This repo contains a Python script that forks a (possibly large) number of GitHub repositories into a dedicated GitHub organization. For these forks, the script sets up a separate (orphaned) configuration branch and a synchronization workflow that runs daily and ensures that your fork is kept up-to-date with upstream, while adding the following files (see the `templates` folder):
- Renovate Bot configuration file (`renovate.json5`) (existing `renovate.json*` files of the upstream repository are deleted)
- Synchronization workflow (so that the sync workflow can restore itself to the default branch after resetting the fork's default branch to the upstream's default branch)
- Zero or more additional (optional) workflows, e.g. `trivy-dependencies-submission.yml`

- If you are on Windows, run `git config --system core.longpaths true` once to avoid path length issues
- Create a (free) GitHub organization, and store its name in `TARGET_ORG` in the `onboard_repos.py` script
- In the settings page of your GitHub organization
  - in the Secrets and variables -> Actions section, create a new organization secret named `GH_PAT` and set it to the value of a (classic) PAT that has the `repo` and `workflow` scopes (we do this so that the sync workflow can push changes to the fork)
  - in the Code security -> Configurations section, create a new configuration which enables the dependency graph and dependabot (alerts). In the Policy section, set Use as default for newly created repositories to any value other than None (we do this so that the forks have the dependency graph enabled right after creating them, which would otherwise have to be done manually)
- Configure the repositories you want to fork in the `REPOS_TO_FORK` list in the `onboard_repos.py` script
- Make sure that the GitHub CLI is installed and authenticated
- Run the `onboard_repos.py` script with a Python 3.10+ interpreter
- Open https://github.com/apps/renovate and install the Renovate bot to the organization you created in step 1. Make sure that you explicitly specify the list of all the repos in your organization. Granting Renovate access to all repositories won't work.

- To update / push some of the files in the `templates` folder that you changed locally after you ran the `onboard_repos.py` script, run the `change_files_in_repos.py` script
- To determine which of the repositories in the `REPOS_TO_FORK` list have the Renovate bot or Dependabot installed, run the `check_renovate_or_dependabot.py` script
- To determine the current state of Dependabot alerts vs. Renovate PRs, run the `compare_vulnerabilities.py` script
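
The `GH_PAT` secret described in the setup steps is a classic PAT shared with every fork's sync workflow, so it is worth checking before storing it that it carries the `repo` and `workflow` scopes and nothing more. The following pre-flight check is an added example, not part of this repo's scripts; the function names and the choice to read the token from a `GH_PAT` environment variable are assumptions, and it relies on the `X-OAuth-Scopes` response header that the GitHub REST API returns for classic tokens.

```python
"""Pre-flight scope check for the GH_PAT organization secret (added example)."""
import os
import urllib.request
from typing import Optional

REQUIRED_SCOPES = {"repo", "workflow"}  # the scopes the setup steps ask for


def token_kind(token: str) -> str:
    """Classify a token by its prefix (classic PATs start with 'ghp_')."""
    if token.startswith("ghp_"):
        return "classic"
    if token.startswith("github_pat_"):
        return "fine-grained"
    return "unknown"


def audit_scopes(scopes_header: Optional[str]) -> dict:
    """Compare an X-OAuth-Scopes header value against REQUIRED_SCOPES."""
    if scopes_header is None:
        # No header at all: the token is probably not a classic PAT.
        return {"ok": False, "missing": sorted(REQUIRED_SCOPES), "excess": []}
    granted = {s.strip() for s in scopes_header.split(",") if s.strip()}
    missing = sorted(REQUIRED_SCOPES - granted)
    # Extra scopes do not break the sync, but they widen what a leaked
    # organization secret could be used for, so report them separately.
    excess = sorted(granted - REQUIRED_SCOPES)
    return {"ok": not missing, "missing": missing, "excess": excess}


def fetch_scopes(token: str) -> Optional[str]:
    """Ask the GitHub API which scopes the token carries."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes")


if __name__ == "__main__":
    pat = os.environ["GH_PAT"]  # assumption: token exported locally for the check
    if token_kind(pat) != "classic":
        raise SystemExit("GH_PAT does not look like a classic PAT")
    result = audit_scopes(fetch_scopes(pat))
    print("missing scopes:", result["missing"] or "none")
    print("excess scopes: ", result["excess"] or "none")
    raise SystemExit(0 if result["ok"] and not result["excess"] else 1)
```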