https://github.com/cuioss/cuioss-organization

Contains organization specific defaults and documentation

= cuioss Organization Configuration
:toc:
:toc-placement: preamble

image:https://github.com/cuioss/cuioss-organization/actions/workflows/python-verify.yml/badge.svg[Python Verify,link=https://github.com/cuioss/cuioss-organization/actions/workflows/python-verify.yml]

Centralized configuration, workflows, and tooling for all cuioss repositories.

== Overview

This repository contains shared infrastructure for the cuioss organization:

[cols="1,2"]
|===
|Directory |Purpose

|`docs/`
|Documentation (workflows, secrets, releasing, release-bot)

|`branch-protection/`
|Scripts to apply consistent branch protection across repos

|`repo-settings/`
|Scripts to apply consistent repository settings (security, features, merge)

|`.github/workflows/`
|Reusable GitHub Actions workflows
|===

== Related Repository

https://github.com/cuioss/.github[cuioss/.github] - Organization-wide community health files (SECURITY.md, CONTRIBUTING.md, issue templates) that are automatically inherited by all repos.

== Quick Start: Setup a Consumer Repository

The fastest way to onboard a repository is the Claude Code `/setup-consumer-repo` command, which orchestrates all steps automatically:

[source]
----
/setup-consumer-repo cui-java-tools
----

This runs the following commands in sequence:

1. `/verify-org-integration` — Remove repo-level secrets that should be org-level, delete duplicate community health files
2. `/apply-repo-settings` — Apply features, merge options, security settings
3. `/update-github-actions` — Synchronize workflow files from caller templates, update `project.yml`
4. `/apply-branch-protection` — Configure branch protection ruleset with status checks and review requirements

The command then creates a PR, waits for CI, merges, and runs post-merge verification (Scorecard + SonarCloud analysis).

See: link:.claude/commands/setup-consumer-repo.md[setup-consumer-repo Command]

== Manual Setup

If you prefer to run steps individually:

=== 1. Verify Organization Integration

[source,bash]
----
cd repo-settings
./verify-org-integration.py --repo {repo-name} --diff # Preview
./verify-org-integration.py --repo {repo-name} --apply # Apply
----

See: link:repo-settings/README.adoc[Repository Settings Documentation]

=== 2. Apply Repository Settings

[source,bash]
----
cd repo-settings
./setup-repo-settings.py --repo {repo-name} --diff # Preview
./setup-repo-settings.py --repo {repo-name} --apply # Apply
----

=== 3. Update Workflows

Replace inline workflows with reusable workflow callers:

[source,yaml]
----
# In your repo's .github/workflows/maven.yml
jobs:
  build:
    uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-build.yml@9200de84ce6498401852fc244b7fb4d523278f15 # v0.6.4
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      OSS_SONATYPE_USERNAME: ${{ secrets.OSS_SONATYPE_USERNAME }}
      OSS_SONATYPE_PASSWORD: ${{ secrets.OSS_SONATYPE_PASSWORD }}
      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
----

See: link:docs/Workflows.adoc[Workflows Documentation]
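
The caller above pins the reusable workflow to a full commit SHA and keeps the version in a trailing comment. The following check is an added example, not part of the cuioss tooling: it flags `uses:` references that still point at a tag or branch. The `example-org` names and the sample workflow are constructed.

```python
import re

# Matches a `uses:` value in a workflow file: <target>@<ref>, optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return one finding per external `uses:` reference in a workflow file."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target, comment = match.group(1), (match.group(2) or "").strip()
        # Local references resolve inside the same checkout, and docker:// images
        # are pinned by digest rather than by git ref, so neither is checked here.
        if target.startswith(("./", "docker://")):
            continue
        name, sep, ref = target.rpartition("@")
        if not sep:
            status = "no-ref"
            name, ref = target, ""
        elif FULL_SHA_RE.match(ref):
            # A SHA is immutable but unreadable: expect the version in a comment.
            status = "pinned" if comment else "pinned-no-version-comment"
        else:
            status = "mutable-ref"  # tag or branch: can be moved to other code
        findings.append({"line": lineno, "target": name, "ref": ref,
                         "comment": comment, "status": status})
    return findings

# Constructed sample: the caller from this README next to two mutable references.
SAMPLE = """\
jobs:
  build:
    uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-build.yml@9200de84ce6498401852fc244b7fb4d523278f15 # v0.6.4
  lint:
    uses: example-org/example-repo/.github/workflows/lint.yml@main
  test:
    steps:
      - uses: example-org/example-action@v1
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for item in audit_uses(SAMPLE):
        print(f"line {item['line']}: {item['status']:<26} {item['target']}@{item['ref']} {item['comment']}")
```

Run over every file in `.github/workflows/`, any `mutable-ref` or `no-ref` finding marks a reference whose code can change without a commit in the consumer repository.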

=== 4. Apply Branch Protection

[source,bash]
----
cd branch-protection
./setup-branch-protection.py --repo {repo-name} --diff # Preview
./setup-branch-protection.py --repo {repo-name} --apply # Apply
----

See: link:branch-protection/README.adoc[Branch Protection Documentation]

=== 5. Release Bot Setup

The `cuioss-release-bot` GitHub App enables release workflows to bypass branch protection.

See: link:docs/cuioss-release-bot.adoc[cuioss-release-bot Documentation]

=== 6. Releasing Workflow Updates

When you update the reusable workflows, create a new release:

[source,bash]
----
# Update version in .github/project.yml, then:
gh workflow run release.yml
gh run watch
git pull # Get the SHA-updated examples
----

See: link:docs/Releasing.adoc[Releasing Documentation]

== Secrets Management

=== Organization-Level Secrets (Shared)

Set once at: `https://github.com/organizations/cuioss/settings/secrets/actions`

[cols="1,2"]
|===
|Secret |Purpose

|`RELEASE_APP_ID`
|cuioss-release-bot App ID

|`RELEASE_APP_PRIVATE_KEY`
|cuioss-release-bot private key

|`OSS_SONATYPE_USERNAME`
|Maven Central deployment

|`OSS_SONATYPE_PASSWORD`
|Maven Central deployment

|`GPG_PRIVATE_KEY`
|Artifact signing

|`GPG_PASSPHRASE`
|Artifact signing

|`SONAR_TOKEN`
|SonarCloud analysis
|===

See: link:docs/Secrets.adoc[Secrets Documentation] for details and migration guide.

== Repository Checklist

For each repository in the organization, run `/setup-consumer-repo {repo-name}` which covers:

* [ ] Verify no org-level secrets are duplicated at repo level
* [ ] Remove duplicate community health files inherited from `cuioss/.github`
* [ ] Apply standard repository settings (security, features, merge options)
* [ ] Replace workflows with reusable workflow callers from `docs/workflow-examples/`
* [ ] Ensure `.github/project.yml` exists with release metadata
* [ ] Apply branch protection ruleset (includes cuioss-release-bot bypass)
* [ ] Verify Scorecard and SonarCloud analysis after merge