
Conversation

@a5chin
Owner

@a5chin a5chin commented Jan 30, 2026

User description

Type of Change

  • Hotfix
  • Bug Fix
  • Dependency Update
  • Feature
  • Refactor
  • CI/CD
  • Documentation

Related Issues

Breaking Changes

  • No breaking changes
  • API signature changed
  • Configuration changed
  • Behavior changed
  • Dependencies changed
  • Features removed

Checklist

  • Dependencies added/updated
  • New environment variables
  • Performance impact assessed
  • Security implications reviewed
  • Deployment notes

Additional Context


PR Type

Enhancement


Description

  • Introduce a new workflow for repository settings.

  • Automate branch protection rules from protection.json.

  • Enable auto-deletion of head branches on merge.

  • Configure GitHub Pages source branch and path.


Diagram Walkthrough

flowchart LR
  A[Trigger: PR, Schedule, Dispatch] --> B{setting.yml Workflow};
  B --> C[Job: delete-branch];
  B --> D[Job: pages];
  B --> E[Job: protection];
  C -- "Enables" --> F[Auto-delete Head Branches];
  D -- "Sets" --> G[GitHub Pages Source];
  E -- "Reads" --> H[.github/protection.json];
  E -- "Applies" --> I[Branch Protection Rules];

File Walkthrough

Relevant files

Configuration changes

  CODEOWNERS (.github/CODEOWNERS), +0/-1
  Update CODEOWNERS configuration
    • Removed .github/ from the CODEOWNERS list.

  protection.json (.github/protection.json), +25/-0
  Define branch protection rules for main and gh-pages
    • Added a new file to define branch protection rules.
    • Configured main branch to require 1 approving review and code owner
      reviews.
    • Disabled force pushes and deletions for the main branch.
    • Configured gh-pages branch to allow force pushes.

  .sqlfluffignore (.sqlfluffignore), +1/-0
  Ignore target directory in SQLFluff
    • Added target/ to the ignore list for SQLFluff linting.

Enhancement

  gh-deploy.yml (.github/workflows/gh-deploy.yml), +1/-0
  Add manual trigger for gh-deploy workflow
    • Added workflow_dispatch to allow manual triggering of the workflow.

  setting.yml (.github/workflows/setting.yml), +88/-0
  New workflow for automated repository settings and branch protection
    • Introduced a new workflow for managing repository settings.
    • Configured triggers for pull requests, daily schedule, and manual
      dispatch.
    • Added a job delete-branch to enable auto-deletion of head branches on
      merge.
    • Included a job pages to set the GitHub Pages source branch and path.
    • Implemented a protection job to apply branch protection rules defined
      in .github/protection.json.

@a5chin a5chin self-assigned this Jan 30, 2026
@a5chin
Owner Author

a5chin commented Jan 30, 2026

/review

@github-actions
Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 Security concerns

Sensitive information exposure:
The actions/create-github-app-token@v2 action, as used in this PR, does not specify explicit permissions. By default, it will request all permissions available to the GitHub App. This creates a security risk as the generated token will have overly broad privileges. If this token were to be compromised, it could allow an attacker to perform actions beyond what is necessary for the workflow, potentially leading to unauthorized repository modifications or data exposure. It is recommended to explicitly define the minimum required permissions for each job's token.

⚡ Recommended focus areas for review

Token Permissions

The GitHub App token generated by actions/create-github-app-token@v2 should specify the minimum required permissions for each job. Currently, it appears to request all available permissions for the app, which violates the principle of least privilege and could pose a security risk if the token is compromised.

uses: actions/create-github-app-token@v2
with:
  app-id: ${{ vars.APP_ID }}
  private-key: ${{ secrets.APP_KEY }}
Error Handling

In the pages job, the gh api -X POST command uses --silent. If this command fails for reasons other than the page already existing (e.g., a permission error or malformed request), the error message will be suppressed, potentially masking underlying issues before the PUT attempt.

gh api -X POST "repos/${{ github.repository }}/pages" \
  -f "source[branch]=${{ env.BRANCH }}" \
  -f "source[path]=${{ env.TARGET_PATH }}" --silent \
|| \
gh api -X PUT "repos/${{ github.repository }}/pages" \
  -f "source[branch]=${{ env.BRANCH }}" \
  -f "source[path]=${{ env.TARGET_PATH }}"
Temporary File Naming

In the protection job, the temporary file for branch protection rules is named $BRANCH_protection.json. If a branch name contains characters invalid for a filename (e.g., /), this could lead to unexpected behavior or errors. Consider using a more robust method for temporary file creation or a fixed, unique temporary filename.

jq -c ".\"$BRANCH\"" "$CONFIG_FILE" > "$BRANCH_protection.json"
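
The review points above about the temporary file and the silenced Pages POST can be caught before the workflow ever calls the GitHub API. The following Python script is an added example, not code from this PR or from the reviewer bot. It lints a protection.json of the shape described in the file walkthrough (the sample contents in the script are constructed to match that description, not copied from the PR), builds the per-branch gh api request with the branch percent-encoded in the URL and the body written to a mkstemp file instead of a branch-derived filename, and classifies the result of the Pages POST so that only a 409 Conflict (the documented "site already exists" response) falls through to PUT. OWNER/REPO is a placeholder, and the JSON keys follow the request body of GitHub's update-branch-protection endpoint.

```python
"""Pre-flight checks for a repository-settings workflow (added example)."""
import json
import os
import re
import tempfile
from urllib.parse import quote

# Constructed sample mirroring the walkthrough's description of
# .github/protection.json: main needs one approving review plus code owner
# review and forbids force pushes and deletions; gh-pages may be force-pushed.
SAMPLE_PROTECTION_JSON = json.dumps({
    "main": {
        "required_status_checks": None,
        "enforce_admins": True,
        "required_pull_request_reviews": {
            "required_approving_review_count": 1,
            "require_code_owner_reviews": True,
        },
        "restrictions": None,
        "allow_force_pushes": False,
        "allow_deletions": False,
    },
    "gh-pages": {
        "required_status_checks": None,
        "enforce_admins": False,
        "required_pull_request_reviews": None,
        "restrictions": None,
        "allow_force_pushes": True,
        "allow_deletions": False,
    },
})


def load_sample_config() -> dict:
    """Parse the constructed sample as the workflow would parse the real file."""
    return json.loads(SAMPLE_PROTECTION_JSON)


def validate_branch_name(name: str) -> bool:
    """Conservative subset of git check-ref-format: safe character set, no
    leading/trailing slash, no '..', '//', '@{' and no '.lock' suffix."""
    if not name or name.startswith("/") or name.endswith(("/", ".", ".lock")):
        return False
    if ".." in name or "//" in name or "@{" in name:
        return False
    return re.fullmatch(r"[A-Za-z0-9._/-]+", name) is not None


def lint_protection(config: dict, protected: tuple = ("main",)) -> list:
    """Return findings (empty when acceptable): each protected branch must
    forbid force pushes and deletions and require >= 1 approving review with
    code owner review; every key must be a well-formed branch name."""
    findings = []
    for branch in protected:
        rules = config.get(branch)
        if rules is None:
            findings.append(f"{branch}: no protection rules defined")
            continue
        if rules.get("allow_force_pushes", False):
            findings.append(f"{branch}: force pushes allowed")
        if rules.get("allow_deletions", False):
            findings.append(f"{branch}: deletions allowed")
        reviews = rules.get("required_pull_request_reviews") or {}
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append(f"{branch}: no approving review required")
        if not reviews.get("require_code_owner_reviews", False):
            findings.append(f"{branch}: code owner review not required")
    for branch in config:
        if not validate_branch_name(branch):
            findings.append(f"{branch!r}: not a valid branch name")
    return findings


def build_protection_request(repo: str, branch: str, config: dict) -> tuple:
    """Return (api_path, body_file) for: gh api -X PUT api_path --input body_file.
    The branch is percent-encoded into the URL, so a '/' cannot add path
    segments, and the body goes to a mkstemp file rather than a name derived
    from the branch (the "$BRANCH_protection.json" pattern flagged in review)."""
    if not validate_branch_name(branch):
        raise ValueError(f"refusing unsafe branch name {branch!r}")
    if branch not in config:
        raise KeyError(f"no rules for {branch!r} in config")
    api_path = f"repos/{repo}/branches/{quote(branch, safe='')}/protection"
    fd, body_file = tempfile.mkstemp(prefix="protection-", suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(config[branch], fh)
    return api_path, body_file


def pages_next_step(post_status: int) -> str:
    """Classify the Pages POST instead of letting `--silent || PUT` hide errors:
    201 Created -> done; 409 Conflict (site exists) -> update with PUT;
    anything else (401/403/404/422...) -> fail loudly, no retry."""
    if post_status == 201:
        return "done"
    if post_status == 409:
        return "put"
    raise RuntimeError(f"pages POST returned HTTP {post_status}; not falling back to PUT")


if __name__ == "__main__":
    cfg = load_sample_config()
    print("findings:", lint_protection(cfg) or "none")
    path, body = build_protection_request("OWNER/REPO", "main", cfg)  # placeholder repo
    print("gh api -X PUT", path, "--input", body)
    os.unlink(body)
```

Run it as a step ahead of the gh api calls (saved as, say, check_protection.py, a hypothetical name); a non-empty findings list should fail the job. The token-permission point is a workflow change rather than something this script checks: actions/create-github-app-token@v2 accepts `permission-<name>` inputs (for example `permission-administration: write` for the protection and delete-branch jobs and `permission-pages: write` for the pages job) that restrict the installation token to what each job actually needs.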

@a5chin
Owner Author

a5chin commented Jan 30, 2026

/improve
