@repository-settings/app 2.2.0-beta.2

package/LICENSE

@@ -0,0 +1,15 @@
+ISC License
+
+Copyright (c) 2017, Brandon Keepers
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

package/README.md

@@ -0,0 +1,227 @@
+# GitHub Settings
+
+<!--status-badges start -->
+
+[![Powered by Vercel][vercel-badge]][vercel-link]
+
+[![Node CI Workflow Status][github-actions-ci-badge]][github-actions-ci-link]
+[![Renovate][renovate-badge]][renovate-link]
+
+<!--status-badges end -->
+
+This GitHub App syncs repository settings defined in `.github/settings.yml` to GitHub, enabling Pull Requests for repository settings.
+
+## Usage
+
+1. __[Install the app](https://github.com/apps/settings)__.
+1. Create a `.github/settings.yml` file in your repository. Changes to this file on the default branch will be synced to GitHub.
+
+All top-level settings are optional. Some plugins do have required fields.
+
+```yaml
+# These settings are synced to GitHub by https://probot.github.io/apps/settings/
+
+repository:
+  # See https://docs.github.com/en/rest/reference/repos#update-a-repository for all available settings.
+
+  # The name of the repository. Changing this will rename the repository
+  name: repo-name
+
+  # A short description of the repository that will show up on GitHub
+  description: description of repo
+
+  # A URL with more information about the repository
+  homepage: https://example.github.io/
+
+  # A comma-separated list of topics to set on the repository
+  topics: github, probot
+
+  # Either `true` to make the repository private, or `false` to make it public.
+  private: false
+
+  # Either `true` to enable issues for this repository, `false` to disable them.
+  has_issues: true
+
+  # Either `true` to enable projects for this repository, or `false` to disable them.
+  # If projects are disabled for the organization, passing `true` will cause an API error.
+  has_projects: true
+
+  # Either `true` to enable the wiki for this repository, `false` to disable it.
+  has_wiki: true
+
+  # Either `true` to enable downloads for this repository, `false` to disable them.
+  has_downloads: true
+
+  # Updates the default branch for this repository.
+  default_branch: master
+
+  # Either `true` to allow squash-merging pull requests, or `false` to prevent
+  # squash-merging.
+  allow_squash_merge: true
+
+  # Either `true` to allow merging pull requests with a merge commit, or `false`
+  # to prevent merging pull requests with merge commits.
+  allow_merge_commit: true
+
+  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+  # rebase-merging.
+  allow_rebase_merge: true
+
+  # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
+  delete_branch_on_merge: true
+
+  # Either `true` to enable automated security fixes, or `false` to disable
+  # automated security fixes.
+  enable_automated_security_fixes: true
+
+  # Either `true` to enable vulnerability alerts, or `false` to disable
+  # vulnerability alerts.
+  enable_vulnerability_alerts: true
+
+# Labels: define labels for Issues and Pull Requests
+labels:
+  - name: bug
+    color: CC0000
+    description: An issue with the system 🐛.
+
+  - name: feature
+    # If including a `#`, make sure to wrap it with quotes!
+    color: '#336699'
+    description: New functionality.
+
+  - name: Help Wanted
+    # Provide a new name to rename an existing label
+    new_name: first-timers-only
+
+# Milestones: define milestones for Issues and Pull Requests
+milestones:
+  - title: milestone-title
+    description: milestone-description
+    # The state of the milestone. Either `open` or `closed`
+    state: open
+
+# Collaborators: give specific users access to this repository.
+# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
+collaborators:
+  # - username: bkeepers
+  #   permission: push
+  # - username: hubot
+  #   permission: pull
+
+  # Note: `permission` is only valid on organization-owned repositories.
+  # The permission to grant the collaborator. Can be one of:
+  # * `pull` - can pull, but not push to or administer this repository.
+  # * `push` - can pull and push, but not administer this repository.
+  # * `admin` - can pull, push and administer this repository.
+  # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+  # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+
+# See https://docs.github.com/en/rest/deployments/environments#create-or-update-an-environment for available options
+# Note: deployment_branch_policy differs from the API for ease of use. Either protected_branches (boolean) OR custom_branches (array of strings) can be provided; this will manage the API requirements under the hood. See https://docs.github.com/en/rest/deployments/branch-policies for documentation of custom_branches. If both are provided in an unexpected manner, protected_branches will be used.
+# Either removing or simply not setting deployment_branch_policy will restore the default 'All branches' setting.
+environments:
+  - name: production
+    wait_timer: 5
+    reviewers:
+      - id: 1
+        type: 'Team'
+      - id: 2
+        type: 'User'
+    deployment_branch_policy:
+      protected_branches: true
+  - name: development
+    deployment_branch_policy:
+      custom_branches:
+        - main
+        - dev/*
+
+# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
+teams:
+  - name: core
+    # The permission to grant the team. Can be one of:
+    # * `pull` - can pull, but not push to or administer this repository.
+    # * `push` - can pull and push, but not administer this repository.
+    # * `admin` - can pull, push and administer this repository.
+    # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+    # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+    permission: admin
+  - name: docs
+    permission: push
+
+branches:
+  - name: master
+    # https://docs.github.com/en/rest/reference/repos#update-branch-protection
+    # Branch Protection settings. Set to null to disable
+    protection:
+      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
+      required_pull_request_reviews:
+        # The number of approvals required. (1-6)
+        required_approving_review_count: 1
+        # Dismiss approved reviews automatically when a new commit is pushed.
+        dismiss_stale_reviews: true
+        # Blocks merge until code owners have reviewed.
+        require_code_owner_reviews: true
+        # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
+        dismissal_restrictions:
+          users: []
+          teams: []
+      # Required. Require status checks to pass before merging. Set to null to disable
+      required_status_checks:
+        # Required. Require branches to be up to date before merging.
+        strict: true
+        # Required. The list of status checks to require in order to merge into this branch
+        contexts: []
+      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
+      enforce_admins: true
+      # Prevent merge commits from being pushed to matching branches
+      required_linear_history: true
+      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
+      restrictions:
+        apps: []
+        users: []
+        teams: []
+```
+
+### Notes
+
+1. Label color can also start with `#`, e.g. `color: '#F341B2'`. Make sure to wrap it with quotes!
+1. Each top-level element under branch protection must be filled (eg: `required_pull_request_reviews`, `required_status_checks`, `enforce_admins` and `restrictions`). If you don't want to use one of them you must set it to `null` (see comments in the example above). Otherwise, none of the settings will be applied.
+
+### Inheritance
+
+This app is built with [probot](https://github.com/probot/probot), and thus uses the [octokit-plugin-config](https://github.com/probot/octokit-plugin-config). This means you can inherit settings from another repo, and only override what you want to change.
+
+Individual settings in the arrays listed under `labels`, `teams` (once it is supported) and `branches` will be merged with the base repo if the `name` of an element in the array matches the `name` of an element in the corresponding array in the base repo. A possible future enhancement would be to make that work for the other settings arrays based on `username`, or `title`. This is not currently supported.
+
+To further clarify: Inheritance within the Protected Branches plugin allows you to override specific settings per branch. For example, your `.github` repo may set default protection on the `master` branch. You can then include `master` in your `branches` array, and only override the `required_approving_review_count`.
+Alternatively, you might only have a branch like `develop` in your `branches` array, and would still get `master` protection from your base repo.
+
+## Security Implications
+
+__WARNING:__ Note that this app inherently _escalates anyone with `push` permissions to the __admin__ role_, since they can push config settings to the `master` branch, which will be synced. In a future, we may add restrictions to allow changes to the config file to be merged only by specific people/teams, or those with __admin__ access _(via a combination of protected branches, required statuses, and branch restrictions)_. Until then, use caution when merging PRs and adding collaborators.
+
+Until restrictions are added in this app, one way to preserve admin/push permissions is to utilize the [GitHub CodeOwners feature](https://help.github.com/articles/about-codeowners/) to set one or more administrative users as the code owner of the `.github/settings.yml` file, and turn on "require code owner review" for the master branch. This does have the side effect of requiring code owner review for the entire branch, but helps preserve permission levels.
+
+## Deployment
+
+<!--consumer-badges start -->
+
+![node][node-badge]
+
+<!--consumer-badges end -->
+
+See [docs/deploy.md](docs/deploy.md) if you would like to run your own instance of this plugin.
+
+[github-actions-ci-link]: https://github.com/repository-settings/app/actions?query=workflow%3A%22Node.js+CI%22+branch%3Amaster
+
+[github-actions-ci-badge]: https://github.com/repository-settings/app/workflows/Node.js%20CI/badge.svg
+
+[renovate-link]: https://renovatebot.com
+
+[renovate-badge]: https://img.shields.io/badge/renovate-enabled-brightgreen.svg?logo=renovatebot
+
+[node-badge]: https://img.shields.io/node/v/probot-settings?logo=node.js
+
+[vercel-badge]: https://github.com/repository-settings/app/raw/master/assets/powered-by-vercel.svg
+
+[vercel-link]: https://vercel.com?utm_source=repository-settings&utm_campaign=oss

package/index.js

@@ -0,0 +1,51 @@
+const mergeArrayByName = require('./lib/mergeArrayByName')
+
+/**
+ * @param {import('probot').Probot} robot
+ */
+module.exports = (robot, _, Settings = require('./lib/settings')) => {
+  async function syncSettings (context, repo = context.repo()) {
+    const config = await context.config('settings.yml', {}, { arrayMerge: mergeArrayByName })
+    return Settings.sync(context.octokit, repo, config)
+  }
+
+  robot.on('push', async context => {
+    const { payload } = context
+    const { repository } = payload
+
+    const defaultBranch = payload.ref === 'refs/heads/' + repository.default_branch
+    if (!defaultBranch) {
+      robot.log.debug('Not working on the default branch, returning...')
+      return
+    }
+
+    const settingsModified = payload.commits.find(commit => {
+      return commit.added.includes(Settings.FILE_NAME) || commit.modified.includes(Settings.FILE_NAME)
+    })
+
+    if (!settingsModified) {
+      robot.log.debug(`No changes in '${Settings.FILE_NAME}' detected, returning...`)
+      return
+    }
+
+    return syncSettings(context)
+  })
+
+  robot.on('repository.edited', async context => {
+    const { payload } = context
+    const { changes, repository } = payload
+
+    if (!Object.prototype.hasOwnProperty.call(changes, 'default_branch')) {
+      robot.log.debug('Repository configuration was edited but the default branch was not affected, returning...')
+      return
+    }
+
+    robot.log.debug(`Default branch changed from '${changes.default_branch.from}' to '${repository.default_branch}'`)
+
+    return syncSettings(context)
+  })
+
+  robot.on('repository.created', async context => {
+    return syncSettings(context)
+  })
+}

package/lib/mergeArrayByName.js

@@ -0,0 +1,28 @@
+// https://github.com/KyleAMathews/deepmerge#arraymerge
+
+const merge = require('deepmerge')
+
+function findMatchingIndex (sourceItem, target) {
+  if (Object.prototype.hasOwnProperty.call(sourceItem, 'name')) {
+    return target
+      .filter(targetItem => Object.prototype.hasOwnProperty.call(targetItem, 'name'))
+      .findIndex(targetItem => sourceItem.name === targetItem.name)
+  }
+}
+
+function mergeByName (target, source, options) {
+  const destination = target.slice()
+
+  source.forEach(sourceItem => {
+    const matchingIndex = findMatchingIndex(sourceItem, target)
+    if (matchingIndex > -1) {
+      destination[matchingIndex] = merge(target[matchingIndex], sourceItem, options)
+    } else {
+      destination.push(sourceItem)
+    }
+  })
+
+  return destination
+}
+
+module.exports = mergeByName

package/lib/plugins/branches.js

@@ -0,0 +1,33 @@
+const previewHeaders = {
+  accept:
+    'application/vnd.github.hellcat-preview+json,application/vnd.github.luke-cage-preview+json,application/vnd.github.zzzax-preview+json'
+}
+
+module.exports = class Branches {
+  constructor (github, repo, settings) {
+    this.github = github
+    this.repo = repo
+    this.branches = settings
+  }
+
+  sync () {
+    return Promise.all(
+      this.branches
+        .filter(branch => branch.protection !== undefined)
+        .map(branch => {
+          const params = Object.assign(this.repo, { branch: branch.name })
+
+          if (this.isEmpty(branch.protection)) {
+            return this.github.repos.deleteBranchProtection(params)
+          } else {
+            Object.assign(params, branch.protection, { headers: previewHeaders })
+            return this.github.repos.updateBranchProtection(params)
+          }
+        })
+    )
+  }
+
+  isEmpty (maybeEmpty) {
+    return maybeEmpty === null || Object.keys(maybeEmpty).length === 0
+  }
+}

package/lib/plugins/collaborators.js

@@ -0,0 +1,51 @@
+const Diffable = require('./diffable')
+
+module.exports = class Collaborators extends Diffable {
+  constructor (...args) {
+    super(...args)
+
+    if (this.entries) {
+      // Force all usernames to lowercase to avoid comparison issues.
+      this.entries.forEach(collaborator => {
+        collaborator.username = collaborator.username.toLowerCase()
+      })
+    }
+  }
+
+  find () {
+    return this.github.repos
+      .listCollaborators({ repo: this.repo.repo, owner: this.repo.owner, affiliation: 'direct' })
+      .then(res => {
+        return res.data.map(user => {
+          return {
+            // Force all usernames to lowercase to avoid comparison issues.
+            username: user.login.toLowerCase(),
+            permission:
+              (user.permissions.admin && 'admin') ||
+              (user.permissions.push && 'push') ||
+              (user.permissions.pull && 'pull')
+          }
+        })
+      })
+  }
+
+  comparator (existing, attrs) {
+    return existing.username === attrs.username
+  }
+
+  changed (existing, attrs) {
+    return existing.permission !== attrs.permission
+  }
+
+  update (existing, attrs) {
+    return this.add(attrs)
+  }
+
+  add (attrs) {
+    return this.github.repos.addCollaborator(Object.assign({}, attrs, this.repo))
+  }
+
+  remove (existing) {
+    return this.github.repos.removeCollaborator(Object.assign({ username: existing.username }, this.repo))
+  }
+}

package/lib/plugins/diffable.js

@@ -0,0 +1,56 @@
+// Base class to make it easy to check for changes to a list of items
+//
+//     class Thing extends Diffable {
+//       find() {
+//       }
+//
+//       comparator(existing, attrs) {
+//       }
+//
+//       changed(existing, attrs) {
+//       }
+//
+//       update(existing, attrs) {
+//       }
+//
+//       add(attrs) {
+//       }
+//
+//       remove(existing) {
+//       }
+//     }
+module.exports = class Diffable {
+  constructor (github, repo, entries) {
+    this.github = github
+    this.repo = repo
+    this.entries = entries
+  }
+
+  sync () {
+    if (this.entries) {
+      return this.find().then(existingRecords => {
+        const changes = []
+
+        this.entries.forEach(attrs => {
+          const existing = existingRecords.find(record => {
+            return this.comparator(record, attrs)
+          })
+
+          if (!existing) {
+            changes.push(this.add(attrs))
+          } else if (this.changed(existing, attrs)) {
+            changes.push(this.update(existing, attrs))
+          }
+        })
+
+        existingRecords.forEach(x => {
+          if (!this.entries.find(y => this.comparator(x, y))) {
+            changes.push(this.remove(x))
+          }
+        })
+
+        return Promise.all(changes)
+      })
+    }
+  }
+}

package/lib/plugins/environments.js

@@ -0,0 +1,180 @@
+const Diffable = require('./diffable')
+
+const environmentRepoEndpoint = '/repos/:org/:repo/environments/:environment_name'
+
+module.exports = class Environments extends Diffable {
+  constructor (...args) {
+    super(...args)
+
+    if (this.entries) {
+      // Force all names to lowercase to avoid comparison issues.
+      this.entries.forEach(environment => {
+        environment.name = environment.name.toLowerCase()
+      })
+    }
+  }
+
+  async find () {
+    const {
+      data: { environments }
+    } = await this.github.request('GET /repos/:org/:repo/environments', {
+      org: this.repo.owner,
+      repo: this.repo.repo
+    })
+    return Promise.all(
+      environments.map(async environment => {
+        if (environment.deployment_branch_policy) {
+          if (environment.deployment_branch_policy.custom_branch_policies) {
+            const branchPolicies = await this.getDeploymentBranchPolicies(
+              this.repo.owner,
+              this.repo.repo,
+              environment.name
+            )
+            environment.deployment_branch_policy = {
+              custom_branches: branchPolicies.map(_ => _.name)
+            }
+          } else {
+            environment.deployment_branch_policy = {
+              protected_branches: true
+            }
+          }
+        }
+        return {
+          ...environment,
+          // Force all names to lowercase to avoid comparison issues.
+          name: environment.name.toLowerCase()
+        }
+      })
+    )
+  }
+
+  comparator (existing, attrs) {
+    return existing.name === attrs.name
+  }
+
+  changed (existing, attrs) {
+    if (!attrs.wait_timer) attrs.wait_timer = 0
+    return (
+      (existing.wait_timer || 0) !== attrs.wait_timer ||
+      this.reviewersToString(existing.reviewers) !== this.reviewersToString(attrs.reviewers) ||
+      this.deploymentBranchPolicyToString(existing.deployment_branch_policy) !==
+        this.deploymentBranchPolicyToString(attrs.deployment_branch_policy)
+    )
+  }
+
+  async update (existing, attrs) {
+    if (existing.deployment_branch_policy && existing.deployment_branch_policy.custom_branches) {
+      const branchPolicies = await this.getDeploymentBranchPolicies(this.repo.owner, this.repo.repo, existing.name)
+      await Promise.all(
+        branchPolicies.map(branchPolicy =>
+          this.github.request(
+            'DELETE /repos/:org/:repo/environments/:environment_name/deployment-branch-policies/:id',
+            {
+              org: this.repo.owner,
+              repo: this.repo.repo,
+              environment_name: existing.name,
+              id: branchPolicy.id
+            }
+          )
+        )
+      )
+    }
+    return this.add(attrs)
+  }
+
+  async add (attrs) {
+    await this.github.request(`PUT ${environmentRepoEndpoint}`, this.toParams({ name: attrs.name }, attrs))
+    if (attrs.deployment_branch_policy && attrs.deployment_branch_policy.custom_branches) {
+      await Promise.all(
+        attrs.deployment_branch_policy.custom_branches.map(name =>
+          this.github.request(`POST /repos/:org/:repo/environments/:environment_name/deployment-branch-policies`, {
+            org: this.repo.owner,
+            repo: this.repo.repo,
+            environment_name: attrs.name,
+            name
+          })
+        )
+      )
+    }
+  }
+
+  remove (existing) {
+    return this.github.request(`DELETE ${environmentRepoEndpoint}`, {
+      environment_name: existing.name,
+      repo: this.repo.repo,
+      org: this.repo.owner
+    })
+  }
+
+  reviewersToString (attrs) {
+    if (attrs === null || attrs === undefined) {
+      return ''
+    } else {
+      attrs.sort((a, b) => {
+        if (a.id < b.id) return -1
+        if (a.id > b.id) return 1
+        if (a.type < b.type) return -1
+        if (a.type > b.type) return 1
+        return 0
+      })
+      return JSON.stringify(
+        attrs.map(reviewer => {
+          return {
+            id: reviewer.id,
+            type: reviewer.type
+          }
+        })
+      )
+    }
+  }
+
+  deploymentBranchPolicyToString (attrs) {
+    if (attrs === null || attrs === undefined) {
+      return ''
+    } else {
+      return JSON.stringify(
+        this.shouldUseProtectedBranches(attrs.protected_branches, attrs.custom_branches)
+          ? { protected_branches: true }
+          : { custom_branches: attrs.custom_branches.sort() }
+      )
+    }
+  }
+
+  async getDeploymentBranchPolicies (owner, repo, environmentName) {
+    const {
+      data: { branch_policies: branchPolicies }
+    } = await this.github.request('GET /repos/:org/:repo/environments/:environment_name/deployment-branch-policies', {
+      org: owner,
+      repo,
+      environment_name: environmentName
+    })
+    return branchPolicies
+  }
+
+  toParams (existing, attrs) {
+    const deploymentBranchPolicy = attrs.deployment_branch_policy
+      ? this.shouldUseProtectedBranches(
+          attrs.deployment_branch_policy.protected_branches,
+          attrs.deployment_branch_policy.custom_branches
+        )
+        ? { protected_branches: true, custom_branch_policies: false }
+        : { protected_branches: false, custom_branch_policies: true }
+      : null
+    return {
+      environment_name: existing.name,
+      repo: this.repo.repo,
+      org: this.repo.owner,
+      wait_timer: attrs.wait_timer,
+      reviewers: attrs.reviewers,
+      deployment_branch_policy: deploymentBranchPolicy
+    }
+  }
+
+  shouldUseProtectedBranches (protectedBranches, customBranchPolicies) {
+    if (protectedBranches || customBranchPolicies === undefined || customBranchPolicies === null) {
+      return true // Returning booleans like this to avoid unexpected datatypes that result in truthy values
+    } else {
+      return false
+    }
+  }
+}

package/lib/plugins/labels.js

@@ -0,0 +1,49 @@
+const Diffable = require('./diffable')
+const previewHeaders = { accept: 'application/vnd.github.symmetra-preview+json' }
+
+module.exports = class Labels extends Diffable {
+  constructor (...args) {
+    super(...args)
+
+    if (this.entries) {
+      this.entries.forEach(label => {
+        // Force color to string since some hex colors can be numerical (e.g. 999999)
+        if (label.color) {
+          label.color = String(label.color).replace(/^#/, '')
+          if (label.color.length < 6) {
+            label.color = label.color.padStart(6, '0')
+          }
+        }
+      })
+    }
+  }
+
+  find () {
+    const options = this.github.issues.listLabelsForRepo.endpoint.merge(this.wrapAttrs({ per_page: 100 }))
+    return this.github.paginate(options)
+  }
+
+  comparator (existing, attrs) {
+    return existing.name === attrs.name
+  }
+
+  changed (existing, attrs) {
+    return 'new_name' in attrs || existing.color !== attrs.color || existing.description !== attrs.description
+  }
+
+  update (existing, attrs) {
+    return this.github.issues.updateLabel(this.wrapAttrs(attrs))
+  }
+
+  add (attrs) {
+    return this.github.issues.createLabel(this.wrapAttrs(attrs))
+  }
+
+  remove (existing) {
+    return this.github.issues.deleteLabel(this.wrapAttrs({ name: existing.name }))
+  }
+
+  wrapAttrs (attrs) {
+    return Object.assign({}, attrs, this.repo, { headers: previewHeaders })
+  }
+}

package/lib/plugins/milestones.js

@@ -0,0 +1,50 @@
+const Diffable = require('./diffable')
+
+module.exports = class Milestones extends Diffable {
+  constructor (...args) {
+    super(...args)
+
+    if (this.entries) {
+      this.entries.forEach(milestone => {
+        if (milestone.due_on) {
+          delete milestone.due_on
+        }
+      })
+    }
+  }
+
+  find () {
+    const options = this.github.issues.listMilestones.endpoint.merge(
+      Object.assign({ per_page: 100, state: 'all' }, this.repo)
+    )
+    return this.github.paginate(options)
+  }
+
+  comparator (existing, attrs) {
+    return existing.title === attrs.title
+  }
+
+  changed (existing, attrs) {
+    return existing.description !== attrs.description || existing.state !== attrs.state
+  }
+
+  update (existing, attrs) {
+    const { owner, repo } = this.repo
+
+    return this.github.issues.updateMilestone(
+      Object.assign({ milestone_number: existing.number }, attrs, { owner, repo })
+    )
+  }
+
+  add (attrs) {
+    const { owner, repo } = this.repo
+
+    return this.github.issues.createMilestone(Object.assign({}, attrs, { owner, repo }))
+  }
+
+  remove (existing) {
+    const { owner, repo } = this.repo
+
+    return this.github.issues.deleteMilestone(Object.assign({ milestone_number: existing.number }, { owner, repo }))
+  }
+}

package/lib/plugins/repository.js

@@ -0,0 +1,68 @@
+const enableAutomatedSecurityFixes = ({ github, settings, enabled }) => {
+  if (enabled === undefined) {
+    return Promise.resolve()
+  }
+
+  const args = {
+    owner: settings.owner,
+    repo: settings.repo,
+    mediaType: {
+      previews: ['london']
+    }
+  }
+  const methodName = enabled ? 'enableAutomatedSecurityFixes' : 'disableAutomatedSecurityFixes'
+
+  return github.repos[methodName](args)
+}
+
+const enableVulnerabilityAlerts = ({ github, settings, enabled }) => {
+  if (enabled === undefined) {
+    return Promise.resolve()
+  }
+
+  const args = {
+    owner: settings.owner,
+    repo: settings.repo,
+    mediaType: {
+      previews: ['dorian']
+    }
+  }
+  const methodName = enabled ? 'enableVulnerabilityAlerts' : 'disableVulnerabilityAlerts'
+
+  return github.repos[methodName](args)
+}
+
+module.exports = class Repository {
+  constructor (github, repo, settings) {
+    this.github = github
+    this.settings = Object.assign({ mediaType: { previews: ['baptiste'] } }, settings, repo)
+    this.topics = this.settings.topics
+    delete this.settings.topics
+
+    this.enableVulnerabilityAlerts = this.settings.enable_vulnerability_alerts
+    delete this.settings.enable_vulnerability_alerts
+
+    this.enableAutomatedSecurityFixes = this.settings.enable_automated_security_fixes
+    delete this.settings.enable_automated_security_fixes
+  }
+
+  sync () {
+    this.settings.name = this.settings.name || this.settings.repo
+    return this.github.repos
+      .update(this.settings)
+      .then(() => {
+        if (this.topics) {
+          return this.github.repos.replaceAllTopics({
+            owner: this.settings.owner,
+            repo: this.settings.repo,
+            names: this.topics.split(/\s*,\s*/),
+            mediaType: {
+              previews: ['mercy']
+            }
+          })
+        }
+      })
+      .then(() => enableVulnerabilityAlerts({ enabled: this.enableVulnerabilityAlerts, ...this }))
+      .then(() => enableAutomatedSecurityFixes({ enabled: this.enableAutomatedSecurityFixes, ...this }))
+  }
+}

package/lib/plugins/teams.js

@@ -0,0 +1,50 @@
+const Diffable = require('./diffable')
+
+// it is necessary to use this endpoint until GitHub Enterprise supports
+// the modern version under /orgs
+const teamRepoEndpoint = '/teams/:team_id/repos/:owner/:repo'
+
+module.exports = class Teams extends Diffable {
+  find () {
+    return this.github.repos.listTeams(this.repo).then(res => res.data)
+  }
+
+  comparator (existing, attrs) {
+    return existing.slug === attrs.name
+  }
+
+  changed (existing, attrs) {
+    return existing.permission !== attrs.permission
+  }
+
+  update (existing, attrs) {
+    return this.github.request(`PUT ${teamRepoEndpoint}`, this.toParams(existing, attrs))
+  }
+
+  async add (attrs) {
+    const { data: existing } = await this.github.request('GET /orgs/:org/teams/:team_slug', {
+      org: this.repo.owner,
+      team_slug: attrs.name
+    })
+
+    return this.github.request(`PUT ${teamRepoEndpoint}`, this.toParams(existing, attrs))
+  }
+
+  remove (existing) {
+    return this.github.request(`DELETE ${teamRepoEndpoint}`, {
+      team_id: existing.id,
+      ...this.repo,
+      org: this.repo.owner
+    })
+  }
+
+  toParams (existing, attrs) {
+    return {
+      team_id: existing.id,
+      owner: this.repo.owner,
+      repo: this.repo.repo,
+      org: this.repo.owner,
+      permission: attrs.permission
+    }
+  }
+}

package/lib/settings.js

@@ -0,0 +1,47 @@
+class Settings {
+  static sync (github, repo, config) {
+    return new Settings(github, repo, config).update()
+  }
+
+  constructor (github, repo, config) {
+    this.github = github
+    this.repo = repo
+    this.config = config
+  }
+
+  update () {
+    const { branches, ...rest } = this.config
+
+    return Promise.all(
+      Object.entries(rest).map(([section, config]) => {
+        return this.processSection(section, config)
+      })
+    ).then(() => {
+      if (branches) {
+        return this.processSection('branches', branches)
+      }
+    })
+  }
+
+  processSection (section, config) {
+    const debug = { repo: this.repo }
+    debug[section] = config
+
+    const Plugin = Settings.PLUGINS[section]
+    return new Plugin(this.github, this.repo, config).sync()
+  }
+}
+
+Settings.FILE_NAME = '.github/settings.yml'
+
+Settings.PLUGINS = {
+  repository: require('./plugins/repository'),
+  labels: require('./plugins/labels'),
+  collaborators: require('./plugins/collaborators'),
+  environments: require('./plugins/environments'),
+  teams: require('./plugins/teams'),
+  milestones: require('./plugins/milestones'),
+  branches: require('./plugins/branches')
+}
+
+module.exports = Settings

package/package.json

@@ -0,0 +1,68 @@
+{
+  "name": "@repository-settings/app",
+  "version": "2.2.0-beta.2",
+  "description": "Pull Requests for GitHub repository settings",
+  "repository": "github:repository-settings/app",
+  "main": "index.js",
+  "scripts": {
+    "dev": "nodemon",
+    "start": "probot run ./index.js",
+    "test": "npm-run-all --print-label --parallel lint:* --parallel test:*",
+    "lint:js": "prettier-standard --lint --check",
+    "lint:js:fix": "prettier-standard --format --lint",
+    "lint:lockfile": "lockfile-lint --path package-lock.json --type npm --validate-https --allowed-hosts npm",
+    "lint:engines": "ls-engines",
+    "lint:peer": "npm ls >/dev/null",
+    "test:unit": "jest 'test/unit/'",
+    "test:unit:watch": "npm run test:unit -- --watch",
+    "test:integration": "jest 'test/integration/'",
+    "test:integration:debug": "LOG_LEVEL=debug DEBUG=nock.* run-s test:integration"
+  },
+  "author": "Brandon Keepers",
+  "license": "ISC",
+  "dependencies": {
+    "deepmerge": "4.3.1",
+    "js-yaml": "4.1.0",
+    "probot": "12.3.3"
+  },
+  "devDependencies": {
+    "@travi/any": "3.0.2",
+    "http-status-codes": "2.3.0",
+    "jest": "29.7.0",
+    "jest-when": "3.6.0",
+    "lockfile-lint": "4.12.1",
+    "ls-engines": "0.9.1",
+    "nock": "13.4.0",
+    "nodemon": "3.0.2",
+    "npm-run-all2": "6.1.1",
+    "prettier-standard": "16.4.1",
+    "smee-client": "2.0.0",
+    "standard": "17.1.0"
+  },
+  "standard": {
+    "env": [
+      "jest"
+    ]
+  },
+  "engines": {
+    "node": ">=16"
+  },
+  "jest": {
+    "testEnvironment": "node"
+  },
+  "nodemonConfig": {
+    "exec": "npm start",
+    "watch": [
+      ".env",
+      "."
+    ]
+  },
+  "files": [
+    "index.js",
+    "lib/"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  }
+}