feat(org-config): wire add-to-project into org-sync #9
Note Merging this PR: this repository merges by fast-forward so every The branch must be up to date with

/auto-merge

Note Auto-merge armed. Once this PR is approved and every required check Remove the

Cannot

Add a `workflows-sync` command that fans repo-config/workflows/*.yaml out to .github/workflows/ in every non-archived org repo via the Contents API — upsert only (never deletes), idempotent (skips byte-identical files), with a Signed-off-by trailer. In the same pass it links the shared Roadmap project onto each repo with `gh project link` (skipping repos already linked) so the board also shows on the repo's Projects tab, and backfills each repo's existing issues into the project with `gh project item-add` (ISSUE_STATE, default open; dedupes) so the board catches up on work opened before the workflow existed.

Ship the canonical add-to-project caller it distributes: on `issues: opened` it calls the reusable github-workflows add-to-project workflow, adding the issue to the shared org Roadmap project so every repo's issues collect in one board.

A Contents-API commit is unsigned (GitHub web-flow-signs only web-UI and GitHub App commits, not OAuth-token API writes), so pushing the caller to a public repo's protected default branch requires an org owner to bypass required_signatures and code_scanning; add OrganizationAdmin to the bypass_actors of public-release-branch-security and public-code-quality (pull_request is already bypassed) and apply with `org-config.sh import`.

Closes bitwise-media-group#6

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>

…ject

The caller only triggered on `issues: [opened]`, so opened PRs never landed on the shared org Roadmap board. Add a `pull_request_target: [opened]` trigger.

pull_request_target (not pull_request) so PRs opened from forks are captured too — a fork's pull_request event runs without secrets, which would fail the App-token mint. Safe here because the reusable workflow never checks out PR code; it only adds the item to the board.

Existing repos keep the old trigger until the next `org-config.sh workflows-sync` re-pushes this caller; this fixes the canonical template so future syncs and newly created repos get it.

Also add the standard `Copyright` / `SPDX-License-Identifier: MIT` header to the caller template, matching the org's reusable workflow files.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>

eeeb99f to dab16c9

Cannot

Fast-forwarded dab16c9 into bitwise-media-group:main

Add a `workflows-sync` command that fans repo-config/workflows/*.yaml out to .github/workflows/ in every non-archived org repo via the Contents API — upsert only (never deletes), idempotent (skips byte-identical files), with a Signed-off-by trailer. In the same pass it links the shared Roadmap project onto each repo with `gh project link` (skipping repos already linked) so the board also shows on the repo's Projects tab, and backfills each repo's existing issues into the project with `gh project item-add` (ISSUE_STATE, default open; dedupes) so the board catches up on work opened before the workflow existed.

Ship the canonical add-to-project caller it distributes: on `issues: opened` it calls the reusable github-workflows add-to-project workflow, adding the issue to the shared org Roadmap project so every repo's issues collect in one board.

A Contents-API commit is unsigned (GitHub web-flow-signs only web-UI and GitHub App commits, not OAuth-token API writes), so pushing the caller to a public repo's protected default branch requires an org owner to bypass required_signatures and code_scanning; add OrganizationAdmin to the bypass_actors of public-release-branch-security and public-code-quality (pull_request is already bypassed) and apply with `org-config.sh import`.

Closes #6
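
The second commit message rests the `pull_request_target` trigger on the reusable workflow never checking out PR code. The following is an added example, not part of this PR or the org's tooling: a grep-based lint that tests one workflow file for that condition and lists the reusable workflows it calls. The `example-org/...` path, the `@main` ref and both sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example: heuristic lint, not the PR's code. A pass means "nothing obvious
# in this file", so the listed reusable workflows still need the same review.

# Expressions that resolve to PR-controlled code (constructed pattern list).
HEAD_RE='github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/'

# audit_workflow FILE: prints findings; returns 1 if risky, 0 otherwise.
audit_workflow() {
  body=$(sed '/^[[:space:]]*#/d' "$1")            # ignore full-line comments
  if ! printf '%s\n' "$body" | grep -q 'pull_request_target'; then
    echo "ok: $1 is not triggered by pull_request_target"; return 0
  fi
  if printf '%s\n' "$body" | grep -Eq 'uses:[[:space:]]*actions/checkout' &&
     printf '%s\n' "$body" | grep -Eq "$HEAD_RE"; then
    echo "RISK: $1 checks out PR head code under pull_request_target"; return 1
  fi
  # A reusable workflow runs in the caller's event context: list it for review.
  printf '%s\n' "$body" |
    grep -Eo 'uses:[[:space:]]*[^[:space:]]+/\.github/workflows/[^[:space:]]+' |
    sed 's/^uses:[[:space:]]*/review callee: /'
  echo "ok: $1 has no PR-head checkout"; return 0
}

# Constructed samples: a caller shaped like the one described, and an unsafe job.
tmp=$(mktemp -d)
cat >"$tmp/caller.yaml" <<'EOF'
on:
  issues: { types: [opened] }
  pull_request_target: { types: [opened] }
jobs:
  add:
    uses: example-org/github-workflows/.github/workflows/add-to-project.yaml@main
EOF
cat >"$tmp/unsafe.yaml" <<'EOF'
on:
  pull_request_target: { types: [opened] }
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { ref: "${{ github.event.pull_request.head.sha }}" }
      - run: make test
EOF
audit_workflow "$tmp/caller.yaml"
audit_workflow "$tmp/unsafe.yaml" || true
```

Because the check is textual, it misses a head ref assembled indirectly, so each workflow reported as `review callee` should be audited the same way.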