feat(template): add task setup:github for idempotent repo settings#86

Merged
evanharmon1 merged 2 commits into
mainfrom
feat/task-setup-github
Jun 23, 2026
Conversation

@evanharmon1

Owner

Summary

The post-generation GitHub setup (CHECKLIST §2) was entirely manual. This adds a
task setup:github target to the generated Taskfile that applies the
fully idempotent, no-credential settings via gh — safe to re-run:

  • enable Dependabot alerts (PUT repos/$R/vulnerability-alerts)
  • enable private vulnerability reporting (PUT .../private-vulnerability-reporting)
  • set the FULL_SECURITY_SCAN variable (CodeQL)
  • (org repos only) add the <user>-bot account as a Write collaborator

```yaml
setup:github:
  vars:
    REPO: "[[ github_org ]]/[[ project_slug ]]"
  cmds:
    - gh api "repos/{{.REPO}}/vulnerability-alerts" --method PUT
    - gh api "repos/{{.REPO}}/private-vulnerability-reporting" --method PUT
    - gh variable set FULL_SECURITY_SCAN --repo "{{.REPO}}" --body true
[% if github_org != author_git_provider_username %]
    - gh api "repos/{{.REPO}}/collaborators/[[ author_git_provider_username ]]-bot" --method PUT -f permission=push
[% endif %]
```

The collaborator step is jinja-gated to org repos (mirroring the CHECKLIST's
existing github_org != author_git_provider_username gate), so a personal repo's
rendered task omits it.

Deliberately left manual

Anything needing a browser OAuth consent (Renovate / CodeRabbit app installs,
GHCR publishing policy, CI GitHub App creation) or a real credential
(CLAUDE_CODE_OAUTH_TOKEN, SNYK_TOKEN, CI_APP_*, Project V2). The branch
ruleset import
also stays manual — its POST /rulesets isn't idempotent (a guard
keyed on the ruleset name would be needed); I added an ordering note instead.

CHECKLIST §2 now leads with task setup:github and drops the three folded bullets
(Advanced Security, FULL_SECURITY_SCAN, bot collaborator).

Test plan

  • task test:template:all passes (all 5 profiles). ✅
  • Org render (github_org=someorg): REPO=someorg/..., collaborator line + "bot
    collaborator" in the desc present; task --list-all parses it. ✅
  • Personal render (default org): no collaborator line (0 matches), desc without
    "bot collaborator". ✅
  • Rendered docs/CHECKLIST.md §2 reads correctly with no leaked jinja markers. ✅

Context

Third in the series surfaced while applying the template to sommerlawn-infra
(after #84 markdownlint fixes and harmon-devkit#22). Scope was confirmed with the
maintainer: only the four fully-idempotent operations, nothing requiring guards,
credentials, or a browser.

🤖 Generated with Claude Code
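As an added example (not the template's Taskfile and not the author's code): the same four settings expressed as a plan of `gh` argv lists with the org-only gate, plus the name-keyed guard the description says the manual `POST /rulesets` step would need before it could be scripted idempotently. Assumed: `gh` is on PATH for the real runner; the `plan_setup`, `ruleset_needs_create`, `apply` and `dry_run` names and the sample ruleset JSON are mine.

```python
import json
import subprocess


def gh(args):
    """Run a real gh command and return its stdout."""
    return subprocess.run(["gh", *args], check=True, capture_output=True, text=True).stdout


def plan_setup(repo, github_org, username):
    """The fully idempotent settings from the PR as gh argv lists; the collaborator
    step is only added for org repos, mirroring the github_org != username gate."""
    cmds = [
        ["api", f"repos/{repo}/vulnerability-alerts", "--method", "PUT"],
        ["api", f"repos/{repo}/private-vulnerability-reporting", "--method", "PUT"],
        ["variable", "set", "FULL_SECURITY_SCAN", "--repo", repo, "--body", "true"],
    ]
    if github_org != username:
        cmds.append(["api", f"repos/{repo}/collaborators/{username}-bot",
                     "--method", "PUT", "-f", "permission=push"])
    return cmds


def ruleset_needs_create(existing_json, name):
    """Name-keyed guard: POST /rulesets is not idempotent, so create only when
    GET repos/{repo}/rulesets lists no ruleset with this name."""
    return not any(r.get("name") == name for r in json.loads(existing_json))


# Constructed sample of a GET .../rulesets response, for offline use.
SAMPLE_RULESETS = json.dumps([{"id": 1, "name": "main-protection"}])


def dry_run(cmd):
    """Side-effect-free runner: answers the rulesets GET with the sample, else ''."""
    return SAMPLE_RULESETS if cmd[1].endswith("/rulesets") and "--method" not in cmd else ""


def apply(repo, github_org, username, ruleset_name, ruleset_file, run=gh):
    """Apply the plan and return the commands actually issued (audit trail)."""
    executed = []
    for cmd in plan_setup(repo, github_org, username):
        run(cmd)
        executed.append(cmd)
    if ruleset_needs_create(run(["api", f"repos/{repo}/rulesets"]), ruleset_name):
        post = ["api", f"repos/{repo}/rulesets", "--method", "POST", "--input", ruleset_file]
        run(post)
        executed.append(post)
    return executed
```

Re-running `apply` with the same ruleset name issues no second POST, which is the property the PR's manual ruleset step lacks.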

evanharmon1 and others added 2 commits June 23, 2026 14:22
The post-generation GitHub settings were all manual. Add a setup:github task
that applies the fully idempotent, no-credential ones via gh (safe to re-run):

- enable Dependabot alerts (PUT vulnerability-alerts)
- enable private vulnerability reporting (PUT private-vulnerability-reporting)
- set the FULL_SECURITY_SCAN variable (CodeQL)
- (org repos only) add the <user>-bot account as a Write collaborator

REPO is baked from [[ github_org ]]/[[ project_slug ]]; the collaborator step is
jinja-gated to org repos (github_org != author_git_provider_username), mirroring
the CHECKLIST. Steps that need a browser (Renovate/CodeRabbit app installs, GHCR
policy, CI App creation) or a real credential (Actions secrets, Project V2)
deliberately stay manual — wrapping those would just script a credential prompt.

CHECKLIST §2 now leads with `task setup:github` and drops the three folded
bullets (Advanced Security, FULL_SECURITY_SCAN, bot collaborator); the ruleset
import stays manual (its POST isn't idempotent) with an added ordering note.

Verified: task test:template:all passes; org and personal renders produce the
correct conditional cmds/desc and parse via `task --list-all`; rendered CHECKLIST
has no leaked jinja markers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@evanharmon1 evanharmon1 merged commit 88a0940 into main Jun 23, 2026
9 checks passed
@evanharmon1 evanharmon1 deleted the feat/task-setup-github branch June 23, 2026 19:34