forge-enforce
Enforce repository policies across forge providers (GitHub, etc.). Runs on a schedule, discovers repositories matching allow/deny filters, and applies configured policies.
Usage
forge-enforce serve --host 127.0.0.1:3000
Requires FE_CONFIG_DIR (or --config-dir) pointing to a directory of TOML config files, one per forge.
Configuration
Each file in the config directory defines a forge connection. Example (github.com.toml):
# Schedule: pick one
# schedule.cron = "0 * * * * *"
# schedule.interval = "60" # minutes (default)
schedule.once = true
# Repository filters (regex patterns)
allow = ["^canopy-.*$"]
deny = ["^infrastructure-.*$", "^canopy-data-gateway$"]
# Forge connection
[github]
credentials.token_env = "GITHUB_ACCESS_TOKEN"
organisation = "understory-io"
# Policies to enforce
[policies]
squash_merge_only.enabled = true
Fields
| Field | Description |
|---|---|
schedule |
cron, interval (minutes), or once |
allow |
Regex list of repository names to include (default: .*) |
deny |
Regex list of repository names to exclude (default: none) |
[github] |
GitHub forge config: credentials and organisation |
credentials |
token = "..." or token_env = "ENV_VAR" |
[policies] |
Policy rules to enforce on matched repositories |
squash_merge_only.enabled |
Require squash merges only |