Conversation

@a5chin (Owner) commented Jan 30, 2026

User description

Type of Change

  • Hotfix
  • Bug Fix
  • Dependency Update
  • Feature
  • Refactor
  • CI/CD
  • Documentation

Related Issues

Breaking Changes

  • No breaking changes
  • API signature changed
  • Configuration changed
  • Behavior changed
  • Dependencies changed
  • Features removed

Checklist

  • Dependencies added/updated
  • New environment variables
  • Performance impact assessed
  • Security implications reviewed
  • Deployment notes

Additional Context


PR Type

Enhancement


Description

  • Implement setting.yml for repository configuration.

  • Automate branch protection rules from protection.json.

  • Enable auto-delete head branches on merge.

  • Add approve.yml for bot pull request auto-approval.


Diagram Walkthrough

flowchart LR
  A["PR to setting.yml/protection.json"]
  B["Scheduled Event"]
  C["Manual Dispatch"]
  D["Repository Settings Workflow (.github/workflows/setting.yml)"]
  E["Delete Branch Job"]
  F["Set GitHub Pages Job"]
  G["Apply Branch Protection Job"]
  H[".github/protection.json"]
  I["Bot PR Opened"]
  J["Approver Workflow (.github/workflows/approve.yml)"]
  K["Approve PR"]

  A -- "Triggers" --> D
  B -- "Triggers" --> D
  C -- "Triggers" --> D
  D -- "Runs Job" --> E
  D -- "Runs Job" --> F
  D -- "Runs Job" --> G
  G -- "Reads Config" --> H
  I -- "Triggers" --> J
  J -- "Executes" --> K

File Walkthrough

Relevant files

Configuration changes (4 files)

  • CODEOWNERS: Remove `.github/` directory from code ownership (+0/-1)
  • protection.json: Add configuration for branch protection rules (+25/-0)
  • gh-deploy.yml: Add manual `workflow_dispatch` trigger (+1/-0)
  • .sqlfluffignore: Add `target/` directory to SQLFluff ignore list (+1/-0)

Enhancement (3 files)

  • approve.yml: Add workflow to auto-approve pull requests from bots (+18/-0)
  • setting.yml: Add workflow for automated repository settings and branch protection (+88/-0)
  • test.yml: Update coverage job to use GitHub App token for checkout (+9/-0)

a5chin self-assigned this Jan 30, 2026

@a5chin (Owner, Author) commented Jan 30, 2026

/review

@github-actions (Contributor) commented
PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 Security concerns

Sensitive information exposure:
The actions/create-github-app-token@v2 action, as used in this PR, does not specify explicit permissions. By default, it will request all permissions available to the GitHub App. This creates a security risk as the generated token will have overly broad privileges. If this token were to be compromised, it could allow an attacker to perform actions beyond what is necessary for the workflow, potentially leading to unauthorized repository modifications or data exposure. It is recommended to explicitly define the minimum required permissions for each job's token.

⚡ Recommended focus areas for review

Token Permissions

The GitHub App token generated by actions/create-github-app-token@v2 should specify the minimum required permissions for each job. Currently, it appears to request all available permissions for the app, which violates the principle of least privilege and could pose a security risk if the token is compromised.

uses: actions/create-github-app-token@v2
with:
  app-id: ${{ vars.APP_ID }}
  private-key: ${{ secrets.APP_KEY }}
Error Handling

In the pages job, the gh api -X POST command uses --silent. If this command fails for reasons other than the page already existing (e.g., a permission error or malformed request), the error message will be suppressed, potentially masking underlying issues before the PUT attempt.

gh api -X POST "repos/${{ github.repository }}/pages" \
  -f "source[branch]=${{ env.BRANCH }}" \
  -f "source[path]=${{ env.TARGET_PATH }}" --silent \
|| \
gh api -X PUT "repos/${{ github.repository }}/pages" \
  -f "source[branch]=${{ env.BRANCH }}" \
  -f "source[path]=${{ env.TARGET_PATH }}"
Temporary File Naming

In the protection job, the temporary file for branch protection rules is named $BRANCH_protection.json. If a branch name contains characters invalid for a filename (e.g., /), this could lead to unexpected behavior or errors. Consider using a more robust method for temporary file creation or a fixed, unique temporary filename.

jq -c ".\"$BRANCH\"" "$CONFIG_FILE" > "$BRANCH_protection.json"
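
The three points the review bot raises (token scope, the masked POST error, and the temporary file name) can all be addressed in the workflow itself. The following is an added illustration and not the PR's own setting.yml: it uses the `permission-*` and `repositories` inputs of actions/create-github-app-token@v2 to scope each job's token, decides create-versus-update for Pages with a GET instead of a silenced POST, and writes the per-branch protection payload to a `mktemp` file. Note that in a POSIX shell `"$BRANCH_protection.json"` is parsed as `"${BRANCH_protection}.json"` (underscore is a valid identifier character), so the PR's file name expands to `.json` regardless of the branch; `mktemp` sidesteps both that and branch names containing `/`. The job names, the `gh-pages` branch, the `TARGET_PATH` value and the assumption that protection.json has one top-level key per branch are illustrative.

```yaml
# Added example, not the PR's .github/workflows/setting.yml.
# Assumptions: the App is referenced as vars.APP_ID / secrets.APP_KEY as in the
# PR; protection.json is keyed by branch name at its top level; job names,
# the gh-pages branch and TARGET_PATH are placeholders.
name: Repository settings (hardened example)

on:
  workflow_dispatch:
  push:
    branches: [main]
    paths:
      - .github/protection.json
      - .github/workflows/setting.yml

jobs:
  protection:
    runs-on: ubuntu-latest
    steps:
      # Weak (as reviewed): no permission-* inputs, so the token carries every
      # permission granted to the App installation.
      #
      #   - uses: actions/create-github-app-token@v2
      #     with:
      #       app-id: ${{ vars.APP_ID }}
      #       private-key: ${{ secrets.APP_KEY }}
      #
      # Hardened: limit the token to this repository and to the one permission
      # the job needs. Branch protection is the "Administration" permission.
      - id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_KEY }}
          repositories: ${{ github.event.repository.name }}
          permission-administration: write

      - uses: actions/checkout@v4
        with:
          sparse-checkout: .github/protection.json

      - name: Apply branch protection for every branch listed in protection.json
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          CONFIG_FILE: .github/protection.json
        run: |
          set -euo pipefail
          # One mktemp file per branch: a name such as release/1.2 cannot turn
          # into a nested path, and there is no "$BRANCH_protection" expansion.
          for BRANCH in $(jq -r 'keys[]' "$CONFIG_FILE"); do
            tmp="$(mktemp)"
            jq -c --arg b "$BRANCH" '.[$b]' "$CONFIG_FILE" > "$tmp"
            gh api -X PUT "repos/${{ github.repository }}/branches/$BRANCH/protection" \
              --input "$tmp"
            rm -f "$tmp"
          done

  pages:
    runs-on: ubuntu-latest
    env:
      BRANCH: gh-pages   # assumed values; the PR keeps these in env as well
      TARGET_PATH: /
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_KEY }}
          repositories: ${{ github.event.repository.name }}
          permission-pages: write   # the only permission this job needs

      - name: Create or update the Pages source
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          set -euo pipefail
          # Decide create-vs-update with a GET rather than "POST --silent || PUT",
          # so a POST that fails for another reason (permissions, bad payload)
          # is reported instead of being masked by the fallback PUT.
          if gh api "repos/${{ github.repository }}/pages" --silent 2>/dev/null; then
            method=PUT    # site already exists: update its source
          else
            method=POST   # no site yet: create it
          fi
          gh api -X "$method" "repos/${{ github.repository }}/pages" \
            -f "source[branch]=$BRANCH" \
            -f "source[path]=$TARGET_PATH"
```

With `permission-*` inputs present, the App installation can keep broader permissions for other automation while each job's token is confined to the single API surface it calls; a leaked token from the pages job cannot rewrite branch protection, and vice versa.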

@a5chin (Owner, Author) commented Jan 30, 2026

/improve

@codecov (codecov bot) commented Feb 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (ac1598f) to head (f52ff96).
⚠️ Report is 49 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files


@@            Coverage Diff            @@
##              main      #168   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            9         9           
  Lines          103       103           
  Branches         1         1           
=========================================
  Hits           103       103           
Flag: unittests, Coverage: 100.00% <ø> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

a5chin merged commit a8180da into main Feb 2, 2026
11 checks passed
a5chin deleted the feature/setting branch February 2, 2026 04:05