Eigenoid (Settings Bot)

Declarative GitHub org configuration via safe-settings. Manages repo defaults, rulesets, labels, and teams.

Technical details

Field	Value
Type	B (with code -- container on Cloud Run)
App ID	3424955
Slug	eigenoid-settings-bot
Installation	Entire org (repository_selection: all)
Admin repo	eigenoid/platform-settings
Runtime	Cloud Run (eigenoid-safe-settings in europe-west1, project eigenoid-prd)
Image	ghcr.io/github/safe-settings v2.1.20-rc.3, mirrored to Artifact Registry
IaC	eigenoid/iac-platform (Terraform, ADR-0013)
Estimated cost	~$5--10/month (min-instances=1)

Permissions (Repository)

Permission	Level	Reason
Administration	Read & Write	Apply repo settings (private, wiki, merge strategy, etc.)
Checks	Read & Write	Create check-runs with sync results
Contents	Read & Write	Read config YAML from the admin repo
Environments	Read & Write	Manage environments declaratively
Issues	Read & Write	Manage labels
Members	Read & Write	Manage team-to-repo assignments
Pull requests	Read & Write	Dry-run checks on PRs to the admin repo
Statuses	Read & Write	Commit status updates
Actions variables	Read & Write	Manage Actions variables

Permissions (Organization)

Permission	Level	Reason
Organization Administration	Read & Write	Create/modify org-level rulesets
Organization Events	Read	Read org events

Usage as an auth token in workflows

Beyond running safe-settings, the bot is used as a token source for the governance workflows in the admin repo (repo creation, archival, and deletion). This ensures that PRs and commits from those workflows are authored by eigenoid-settings-bot[bot].

How it works

Workflows use actions/create-github-app-token to generate an installation token:

- uses: actions/create-github-app-token@vX.Y.Z # SHA-pinned
  id: bot-token
  with:
    client-id: ${{ vars.SETTINGS_BOT_CLIENT_ID }}
    private-key: ${{ secrets.SETTINGS_BOT_PRIVATE_KEY }}

yaml

client-id, not app-id

Use client-id (not app-id). The Client ID is a public value stored as an Actions variable, not a secret.

Credentials stored in platform-settings

Name	Type	Value
SETTINGS_BOT_CLIENT_ID	Variable	Iv23liClNzXyH4NbQRO9
SETTINGS_BOT_PRIVATE_KEY	Secret	Private key PEM for the bot

Workflows that use it

Workflow	Purpose
approve-repo.yml	Generates config YAML and pushes to main when a repo is approved
archive-repo.yml	Archives the repo and moves its config (Phase 1 soft-delete)
delete-archived-repos.yml	CRON: deletes repos after 30 days (Phase 2)

Webhook events (9)

Event	Purpose
push	Primary trigger: sync config when the admin repo is pushed
repository	Detect repo changes (name, visibility)
repository_ruleset	Drift prevention: revert manual ruleset changes
branch_protection_rule	Drift prevention: revert branch protection changes
pull_request	Dry-run on PRs to the admin repo
check_run	Check run processing
check_suite	Check suite processing
member	Detect membership changes
team	Detect team changes

Private key rotation

1. Go to github.com/organizations/eigenoid/settings/apps/eigenoid-settings-bot and navigate to Private keys.
2. Click Generate a private key and download the new .pem file.
3. Update the secret in GCP Secret Manager:

   gcloud secrets versions add safe-settings-private-key \
     --data-file=<path-to-new-pem> \
     --project=eigenoid-prd

   bash
4. Update the Cloud Run service to use the new version:

   gcloud run services update eigenoid-safe-settings \
     --region europe-west1 \
     --project eigenoid-prd \
     --update-secrets "PRIVATE_KEY=safe-settings-private-key:latest"

   bash
5. Delete the old key on the app page under Private keys.
6. Verify: push a change to the admin repo and confirm the sync works.

warning

The private key must be raw PEM (starts with -----BEGIN RSA PRIVATE KEY-----). Do not base64-encode it.

For the full secret rotation procedure, see the safe-settings operations runbook.

Human owner

@shoootyou is responsible for this App. Contact them for permission changes, installations, or incidents.