.githubHosts,
+            });
+            const result = await processor.process(config.secrets, repoInfo, {
+                dryRun,
+                token,
+                noDelete,
+            });
+            if (result.skipped) {
+                logger.skip(i + 1, repoName, result.message);
+            }
+            else if (result.success) {
+                logger.success(i + 1, repoName, `Secrets: ${result.message}`);
+            }
+            else {
+                logger.error(i + 1, repoName, `Secrets: ${result.message}`);
+                hasErrors = true;
+            }
+        }
+        catch (error) {
+            logger.error(i + 1, repoName, `Secrets: ${toErrorMessage(error)}`);
+            hasErrors = true;
+        }
+    }
+    if (hasErrors) {
+        throw new Error("One or more repositories failed secrets sync.");
+    }
+}

package/dist/cli/settings-factories.d.ts

@@ -1,7 +1,8 @@
 import type { ProcessExecutor } from "../shared/command-executor.js";
-import type { RulesetProcessorFactory, RepoSettingsProcessorFactory, LabelsProcessorFactory, CodeScanningProcessorFactory, SettingsProcessorFactories } from "./types.js";
+import type { RulesetProcessorFactory, RepoSettingsProcessorFactory, LabelsProcessorFactory, CodeScanningProcessorFactory, VariablesProcessorFactory, SettingsProcessorFactories } from "./types.js";
 export declare function createDefaultRulesetProcessorFactory(executor: ProcessExecutor): RulesetProcessorFactory;
 export declare function createDefaultRepoSettingsProcessorFactory(executor: ProcessExecutor): RepoSettingsProcessorFactory;
 export declare function createDefaultLabelsProcessorFactory(executor: ProcessExecutor): LabelsProcessorFactory;
 export declare function createDefaultCodeScanningProcessorFactory(executor: ProcessExecutor): CodeScanningProcessorFactory;
+export declare function createDefaultVariablesProcessorFactory(executor: ProcessExecutor): VariablesProcessorFactory;
 export declare function createDefaultFactories(executor: ProcessExecutor, overrides?: Partial<SettingsProcessorFactories>): SettingsProcessorFactories;

package/dist/cli/settings-factories.js

@@ -1,4 +1,4 @@
-import { RulesetProcessor, RepoSettingsProcessor, LabelsProcessor, CodeScanningProcessor, GitHubRulesetStrategy, GitHubRepoSettingsStrategy, GitHubLabelsStrategy, GitHubCodeScanningStrategy, } from "../settings/index.js";
+import { RulesetProcessor, RepoSettingsProcessor, LabelsProcessor, CodeScanningProcessor, VariablesProcessor, GitHubRulesetStrategy, GitHubRepoSettingsStrategy, GitHubLabelsStrategy, GitHubCodeScanningStrategy, GitHubVariablesStrategy, } from "../settings/index.js";
 import { GitHubRepoMetadataProvider } from "../repo/index.js";
 export function createDefaultRulesetProcessorFactory(executor) {
     const cwd = process.cwd();
@@ -16,6 +16,10 @@ export function createDefaultCodeScanningProcessorFactory(executor) {
     const cwd = process.cwd();
     return () => new CodeScanningProcessor(new GitHubCodeScanningStrategy(executor, { cwd }), new GitHubRepoMetadataProvider(executor, { cwd }));
 }
+export function createDefaultVariablesProcessorFactory(executor) {
+    const cwd = process.cwd();
+    return () => new VariablesProcessor(new GitHubVariablesStrategy(executor, { cwd }));
+}
 export function createDefaultFactories(executor, overrides) {
     return {
         rulesets: overrides?.rulesets ?? createDefaultRulesetProcessorFactory(executor),
@@ -23,5 +27,6 @@ export function createDefaultFactories(executor, overrides) {
         repo: overrides?.repo ?? createDefaultRepoSettingsProcessorFactory(executor),
         codeScanning: overrides?.codeScanning ??
             createDefaultCodeScanningProcessorFactory(executor),
+        variables: overrides?.variables ?? createDefaultVariablesProcessorFactory(executor),
     };
 }

package/dist/cli/settings-report-builder.d.ts

@@ -1,5 +1,5 @@
 import type { SettingsReport } from "../output/index.js";
-import { type RepoSettingsPlanEntry, type RulesetPlanEntry, type LabelsPlanEntry, type CodeScanningPlanEntry } from "../settings/index.js";
+import { type RepoSettingsPlanEntry, type RulesetPlanEntry, type LabelsPlanEntry, type CodeScanningPlanEntry, type VariablesPlanEntry } from "../settings/index.js";
 /**
  * Result from processing a repository's settings and rulesets.
  * Used to collect results during settings command execution.
@@ -26,6 +26,11 @@ export interface ProcessorResults {
             entries?: CodeScanningPlanEntry[];
         };
     };
+    variablesResult?: {
+        planOutput?: {
+            entries?: VariablesPlanEntry[];
+        };
+    };
     error?: string;
 }
 export declare function buildSettingsReport(results: ProcessorResults[]): SettingsReport;

package/dist/cli/settings-report-builder.js

@@ -5,6 +5,7 @@ export function buildSettingsReport(results) {
         settings: { create: 0, update: 0 },
         rulesets: { create: 0, update: 0, delete: 0 },
         labels: { create: 0, update: 0, delete: 0 },
+        variables: { create: 0, update: 0, delete: 0 },
     };
     for (const result of results) {
         const repoChanges = {
@@ -12,12 +13,12 @@ export function buildSettingsReport(results) {
             settings: [],
             rulesets: [],
             labels: [],
+            variables: [],
         };
         if (result.settingsResult?.planOutput?.entries) {
             for (const entry of result.settingsResult.planOutput.entries) {
-                if (entry.oldValue === undefined && entry.newValue === undefined) {
+                if (!isActiveAction(entry))
                     continue;
-                }
                 repoChanges.settings.push({
                     name: entry.property,
                     action: entry.action,
@@ -28,6 +29,8 @@ export function buildSettingsReport(results) {
         }
         if (result.codeScanningResult?.planOutput?.entries) {
             for (const entry of result.codeScanningResult.planOutput.entries) {
+                if (!isActiveAction(entry))
+                    continue;
                 repoChanges.settings.push({
                     name: `codeScanning.${entry.property}`,
                     action: entry.action,
@@ -74,6 +77,22 @@ export function buildSettingsReport(results) {
             totals.labels.update += counts.update;
             totals.labels.delete += counts.delete;
         }
+        if (result.variablesResult?.planOutput?.entries) {
+            for (const entry of result.variablesResult.planOutput.entries) {
+                if (!isActiveAction(entry))
+                    continue;
+                repoChanges.variables.push({
+                    name: entry.name,
+                    action: entry.action,
+                    oldValue: entry.oldValue,
+                    newValue: entry.newValue,
+                });
+            }
+            const counts = countActions(repoChanges.variables);
+            totals.variables.create += counts.create;
+            totals.variables.update += counts.update;
+            totals.variables.delete += counts.delete;
+        }
         if (result.error) {
             repoChanges.error = result.error;
         }

package/dist/cli/settings-runner.js

@@ -65,6 +65,13 @@ function buildSettingsDescriptors(ctx) {
                 e.codeScanningResult = r;
             }),
         },
+        {
+            key: "variables",
+            label: "Variables",
+            run: () => runAndStoreResult(factories.variables, repoConfig, repoInfo, sharedOpts, repoName, settingsCollector, (e, r) => {
+                e.variablesResult = r;
+            }),
+        },
     ];
 }
 export async function applyRepoSettings(ctx) {

package/dist/cli/types.d.ts

@@ -1,7 +1,7 @@
 import type { MergeMode, MergeStrategy, RepoConfig } from "../config/index.js";
 import type { IRepoLifecycleManager } from "../lifecycle/index.js";
 import type { IRepositoryProcessor, FileChangeDetail } from "../sync/index.js";
-import type { ISettingsProcessor, IRulesetProcessor, IRepoSettingsProcessor, ILabelsProcessor, ICodeScanningProcessor, BaseProcessorResult } from "../settings/index.js";
+import type { ISettingsProcessor, IRulesetProcessor, IRepoSettingsProcessor, ILabelsProcessor, ICodeScanningProcessor, IVariablesProcessor, BaseProcessorResult } from "../settings/index.js";
 import type { RepoInfo } from "../repo/index.js";
 import type { ResultsCollector } from "./results-collector.js";
 import type { Logger } from "../shared/logger.js";
@@ -11,12 +11,14 @@ export type RulesetProcessorFactory = SettingsProcessorFactory<IRulesetProcessor
 export type RepoSettingsProcessorFactory = SettingsProcessorFactory<IRepoSettingsProcessor>;
 export type LabelsProcessorFactory = SettingsProcessorFactory<ILabelsProcessor>;
 export type CodeScanningProcessorFactory = SettingsProcessorFactory<ICodeScanningProcessor>;
-export type SettingsKind = "rulesets" | "labels" | "repo" | "codeScanning";
+export type VariablesProcessorFactory = SettingsProcessorFactory<IVariablesProcessor>;
+export type SettingsKind = "rulesets" | "labels" | "repo" | "codeScanning" | "variables";
 export interface SettingsProcessorFactories {
     rulesets: RulesetProcessorFactory;
     labels: LabelsProcessorFactory;
     repo: RepoSettingsProcessorFactory;
     codeScanning: CodeScanningProcessorFactory;
+    variables: VariablesProcessorFactory;
 }
 /**
  * Dependencies for the sync command (dependency injection).

package/dist/config/index.d.ts

@@ -1,5 +1,5 @@
-export type { PRMergeOptions, MergeMode, MergeStrategy, BypassActor, StatusCheckConfig, CodeScanningTool, PullRequestRuleParameters, RulesetRule, Ruleset, GitHubRepoSettings, RepoVisibility, SquashMergeCommitTitle, SquashMergeCommitMessage, MergeCommitTitle, MergeCommitMessage, Label, CodeScanningSettings, CodeScanningState, CodeScanningQuerySuite, CodeScanningLanguage, RepoSettings, RawFileConfig, RawRepoFileOverride, RawGroupConfig, RawRepoSettings, RawRepoConfig, RawConfig, RawConditionalGroupWhen, RawConditionalGroupConfig, RepoConfig, Config, FileContent, ContentValue, } from "./types.js";
+export type { PRMergeOptions, MergeMode, MergeStrategy, BypassActor, StatusCheckConfig, CodeScanningTool, PullRequestRuleParameters, RulesetRule, Ruleset, GitHubRepoSettings, RepoVisibility, SquashMergeCommitTitle, SquashMergeCommitMessage, MergeCommitTitle, MergeCommitMessage, Label, CodeScanningSettings, CodeScanningState, CodeScanningQuerySuite, CodeScanningLanguage, RepoSettings, RawFileConfig, RawRepoFileOverride, RawGroupConfig, SecretConfig, RawRootSettings, RawRepoSettings, RawRepoConfig, RawConfig, RawConditionalGroupWhen, RawConditionalGroupConfig, RepoConfig, Config, FileContent, ContentValue, } from "./types.js";
 export { RULESET_COMPARABLE_FIELDS } from "./types.js";
 export { loadRawConfig, loadConfig, normalizeConfig } from "./loader.js";
 export { convertContentToString } from "./formatter.js";
-export { validateForSync } from "./validator.js";
+export { validateForSync, validateSecretsConfig } from "./validator.js";

package/dist/config/index.js

@@ -5,4 +5,4 @@ export { loadRawConfig, loadConfig, normalizeConfig } from "./loader.js";
 // Config formatting
 export { convertContentToString } from "./formatter.js";
 // Config validation
-export { validateForSync } from "./validator.js";
+export { validateForSync, validateSecretsConfig } from "./validator.js";

package/dist/config/loader.js

@@ -1,5 +1,5 @@
 import { readFileSync, statSync, readdirSync } from "node:fs";
-import { dirname, join, extname } from "node:path";
+import { dirname, join, extname, relative } from "node:path";
 import { parse } from "yaml";
 import { validateRawConfig } from "./validator.js";
 import { normalizeConfig as normalizeConfigInternal } from "./normalizer.js";
@@ -51,49 +51,78 @@ function loadRawConfigFromFile(filePath) {
     validateRawConfig(rawConfig);
     return rawConfig;
 }
-function loadRawConfigFromDirectory(dirPath) {
+const MAX_CONFIG_DEPTH = 10;
+function collectYamlFiles(rootDir, currentDir, depth) {
+    if (depth > MAX_CONFIG_DEPTH) {
+        /* c8 ignore next -- rootDir === currentDir impossible at depth > MAX_CONFIG_DEPTH */
+        const rel = relative(rootDir, currentDir) || ".";
+        throw new ValidationError(`Config directory nesting exceeds maximum depth of ${MAX_CONFIG_DEPTH} at ${rel}`);
+    }
     let entries;
     try {
-        entries = readdirSync(dirPath, { withFileTypes: true });
+        entries = readdirSync(currentDir, { withFileTypes: true });
     }
     catch (error) {
-        throw new ValidationError(`Failed to read config directory ${dirPath}: ${toErrorMessage(error)}`, { cause: error });
+        const displayPath = relative(rootDir, currentDir) || currentDir;
+        throw new ValidationError(`Failed to read config directory ${displayPath}: ${toErrorMessage(error)}`, { cause: error });
     }
-    const yamlFiles = entries
-        .filter((entry) => entry.isFile() &&
-        [".yaml", ".yml"].includes(extname(entry.name).toLowerCase()))
-        .map((entry) => entry.name)
-        .sort();
+    const files = [];
+    const subdirs = [];
+    for (const entry of entries) {
+        if (entry.name.startsWith(".")) {
+            continue;
+        }
+        const ext = extname(entry.name).toLowerCase();
+        const isYaml = ext === ".yaml" || ext === ".yml";
+        if ((entry.isFile() || entry.isSymbolicLink()) && isYaml) {
+            files.push({
+                relativePath: relative(rootDir, join(currentDir, entry.name)),
+                absolutePath: join(currentDir, entry.name),
+            });
+        }
+        else if (entry.isDirectory()) {
+            subdirs.push(entry.name);
+        }
+    }
+    files.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
+    subdirs.sort((a, b) => a.localeCompare(b));
+    const result = [...files];
+    for (const subdir of subdirs) {
+        result.push(...collectYamlFiles(rootDir, join(currentDir, subdir), depth + 1));
+    }
+    return result;
+}
+function loadRawConfigFromDirectory(dirPath) {
+    const yamlFiles = collectYamlFiles(dirPath, dirPath, 0);
     if (yamlFiles.length === 0) {
         throw new ValidationError(`No .yaml or .yml files found in directory: ${dirPath}`);
     }
-    const fragments = yamlFiles.map((fileName) => {
-        const filePath = join(dirPath, fileName);
+    const fragments = yamlFiles.map(({ relativePath, absolutePath }) => {
         let content;
         try {
-            content = readFileSync(filePath, "utf-8");
+            content = readFileSync(absolutePath, "utf-8");
         }
         catch (error) {
-            throw new ValidationError(`Failed to read config file ${filePath}: ${toErrorMessage(error)}`, { cause: error });
+            throw new ValidationError(`Failed to read config file ${relativePath}: ${toErrorMessage(error)}`, { cause: error });
         }
-        const configDir = dirname(filePath);
+        const configDir = dirname(absolutePath);
         let config;
         try {
             config = parse(content);
         }
         catch (error) {
             const message = toErrorMessage(error);
-            throw new ValidationError(`Failed to parse YAML config at ${filePath}: ${message}`, { cause: error });
+            throw new ValidationError(`Failed to parse YAML config at ${relativePath}: ${message}`, { cause: error });
         }
         if (!config || typeof config !== "object") {
-            throw new ValidationError(`Config file ${fileName} is empty or invalid — expected a YAML mapping`);
+            throw new ValidationError(`Config file ${relativePath} is empty or invalid — expected a YAML mapping`);
         }
         // Safe cast: resolveFileReferencesInConfig only accesses optional fields
         // (files, groups, etc.), so fragments missing id/repos work correctly.
         config = resolveFileReferencesInConfig(config, {
             configDir,
         });
-        return { fileName, config };
+        return { fileName: relativePath, config };
     });
     const merged = mergeConfigFragments(fragments);
     validateRawConfig(merged);

package/dist/config/normalizer.js

@@ -127,6 +127,23 @@ function mergeLabels(rootLabels, repoLabels) {
     }
     return Object.keys(result).length > 0 ? result : undefined;
 }
+// GitHub treats variable names case-insensitively; overlay keys win over base keys with same name but different casing.
+function mergeVariablesCaseInsensitive(base, overlay) {
+    const overlayUpper = new Map();
+    for (const key of Object.keys(overlay)) {
+        overlayUpper.set(key.toUpperCase(), key);
+    }
+    const result = {};
+    for (const [key, value] of Object.entries(base)) {
+        if (!overlayUpper.has(key.toUpperCase())) {
+            result[key] = value;
+        }
+    }
+    for (const [key, value] of Object.entries(overlay)) {
+        result[key] = value;
+    }
+    return result;
+}
 /**
  * Merges settings: per-repo settings deep merge with root settings.
  * Returns undefined if no settings are defined.
@@ -165,7 +182,9 @@ export function mergeSettings(root, perRepo) {
         }
     }
     // deleteOrphaned: per-repo overrides root
-    const deleteOrphaned = perRepo?.deleteOrphaned ?? root?.deleteOrphaned;
+    const deleteOrphaned = perRepo?.deleteOrphaned !== undefined
+        ? perRepo.deleteOrphaned
+        : root?.deleteOrphaned;
     if (deleteOrphaned !== undefined) {
         result.deleteOrphaned = deleteOrphaned;
     }
@@ -209,6 +228,37 @@ export function mergeSettings(root, perRepo) {
             }
         }
     }
+    // Variables merging — deleteOrphaned is a peer key (like secrets' deleteOrphaned)
+    if (root?.variables || perRepo?.variables) {
+        const rootVars = root?.variables ?? {};
+        const repoVars = perRepo?.variables ?? {};
+        const rootDeleteOrphaned = rootVars
+            .deleteOrphaned;
+        const repoDeleteOrphaned = repoVars
+            .deleteOrphaned;
+        const effectiveDeleteOrphaned = repoDeleteOrphaned !== undefined
+            ? repoDeleteOrphaned
+            : rootDeleteOrphaned;
+        const inherit = repoVars.inherit;
+        if (inherit === false) {
+            const { inherit: _, deleteOrphaned: _d, ...rest } = repoVars;
+            result.variables = Object.fromEntries(Object.entries(rest).filter(([, v]) => v !== false));
+        }
+        else {
+            const combined = mergeVariablesCaseInsensitive(rootVars, repoVars);
+            const { inherit: _, deleteOrphaned: _d, ...rest } = combined;
+            result.variables = Object.fromEntries(Object.entries(rest).filter(([, v]) => v !== false));
+        }
+        if (effectiveDeleteOrphaned !== undefined) {
+            result.variables.deleteOrphaned =
+                effectiveDeleteOrphaned;
+        }
+        // Only delete if no variable entries remain (deleteOrphaned alone is not actionable)
+        const { deleteOrphaned: _check, ...varEntries } = result.variables;
+        if (Object.keys(varEntries).length === 0 && !effectiveDeleteOrphaned) {
+            delete result.variables;
+        }
+    }
     return Object.keys(result).length > 0 ? result : undefined;
 }
 /**
@@ -348,6 +398,40 @@ function mergeRawSettings(base, overlay) {
             result.codeScanning = structuredClone(overlay.codeScanning);
         }
     }
+    // Variables: simple string values with false opt-outs (mergeNamedEntries won't work for strings)
+    if (overlay.variables) {
+        const overlayVars = overlay.variables;
+        const inherit = overlayVars.inherit !== false;
+        const baseVars = inherit
+            ? { ...(result.variables ?? {}) }
+            : {};
+        // Build overlay entries (excluding meta keys)
+        const overlayEntries = {};
+        for (const [name, entry] of Object.entries(overlay.variables)) {
+            if (name === "inherit" || name === "deleteOrphaned")
+                continue;
+            overlayEntries[name] = entry;
+        }
+        // Case-insensitive merge: overlay keys replace base keys with same name
+        const merged = mergeVariablesCaseInsensitive(baseVars, overlayEntries);
+        // Apply false opt-outs
+        const cleaned = {};
+        for (const [name, value] of Object.entries(merged)) {
+            if (name === "inherit" || name === "deleteOrphaned")
+                continue;
+            if (value !== false) {
+                cleaned[name] = value;
+            }
+        }
+        const baseDelete = baseVars.deleteOrphaned;
+        const effectiveDelete = overlayVars.deleteOrphaned !== undefined
+            ? overlayVars.deleteOrphaned
+            : baseDelete;
+        if (effectiveDelete !== undefined) {
+            cleaned.deleteOrphaned = effectiveDelete;
+        }
+        result.variables = cleaned;
+    }
     // deleteOrphaned: overlay wins
     if (overlay.deleteOrphaned !== undefined) {
         result.deleteOrphaned = overlay.deleteOrphaned;
@@ -537,5 +621,6 @@ export function normalizeConfig(raw, env) {
         githubHosts: raw.githubHosts,
         deleteOrphaned: raw.deleteOrphaned,
         settings: normalizedRootSettings,
+        secrets: raw.secrets,
     };
 }