@lilpacy/setup-github-rules 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,160 @@
+# @lilpacy/setup-github-rules
+
+`npx` で実行できる、GitHub repository ruleset の one-shot setup CLI です。
+
+Terraform は使いません。`terraform.tfstate` も生成しません。内部では GitHub CLI の `gh api` を使って、対象 repository に対して直接 GitHub API を実行します。
+
+## できること
+
+- 現在の git remote から `OWNER/REPO` を自動検出
+- 対話的に default branch を選択
+  - `main`
+  - `develop`
+  - 任意の branch
+- branch が存在しなければ、現在の GitHub default branch から作成
+- repository の `default_branch` を選択した branch に変更
+- 選択した branch に対して PR 必須 ruleset を作成または更新
+- branch deletion を禁止
+- non-fast-forward / force push 系を禁止
+- 既存の同名 ruleset がある場合は更新するので、再実行しやすい
+
+## 前提
+
+- Node.js 18+
+- git
+- GitHub CLI `gh`
+- `gh auth login` 済み
+- 対象 repository に対する admin 権限
+
+確認:
+
+```bash
+gh auth status
+```
+
+## 使い方
+
+### 対話式で実行
+
+対象 repository の中で実行します。
+
+```bash
+npx @lilpacy/setup-github-rules
+```
+
+実行すると、default branch を選べます。
+
+```txt
+Choose the repository default branch:
+  1) main
+  2) develop
+  3) other
+Select [1/2/3]:
+```
+
+### repository を明示する
+
+```bash
+npx @lilpacy/setup-github-rules --repo lilpacy/repo-a
+```
+
+### branch を非対話で指定する
+
+```bash
+npx @lilpacy/setup-github-rules --repo lilpacy/repo-a --branch develop --yes
+```
+
+### required approvals を指定する
+
+```bash
+npx @lilpacy/setup-github-rules \
+  --repo lilpacy/repo-a \
+  --branch develop \
+  --required-approvals 1 \
+  --yes
+```
+
+### dry-run
+
+```bash
+npx @lilpacy/setup-github-rules --repo lilpacy/repo-a --dry-run
+```
+
+## オプション
+
+| Option | Description | Default |
+|---|---|---|
+| `--repo OWNER/REPO` | 対象 repository | current git remote から検出 |
+| `--branch BRANCH` | default branch / protected branch | 対話式で選択 |
+| `--required-approvals N` | 必須 approval 数 | `1` |
+| `--ruleset-name NAME` | ruleset 名 | `Require PR to <branch>` |
+| `--yes`, `-y` | 最終確認をスキップ | `false` |
+| `--dry-run` | 変更せず plan だけ表示 | `false` |
+| `--help`, `-h` | help 表示 | - |
+
+## 実行例
+
+```txt
+Plan:
+  Repository:           lilpacy/repo-a
+  Current default:      main
+  New default:          develop
+  Protected branch:     develop
+  Required approvals:   1
+  Ruleset name:         Require PR to develop
+
+Apply these changes? [y/N]: y
+Creating branch 'develop' from 'main'...
+Setting default branch to 'develop'...
+Creating ruleset 'Require PR to develop'...
+
+Done.
+Default branch 'develop' now requires Pull Requests before changes can be merged.
+```
+
+## ローカル確認
+
+publish 前にローカルで試す場合:
+
+```bash
+cd setup-github-rules-cli
+npm link
+setup-github-rules --help
+```
+
+または package directory を直接指定して実行できます。
+
+```bash
+npx /path/to/setup-github-rules-cli --help
+```
+
+## npm に公開する
+
+この repository は scoped package `@lilpacy/setup-github-rules` として公開する前提です。
+`package.json` には `publishConfig.access=public` を入れているので、初回 publish でも `--access public` を毎回付ける必要はありません。
+
+```bash
+npm login
+npm run prepublishOnly
+npm publish
+```
+
+公開確認:
+
+```bash
+npm view @lilpacy/setup-github-rules version
+npx @lilpacy/setup-github-rules --help
+```
+
+## 注意点
+
+この CLI は Terraform ではありません。state や desired state 管理はありません。
+
+その代わり、以下の用途に向いています。
+
+- 新規 repository 作成直後に ruleset をすぐ反映したい
+- `gh` 認証をそのまま使いたい
+- repository 内に IaC ファイルや state を残したくない
+- 小〜中規模で、ワンコマンド setup を優先したい
+
+厳密な drift detection、PR review 付きの設定変更、org 全体の一元管理が必要な場合は Terraform / OpenTofu 方式のほうが向いています。

package/bin/setup-github-rules.js

@@ -0,0 +1,324 @@
+#!/usr/bin/env node
+
+import { spawnSync } from "node:child_process";
+import { mkdtempSync, writeFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import path from "node:path";
+import readline from "node:readline/promises";
+import { stdin as input, stdout as output } from "node:process";
+
+const API_VERSION = "2022-11-28";
+const DEFAULT_RULESET_NAME_PREFIX = "Require PR to";
+
+function parseArgs(argv) {
+  const args = {
+    repo: null,
+    branch: null,
+    approvals: null,
+    yes: false,
+    dryRun: false,
+    help: false,
+    rulesetName: null
+  };
+
+  for (let i = 0; i < argv.length; i += 1) {
+    const arg = argv[i];
+    if (arg === "--repo") args.repo = argv[++i];
+    else if (arg === "--branch") args.branch = argv[++i];
+    else if (arg === "--required-approvals") args.approvals = Number(argv[++i]);
+    else if (arg === "--ruleset-name") args.rulesetName = argv[++i];
+    else if (arg === "--yes" || arg === "-y") args.yes = true;
+    else if (arg === "--dry-run") args.dryRun = true;
+    else if (arg === "--help" || arg === "-h") args.help = true;
+    else throw new Error(`Unknown option: ${arg}`);
+  }
+
+  if (args.approvals !== null && (!Number.isInteger(args.approvals) || args.approvals < 0 || args.approvals > 6)) {
+    throw new Error("--required-approvals must be an integer between 0 and 6.");
+  }
+
+  return args;
+}
+
+function printHelp() {
+  console.log(`setup-github-rules
+
+One-shot GitHub repository setup using the GitHub CLI.
+
+Usage:
+  npx @lilpacy/setup-github-rules
+  npx @lilpacy/setup-github-rules --repo OWNER/REPO
+  npx @lilpacy/setup-github-rules --repo OWNER/REPO --branch develop --yes
+
+Options:
+  --repo OWNER/REPO              Target repository. Defaults to current git remote.
+  --branch BRANCH                Default branch to set and protect. Skips branch prompt.
+  --required-approvals N         Required approving reviews. Default: 1.
+  --ruleset-name NAME            Ruleset name. Default: "Require PR to <branch>".
+  --yes, -y                      Skip final confirmation.
+  --dry-run                      Print planned operations without changing GitHub.
+  --help, -h                     Show this help.
+
+What it does:
+  1. Detects or accepts OWNER/REPO.
+  2. Lets you choose main, develop, or another default branch.
+  3. Creates the branch from the current GitHub default branch if missing.
+  4. Updates the repository default_branch.
+  5. Creates or updates a branch ruleset that requires Pull Requests.
+`);
+}
+
+function run(command, args, options = {}) {
+  const result = spawnSync(command, args, {
+    encoding: "utf8",
+    stdio: options.stdio ?? ["ignore", "pipe", "pipe"],
+    input: options.input,
+    cwd: options.cwd ?? process.cwd()
+  });
+
+  if (result.error) {
+    throw new Error(`Failed to run ${command}: ${result.error.message}`);
+  }
+
+  if (result.status !== 0) {
+    const stderr = result.stderr?.trim();
+    const stdout = result.stdout?.trim();
+    throw new Error([`Command failed: ${command} ${args.join(" ")}`, stderr, stdout].filter(Boolean).join("\n"));
+  }
+
+  return result.stdout?.trim() ?? "";
+}
+
+function commandExists(command) {
+  const result = spawnSync(command, ["--version"], { encoding: "utf8", stdio: "ignore" });
+  return !result.error && result.status === 0;
+}
+
+function detectRepoFromGitRemote() {
+  const remoteUrl = run("git", ["remote", "get-url", "origin"]);
+
+  const sshMatch = remoteUrl.match(/^git@github\.com:([^/]+)\/([^/]+?)(?:\.git)?$/);
+  if (sshMatch) return `${sshMatch[1]}/${sshMatch[2]}`;
+
+  const httpsMatch = remoteUrl.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?$/);
+  if (httpsMatch) return `${httpsMatch[1]}/${httpsMatch[2]}`;
+
+  throw new Error(`Could not detect OWNER/REPO from origin remote: ${remoteUrl}`);
+}
+
+function splitRepo(repo) {
+  const match = repo?.match(/^([^/\s]+)\/([^/\s]+)$/);
+  if (!match) throw new Error("Repository must be in OWNER/REPO format.");
+  return { owner: match[1], repo: match[2] };
+}
+
+function ghApi(endpoint, { method = "GET", body = null, silent404 = false } = {}) {
+  const args = [
+    "api",
+    `--method=${method}`,
+    "-H",
+    "Accept: application/vnd.github+json",
+    "-H",
+    `X-GitHub-Api-Version: ${API_VERSION}`,
+    endpoint
+  ];
+
+  let tempDir = null;
+  try {
+    if (body !== null) {
+      tempDir = mkdtempSync(path.join(tmpdir(), "setup-github-rules-"));
+      const bodyPath = path.join(tempDir, "body.json");
+      writeFileSync(bodyPath, JSON.stringify(body, null, 2));
+      args.push("--input", bodyPath);
+    }
+
+    const result = spawnSync("gh", args, { encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] });
+    if (result.status === 0) {
+      const stdout = result.stdout.trim();
+      return stdout ? JSON.parse(stdout) : null;
+    }
+
+    if (silent404 && result.stderr.includes("HTTP 404")) return null;
+
+    throw new Error([`gh api failed: gh ${args.join(" ")}`, result.stderr.trim(), result.stdout.trim()].filter(Boolean).join("\n"));
+  } finally {
+    if (tempDir) rmSync(tempDir, { recursive: true, force: true });
+  }
+}
+
+async function selectBranch(rl, preselectedBranch) {
+  if (preselectedBranch) return preselectedBranch;
+
+  console.log("\nChoose the repository default branch:");
+  console.log("  1) main");
+  console.log("  2) develop");
+  console.log("  3) other");
+
+  while (true) {
+    const answer = (await rl.question("Select [1/2/3]: ")).trim();
+    if (answer === "1" || answer.toLowerCase() === "main") return "main";
+    if (answer === "2" || answer.toLowerCase() === "develop") return "develop";
+    if (answer === "3" || answer.toLowerCase() === "other") {
+      const branch = (await rl.question("Branch name: ")).trim();
+      if (isValidBranchName(branch)) return branch;
+      console.log("Please enter a valid branch name.");
+      continue;
+    }
+    console.log("Please choose 1, 2, or 3.");
+  }
+}
+
+function isValidBranchName(branch) {
+  return Boolean(branch) &&
+    !branch.startsWith("/") &&
+    !branch.endsWith("/") &&
+    !branch.includes("..") &&
+    !branch.includes(" ") &&
+    !branch.includes("~") &&
+    !branch.includes("^") &&
+    !branch.includes(":") &&
+    !branch.includes("?") &&
+    !branch.includes("*") &&
+    !branch.includes("[") &&
+    !branch.includes("\\") &&
+    !branch.endsWith(".lock");
+}
+
+function makeRulesetPayload({ branch, rulesetName, approvals }) {
+  return {
+    name: rulesetName,
+    target: "branch",
+    enforcement: "active",
+    conditions: {
+      ref_name: {
+        include: [`refs/heads/${branch}`],
+        exclude: []
+      }
+    },
+    rules: [
+      {
+        type: "pull_request",
+        parameters: {
+          required_approving_review_count: approvals,
+          dismiss_stale_reviews_on_push: true,
+          require_code_owner_review: false,
+          require_last_push_approval: false,
+          required_review_thread_resolution: false
+        }
+      },
+      { type: "deletion" },
+      { type: "non_fast_forward" }
+    ],
+    bypass_actors: []
+  };
+}
+
+function branchExists(owner, repo, branch) {
+  return ghApi(`/repos/${owner}/${repo}/branches/${encodeURIComponent(branch)}`, { silent404: true }) !== null;
+}
+
+function createBranchFrom(owner, repo, newBranch, sourceBranch) {
+  const sourceRef = ghApi(`/repos/${owner}/${repo}/git/ref/heads/${encodeURIComponent(sourceBranch)}`);
+  ghApi(`/repos/${owner}/${repo}/git/refs`, {
+    method: "POST",
+    body: {
+      ref: `refs/heads/${newBranch}`,
+      sha: sourceRef.object.sha
+    }
+  });
+}
+
+function findExistingRuleset(owner, repo, rulesetName) {
+  const rulesets = ghApi(`/repos/${owner}/${repo}/rulesets`);
+  return Array.isArray(rulesets) ? rulesets.find((ruleset) => ruleset.name === rulesetName) : null;
+}
+
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+  if (args.help) {
+    printHelp();
+    return;
+  }
+
+  if (!commandExists("git")) throw new Error("git is required.");
+  if (!commandExists("gh")) throw new Error("GitHub CLI is required. Install gh and run `gh auth login` first.");
+
+  run("gh", ["auth", "status"], { stdio: ["ignore", "ignore", "pipe"] });
+
+  const repoFullName = args.repo ?? detectRepoFromGitRemote();
+  const { owner, repo } = splitRepo(repoFullName);
+
+  const rl = readline.createInterface({ input, output });
+  try {
+    const repoInfo = ghApi(`/repos/${owner}/${repo}`);
+    const currentDefaultBranch = repoInfo.default_branch;
+    const selectedBranch = await selectBranch(rl, args.branch);
+    const approvals = args.approvals ?? 1;
+    const rulesetName = args.rulesetName ?? `${DEFAULT_RULESET_NAME_PREFIX} ${selectedBranch}`;
+
+    console.log("\nPlan:");
+    console.log(`  Repository:           ${owner}/${repo}`);
+    console.log(`  Current default:      ${currentDefaultBranch}`);
+    console.log(`  New default:          ${selectedBranch}`);
+    console.log(`  Protected branch:     ${selectedBranch}`);
+    console.log(`  Required approvals:   ${approvals}`);
+    console.log(`  Ruleset name:         ${rulesetName}`);
+
+    if (args.dryRun) {
+      console.log("\nDry run only. No changes were made.");
+      return;
+    }
+
+    if (!args.yes) {
+      const confirm = (await rl.question("\nApply these changes? [y/N]: ")).trim().toLowerCase();
+      if (confirm !== "y" && confirm !== "yes") {
+        console.log("Cancelled. No changes were made.");
+        return;
+      }
+    }
+
+    if (!branchExists(owner, repo, selectedBranch)) {
+      console.log(`Creating branch '${selectedBranch}' from '${currentDefaultBranch}'...`);
+      createBranchFrom(owner, repo, selectedBranch, currentDefaultBranch);
+    } else {
+      console.log(`Branch '${selectedBranch}' already exists.`);
+    }
+
+    if (currentDefaultBranch !== selectedBranch) {
+      console.log(`Setting default branch to '${selectedBranch}'...`);
+      ghApi(`/repos/${owner}/${repo}`, {
+        method: "PATCH",
+        body: { default_branch: selectedBranch }
+      });
+    } else {
+      console.log(`Default branch is already '${selectedBranch}'.`);
+    }
+
+    const payload = makeRulesetPayload({ branch: selectedBranch, rulesetName, approvals });
+    const existing = findExistingRuleset(owner, repo, rulesetName);
+
+    if (existing) {
+      console.log(`Updating existing ruleset '${rulesetName}'...`);
+      ghApi(`/repos/${owner}/${repo}/rulesets/${existing.id}`, {
+        method: "PUT",
+        body: payload
+      });
+    } else {
+      console.log(`Creating ruleset '${rulesetName}'...`);
+      ghApi(`/repos/${owner}/${repo}/rulesets`, {
+        method: "POST",
+        body: payload
+      });
+    }
+
+    console.log("\nDone.");
+    console.log(`Default branch '${selectedBranch}' now requires Pull Requests before changes can be merged.`);
+  } finally {
+    rl.close();
+  }
+}
+
+main().catch((error) => {
+  console.error(`\nError: ${error.message}`);
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@lilpacy/setup-github-rules",
+  "version": "0.1.0",
+  "description": "One-shot interactive GitHub repository rules setup using gh CLI. No Terraform state, no generated files.",
+  "type": "module",
+  "bin": {
+    "setup-github-rules": "./bin/setup-github-rules.js"
+  },
+  "files": [
+    "bin/",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "check": "node --check ./bin/setup-github-rules.js",
+    "test": "node --test",
+    "prepublishOnly": "npm run check && npm test && npm pack --dry-run",
+    "start": "node ./bin/setup-github-rules.js"
+  },
+  "keywords": [
+    "cli",
+    "github",
+    "gh",
+    "ruleset",
+    "branch-protection",
+    "pull-request"
+  ],
+  "author": "lilpacy",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/lilpacy/setup-github-rules-cli.git"
+  },
+  "bugs": {
+    "url": "https://github.com/lilpacy/setup-github-rules-cli/issues"
+  },
+  "homepage": "https://github.com/lilpacy/setup-github-rules-cli#readme",
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}