🤖 Generated by the Daily AI Assistant
Problem
The devantler-tech org enforces real org-wide settings (as opposed to rulesets) that are not in the declarative deploy/ source of truth: web_commit_signoff_required (live: true), default_repository_permission (live: read), members_can_create_repositories (live: true), two_factor_requirement_enabled (live: true). These can drift via the GitHub UI with no audit trail through GitOps — the same hole #52 identified, but the ruleset half of that issue is now fully delivered (deploy/organization-rulesets/ + deploy/repository-rulesets/, Observe-first); this issue narrows to the remaining settings-only gap.
Why this is blocked today
provider-upjet-github's CRD set (package/crds/) has no general org-settings resource. The only org-scoped resource is enterprise.github.m.upbound.io_organizations (Organization), which creates a new org under a GitHub Enterprise account (requires enterpriseId, adminLogins, billingEmail) — it does not fit adopting settings on an existing non-Enterprise org. There is no github_organization_settings-equivalent (the upstream Terraform provider integrations/terraform-provider-github has one; it isn't wrapped by the Crossplane provider we consume).
Proposed direction
- Watch
crossplane-contrib/provider-upjet-github releases for a settings-shaped resource wrapping github_organization_settings; adopt Observe-first the moment one ships, same pattern as the rulesets.
- If it never ships, the fallback is a small custom mechanism (e.g. a scheduled read-only drift-check workflow comparing live
GET /orgs/devantler-tech against a small deploy/organization-settings.yaml doc, alerting on drift) rather than blocking forever on the provider — but prefer the Crossplane path first.
Rough size
S once the provider supports it (a single Observe-first CR, mirroring the ruleset pattern); otherwise this stays parked pending upstream.
Problem
The devantler-tech org enforces real org-wide settings (as opposed to rulesets) that are not in the declarative
deploy/source of truth:web_commit_signoff_required(live:true),default_repository_permission(live:read),members_can_create_repositories(live:true),two_factor_requirement_enabled(live:true). These can drift via the GitHub UI with no audit trail through GitOps — the same hole #52 identified, but the ruleset half of that issue is now fully delivered (deploy/organization-rulesets/+deploy/repository-rulesets/, Observe-first); this issue narrows to the remaining settings-only gap.Why this is blocked today
provider-upjet-github's CRD set (package/crds/) has no general org-settings resource. The only org-scoped resource isenterprise.github.m.upbound.io_organizations(Organization), which creates a new org under a GitHub Enterprise account (requiresenterpriseId,adminLogins,billingEmail) — it does not fit adopting settings on an existing non-Enterprise org. There is nogithub_organization_settings-equivalent (the upstream Terraform providerintegrations/terraform-provider-githubhas one; it isn't wrapped by the Crossplane provider we consume).Proposed direction
crossplane-contrib/provider-upjet-githubreleases for a settings-shaped resource wrappinggithub_organization_settings; adopt Observe-first the moment one ships, same pattern as the rulesets.GET /orgs/devantler-techagainst a smalldeploy/organization-settings.yamldoc, alerting on drift) rather than blocking forever on the provider — but prefer the Crossplane path first.Rough size
S once the provider supports it (a single Observe-first CR, mirroring the ruleset pattern); otherwise this stays parked pending upstream.