diff --git a/definitions/default/client.tf b/definitions/default/client.tf index 13435ba..8af0c94 100644 --- a/definitions/default/client.tf +++ b/definitions/default/client.tf @@ -93,6 +93,12 @@ locals { required = true always_overwrite = false }, + { + name = "renovate.json" + description = "Renovate dependency management configuration" + required = true + always_overwrite = false + }, ] // NOTE: Client sites do NOT have updates.xml — they are not installable extensions @@ -199,6 +205,18 @@ locals { required = true always_overwrite = true }, + { + name = "cascade-dev.yml" + description = "Forward-merge main to all open branches (dev, rc/*, beta/*, alpha/*) on push to main" + required = true + always_overwrite = true + }, + { + name = "gitleaks.yml" + description = "Secret scanning — detect leaked credentials, API keys, and tokens using Gitleaks" + required = true + always_overwrite = true + }, ] }, ] diff --git a/definitions/default/default-repository.json b/definitions/default/default-repository.json index 9407d58..739f1ab 100644 --- a/definitions/default/default-repository.json +++ b/definitions/default/default-repository.json @@ -86,6 +86,15 @@ "description": "Build automation", "requirementStatus": "suggested", "audience": "developer" + }, + { + "name": "renovate.json", + "extension": "json", + "description": "Renovate dependency management configuration", + "requirementStatus": "required", + "alwaysOverwrite": false, + "audience": "developer", + "template": "templates/configs/renovate.json" } ], "directories": [ @@ -158,7 +167,9 @@ "branch-freeze.yml", "changelog-validation.yml", "repository-cleanup.yml", - "sync-version-on-merge.yml" + "sync-version-on-merge.yml", + "cascade-dev.yml", + "gitleaks.yml" ] } ] diff --git a/definitions/default/dolibarr.tf b/definitions/default/dolibarr.tf index c560824..f610b2c 100644 --- a/definitions/default/dolibarr.tf +++ b/definitions/default/dolibarr.tf 
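Review bot: The `gitleaks.yml` entry in the client.tf workflow list (the `@@ -199` hunk) describes what the scan detects but not what a finding means operationally, and since this description is what gets stamped into every client repository it is the one place a developer will read. A detected secret is already in history and must be treated as compromised; deleting or amending the commit does not undo the exposure. Suggest extending the description to `"Secret scanning — detect leaked credentials, API keys, and tokens using Gitleaks; any finding means the credential must be rotated, not just removed from the commit"`. Whether the workflow fails the run or only reports is not visible here (the template is not part of this diff), so the description should also say which.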
@@ -185,6 +185,15 @@ EOT protected = true audience = "all" template = "templates/docs/required/GOVERNANCE.md" + }, + { + name = "renovate.json" + extension = "json" + description = "Renovate dependency management configuration" + required = true + always_overwrite = false + audience = "developer" + template = "templates/configs/renovate.json" } ] @@ -1093,6 +1102,22 @@ EOT requirement_status = "required" always_overwrite = true template = "templates/workflows/dolibarr/repo_health.yml.template" + }, + { + name = "cascade-dev.yml" + extension = "yml" + description = "Forward-merge main to all open branches (dev, rc/*, beta/*, alpha/*) on push to main" + requirement_status = "required" + always_overwrite = true + template = "workflows/cascade-dev.yml" + }, + { + name = "gitleaks.yml" + extension = "yml" + description = "Secret scanning — detect leaked credentials, API keys, and tokens using Gitleaks" + requirement_status = "required" + always_overwrite = true + template = "workflows/gitleaks.yml" } ] }, diff --git a/definitions/default/generic.tf b/definitions/default/generic.tf index 6e2a533..b91084f 100644 --- a/definitions/default/generic.tf +++ b/definitions/default/generic.tf @@ -193,6 +193,15 @@ locals { always_overwrite = false audience = "developer" template = "templates/configs/composer.generic.json" + }, + { + name = "renovate.json" + extension = "json" + description = "Renovate dependency management configuration" + requirement_status = "required" + always_overwrite = false + audience = "developer" + template = "templates/configs/renovate.json" } ] 
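Review bot: The `renovate.json` entries added here (dolibarr.tf `@@ -185` and generic.tf `@@ -193`) are `required = true` but `always_overwrite = false`, so a repository that already has its own `renovate.json` keeps it untouched — including any `automerge` or package-rule settings the template would not permit. If `templates/configs/renovate.json` is meant as a dependency-update policy floor rather than a one-time starter file, that combination lets existing repos drift from it silently; either set `always_overwrite = true` or have the compliance check validate the file's content, not just its presence. The template itself is not in this diff, so I cannot tell whether it enables automerge; worth confirming, since with the branch rules introduced later in this same commit (no required approvals, no required status checks) an automerged Renovate PR would land on `main` with no human in the loop.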
@@ -443,6 +452,22 @@ locals { requirement_status = "required" always_overwrite = true template = "templates/workflows/shared/auto-dev-issue.yml.template" + }, + { + name = "cascade-dev.yml" + extension = "yml" + description = "Forward-merge main to all open branches (dev, rc/*, beta/*, alpha/*) on push to main" + requirement_status = "required" + always_overwrite = true + template = "workflows/cascade-dev.yml" + }, + { + name = "gitleaks.yml" + extension = "yml" + description = "Secret scanning — detect leaked credentials, API keys, and tokens using Gitleaks" + requirement_status = "required" + always_overwrite = true + template = "workflows/gitleaks.yml" } ] }, 
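Review bot: The `cascade-dev.yml` entry is described as forward-merging `main` into every `dev`/`rc/*`/`beta/*`/`alpha/*` branch "on push to main", which fans a bad commit out to every release branch before the `gitleaks.yml` workflow added right beneath it can report on it; a leaked secret or broken commit then has to be remediated in five places instead of one. If the template triggers on `push` (not visible here), consider gating it on the scan instead, e.g. a `workflow_run` trigger on the Gitleaks workflow with a `conclusion == 'success'` check, and say so in the description. Note also that these target branches have `require_pull_request = false` in this same file, so whatever token the cascade workflow pushes with is an unreviewed write path to every release branch; it should carry only `permissions: contents: write` and nothing broader — the template is outside this diff, so please confirm.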
@@ -580,24 +605,46 @@ locals { { branch_pattern = "main" require_pull_request = true - required_approvals = 1 - require_code_owner_review = false + required_approvals = 0 dismiss_stale_reviews = true - require_status_checks = true - required_status_checks = ["ci", "code-quality"] - enforce_admins = false + block_on_rejected_reviews = true restrict_pushes = true + push_whitelist = ["jmiller"] + enable_force_push = true + force_push_whitelist = ["jmiller"] + enforce_admins = false }, { - branch_pattern = "master" - require_pull_request = true - required_approvals = 1 - require_code_owner_review = false - dismiss_stale_reviews = true - require_status_checks = true - required_status_checks = ["ci"] - enforce_admins = false - restrict_pushes = true + branch_pattern = "dev" + require_pull_request = false + required_approvals = 0 + restrict_pushes = false + enable_force_push = true + force_push_whitelist = ["jmiller"] + }, + { + branch_pattern = "rc/*" + require_pull_request = false + required_approvals = 0 + restrict_pushes = false + enable_force_push = true + force_push_whitelist = ["jmiller"] + }, + { + branch_pattern = "beta/*" + require_pull_request = false + required_approvals = 0 + restrict_pushes = false + enable_force_push = true + force_push_whitelist = ["jmiller"] + }, + { + branch_pattern = "alpha/*" + require_pull_request = false + required_approvals = 0 + restrict_pushes = false + enable_force_push = true + force_push_whitelist = ["jmiller"] } ] diff --git a/definitions/default/joomla.tf b/definitions/default/joomla.tf index 0a22e9b..5113317 100644 --- a/definitions/default/joomla.tf +++ b/definitions/default/joomla.tf 
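Review bot: The new `main` rule removes `require_status_checks` / `required_status_checks = ["ci", "code-quality"]` and lowers `required_approvals` from 1 to 0, so no job — not CI, and not the `gitleaks.yml` workflow this same commit makes `required` — can block a merge, and a PR author can merge their own change; `block_on_rejected_reviews` only bites if someone volunteers a review. It also turns on `enable_force_push` for `main` while keeping `enforce_admins = false`, so the protected branch's history can be rewritten, and it hard-codes one personal account (`"jmiller"`) into `push_whitelist` and `force_push_whitelist` of the shared `generic.tf` defaults, which is both an offboarding risk and a single point of compromise. Keep the previous gates and make the secret scan one of them (the context string must match the job name in `gitleaks.yml`, which is not in this diff), and replace the personal account with a team or an input variable.

```hcl
{
  branch_pattern            = "main"
  require_pull_request      = true
  required_approvals        = 1
  dismiss_stale_reviews     = true
  block_on_rejected_reviews = true
  require_status_checks     = true
  # "gitleaks" must equal the job/check name the gitleaks.yml template reports
  required_status_checks    = ["ci", "code-quality", "gitleaks"]
  restrict_pushes           = true
  # TODO: replace the personal account with a team; a single user is a single point of compromise
  push_whitelist            = ["jmiller"]
  enable_force_push         = false
  enforce_admins            = false
},
# … unchanged: dev, rc/*, beta/*, alpha/* rules …
```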
@@ -239,6 +239,15 @@ locals { protected = true audience = "all" template = "templates/docs/required/GOVERNANCE.md" + }, + { + name = "renovate.json" + extension = "json" + description = "Renovate dependency management configuration" + required = true + always_overwrite = false + audience = "developer" + template = "templates/configs/renovate.json" } ] @@ -1114,6 +1123,22 @@ locals { requirement_status = "required" always_overwrite = true template = "workflows/cleanup.yml" + }, + { + name = "cascade-dev.yml" + extension = "yml" + description = "Forward-merge main to all open branches (dev, rc/*, beta/*, alpha/*) on push to main" + requirement_status = "required" + always_overwrite = true + template = "workflows/cascade-dev.yml" + }, + { + name = "gitleaks.yml" + extension = "yml" + description = "Secret scanning — detect leaked credentials, API keys, and tokens using Gitleaks" + requirement_status = "required" + always_overwrite = true + template = "workflows/gitleaks.yml" } ] }, diff --git a/definitions/default/platform.tf b/definitions/default/platform.tf index 8212f00..cd32b2d 100644 --- a/definitions/default/platform.tf +++ b/definitions/default/platform.tf @@ -91,6 +91,15 @@ locals { always_overwrite = false template = "managed-by-sync" source_type = "programmatic" + }, + { + name = "renovate.json" + extension = "json" + description = "Renovate dependency management configuration" + required = true + always_overwrite = false + audience = "developer" + template = "templates/configs/renovate.json" } ] 
@@ -219,6 +228,22 @@ locals { requirement_status = "required" always_overwrite = true template = "templates/workflows/dolibarr/repo_health.yml.template" + }, + { + name = "cascade-dev.yml" + extension = "yml" + description = "Forward-merge main to all open branches (dev, rc/*, beta/*, alpha/*) on push to main" + requirement_status = "required" + always_overwrite = true + template = "workflows/cascade-dev.yml" + }, + { + name = "gitleaks.yml" + extension = "yml" + description = "Secret scanning — detect leaked credentials, API keys, and tokens using Gitleaks" + requirement_status = "required" + always_overwrite = true + template = "workflows/gitleaks.yml" } ] }, diff --git a/definitions/default/standards.tf b/definitions/default/standards.tf index cd4732a..5b51f46 100644 --- a/definitions/default/standards.tf +++ b/definitions/default/standards.tf @@ -207,6 +207,15 @@ locals { audience = "developer" template = "managed-by-sync" source_type = "programmatic" + }, + { + name = "renovate.json" + extension = "json" + description = "Renovate dependency management configuration" + required = true + always_overwrite = false + audience = "developer" + template = "templates/configs/renovate.json" } ] @@ -497,6 +506,22 @@ locals { requirement_status = "required" always_overwrite = true template = "templates/workflows/shared/auto-dev-issue.yml.template" + }, + { + name = "cascade-dev.yml" + extension = "yml" + description = "Forward-merge main to all open branches (dev, rc/*, beta/*, alpha/*) on push to main" + requirement_status = "required" + always_overwrite = true + template = "workflows/cascade-dev.yml" + }, + { + name = "gitleaks.yml" + extension = "yml" + description = "Secret scanning — detect leaked credentials, API keys, and tokens using Gitleaks" + requirement_status = "required" + always_overwrite = true + template = "workflows/gitleaks.yml" } ] }, 
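Review bot: The new workflow entries use `template = "workflows/cascade-dev.yml"` and `"workflows/gitleaks.yml"`, while the existing entry in the same list uses `templates/workflows/dolibarr/repo_health.yml.template` (platform.tf) and `templates/workflows/shared/auto-dev-issue.yml.template` (standards.tf) — no `templates/` prefix and no `.template` suffix on the new ones. joomla.tf's existing `workflows/cleanup.yml` shows the short form does exist elsewhere, so both may resolve, but mixing two conventions in one list suggests two different lookup roots; if the sync resolves the short form relative to a different directory than the long form, the `required`, `always_overwrite = true` secret-scanning workflow would never actually land. Please confirm the resolution rule, and align on one form per list, e.g. `template = "templates/workflows/shared/gitleaks.yml.template"` if that is the root the sync uses.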
@@ -668,20 +693,52 @@ locals { } ] - branch_protections = { - main = { - required_status_checks = { - strict = true - contexts = ["standards-compliance", "code-quality"] - } - enforce_admins = false - required_pull_request_reviews = { - dismiss_stale_reviews = true - require_code_owner_reviews = true - required_approving_review_count = 1 - } + branch_protections = [ + { + branch_pattern = "main" + require_pull_request = true + required_approvals = 0 + dismiss_stale_reviews = true + block_on_rejected_reviews = true + restrict_pushes = true + push_whitelist = ["jmiller"] + enable_force_push = true + force_push_whitelist = ["jmiller"] + enforce_admins = false + }, + { + branch_pattern = "dev" + require_pull_request = false + required_approvals = 0 + restrict_pushes = false + enable_force_push = true + force_push_whitelist = ["jmiller"] + }, + { + branch_pattern = "rc/*" + require_pull_request = false + required_approvals = 0 + restrict_pushes = false + enable_force_push = true + force_push_whitelist = ["jmiller"] + }, + { + branch_pattern = "beta/*" + require_pull_request = false + required_approvals = 0 + restrict_pushes = false + enable_force_push = true + force_push_whitelist = ["jmiller"] + }, + { + branch_pattern = "alpha/*" + require_pull_request = false + required_approvals = 0 + restrict_pushes = false + enable_force_push = true + force_push_whitelist = ["jmiller"] } - } + ] repository_settings = { has_issues = true
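Review bot: Beyond the loss of required approvals and status checks, this rewrite of standards.tf's `main` protection drops `require_code_owner_reviews = true`, `strict = true` (branch must be up to date before merge) and the `standards-compliance` context that the old map enforced, and adds force-push for one personal account — on the repository whose templates other repos receive with `always_overwrite = true`. If, as the file and the `managed-by-sync` markers suggest, this is the source the sync fans out from, a rewritten `main` here is rewritten everywhere downstream, so this branch deserves the strongest rule in the set rather than the same relaxed one as `generic.tf`. At minimum keep `require_status_checks = true` with `required_status_checks = ["standards-compliance", "code-quality"]`, `required_approvals = 1` and `enable_force_push = false`; consider `enforce_admins = true` here as well. The shape also changed from a `main = { … }` map to a list of `{ branch_pattern = … }` objects — if the consumer of `branch_protections` was written for the map form, that needs to change in the same commit, which this diff does not show.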