dryvist/.github-tofu

.github-tofu

Declarative GitHub repo configuration for the dryvist and JacobPEvans nix-* family, plus the dryvist org-level rulesets. Built with OpenTofu and the integrations/github provider.

What this is

A single source of truth for:

  • Per-repo settings — description, topics, merge methods, signoff, auto-merge, branch-delete-on-merge, security_and_analysis
  • Per-repo all rulesets — signed commits on every branch, for JPE repos (JPE is a user; no org-level rulesets available). Skipped for dryvist repos because the org-level all ruleset already covers them.
  • dryvist org-level rulesets — main (signed, PR, linear history) and all (signed everywhere). Applies to every dryvist repo, current and future.
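The two org-level rulesets above, written out as integrations/github provider resources. This is an added example, not the repo's own org-rulesets.tf: the resource and attribute names follow the provider's github_organization_ruleset schema as I know it (check them against your pinned provider version), and the approving-review count is an assumption, since the page only says "PR".

```hcl
# Added example; not dryvist/.github-tofu's own org-rulesets.tf.
# Assumes the integrations/github provider is configured with owner = "dryvist"
# and a token carrying organization_administration: write.

# "main": signed commits, a pull request, and linear history on every repo's main.
resource "github_organization_ruleset" "main" {
  name        = "main"
  target      = "branch"
  enforcement = "active"

  conditions {
    # ~ALL = every repository in the org, current and future.
    repository_name {
      include = ["~ALL"]
      exclude = []
    }
    ref_name {
      include = ["refs/heads/main"]
      exclude = []
    }
  }

  rules {
    required_signatures     = true # every commit on main must be signed
    required_linear_history = true # no merge commits; squash or rebase only

    pull_request {
      # Assumption: the page does not state a reviewer count; 1 is a common floor.
      required_approving_review_count = 1
      dismiss_stale_reviews_on_push   = true
    }
  }
}

# "all": signed commits on every branch of every dryvist repo.
resource "github_organization_ruleset" "all" {
  name        = "all"
  target      = "branch"
  enforcement = "active"

  conditions {
    repository_name {
      include = ["~ALL"]
      exclude = []
    }
    ref_name {
      include = ["~ALL"] # ~ALL here = every branch
      exclude = []
    }
  }

  rules {
    required_signatures = true
  }
}
```

Because both rulesets target ~ALL repositories, a repo created tomorrow under dryvist is covered the moment it exists, which is why the per-repo all ruleset is skipped for dryvist repos. tofu plan will also surface any ruleset edited by hand in the GitHub UI as drift.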

What is out of scope:

  • Per-repo main rulesets — each repo's required status checks, branch patterns, and copilot settings vary too much (nix-darwin covers develop, nix-home requires CodeQL, nix-devenv has no required checks). Each repo owns its own main ruleset directly in GitHub settings.

What this is not:

  • A label sync tool — labels live in dryvist/.github/.github/labels.yml and propagate via dryvist/.github/.github/workflows/label-sync.yml.
  • A repo bootstrap (file scaffolding) tool — that belongs in a template repo (dryvist/nix-template, future).
  • A secrets sync tool — that's secrets-sync.

Adding or modifying a repo

  1. Add or edit the entry in data/repos.yaml. Fields: owner, description, topics, optional manage_all_ruleset.
  2. direnv allow (one time per worktree)
  3. tofu plan — review the drift
  4. tofu apply

For a brand-new repo, create it first (manually or gh repo create dryvist/<name> --public --license=mit), then add to repos.yaml and apply.
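The wiring behind those steps, as an added example rather than the repo's actual repos.tf and module code: a data/repos.yaml inventory is decoded once, fans out into one module instance per repo, and the per-repo all ruleset is created only when manage_all_ruleset is set. The sample YAML in the comment is constructed, and the module's variable names and the github_repository.this resource name are assumptions.

```hcl
# Added example; not dryvist/.github-tofu's own repos.tf or modules/nix-repo.
#
# Constructed sample of data/repos.yaml (keys and fields as listed in the README):
#   nix-darwin:
#     owner: dryvist
#     description: Declarative macOS via nix-darwin
#     topics: [nix, darwin]
#   nix-home:
#     owner: JacobPEvans
#     description: Home Manager configuration
#     topics: [nix, home-manager]
#     manage_all_ruleset: true   # JPE is a user: no org ruleset covers this repo

locals {
  # One map entry per repo; the map key becomes the module instance key.
  repos = yamldecode(file("${path.root}/data/repos.yaml"))
}

module "nix_repo" {
  source   = "./modules/nix-repo"
  for_each = local.repos

  name        = each.key
  owner       = each.value.owner
  description = each.value.description
  topics      = each.value.topics

  # Optional field; defaults to false because dryvist repos are already
  # covered by the org-level "all" ruleset.
  manage_all_ruleset = try(each.value.manage_all_ruleset, false)
}

# --- modules/nix-repo/ruleset.tf (assumed shape) ---
# Created only for repos that opt in; a user account cannot carry org rulesets,
# so this is how JacobPEvans repos get signed commits on every branch.
resource "github_repository_ruleset" "all" {
  count = var.manage_all_ruleset ? 1 : 0

  name        = "all"
  repository  = github_repository.this.name # assumed name of the module's repo resource
  target      = "branch"
  enforcement = "active"

  conditions {
    ref_name {
      include = ["~ALL"]
      exclude = []
    }
  }

  rules {
    required_signatures = true
  }
}
```

Adding a repo is then a one-line YAML change: tofu plan shows exactly one new module instance, and flipping manage_all_ruleset on a JacobPEvans repo shows a single github_repository_ruleset to be created, nothing else.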

Auth

Two PATs required. Both live in the macOS elevate-access custom keychain under account ai-cli-coder:

  • GH_PAT_ORG_ADMIN — dryvist scope, includes organization_administration: write for org rulesets
  • GH_PAT_ADMIN — JacobPEvans scope, includes administration: write for repo settings + rulesets

The single broadest PAT (GH_PAT_ORG_ADMIN once permissioned for both sides) can drive everything. Set GITHUB_TOKEN to its value:

export GITHUB_TOKEN="$(security find-generic-password -a ai-cli-coder -s GH_PAT_ORG_ADMIN -w)"

(See nix-home for the gh_pat / with_gh_pat helpers that wrap this.)

AWS creds for the S3 backend: aws-vault exec <profile> -- tofu apply.

Initial bootstrap

# 1. Copy and fill in the backend config (uses AWS account ID; not committed)
cp examples/backend-state.hcl.example backend-state.hcl
# edit backend-state.hcl with your real bucket name

# 2. Initialize
tofu init -backend-config=backend-state.hcl

# 3. Import existing repos so the first apply is a no-op for established ones
#    (see scripts/import.sh — generated from repos.yaml; tracked separately)

# 4. Apply
tofu plan
tofu apply

Layout

.
├── main.tf, backend.tf, variables.tf, locals.tf, outputs.tf
├── repos.tf                # for_each over data/repos.yaml -> module.nix_repo
├── org-rulesets.tf         # dryvist org-level rulesets
├── data/
│   └── repos.yaml          # Repo inventory (the source of truth)
├── examples/
│   └── backend-state.hcl.example
├── modules/nix-repo/       # Reusable per-repo module
│   ├── main.tf             # github_repository
│   ├── ruleset.tf          # github_repository_ruleset (JPE-only)
│   └── variables.tf, versions.tf, outputs.tf
└── scripts/
    └── import.sh           # One-shot import of existing state

Drift detection

tofu plan shows drift. To run from CI on a schedule, set up a GitHub Actions workflow with OIDC for AWS credentials and the keychain-injected GitHub PAT (not currently wired).
