Yadhav/fix recent issues

.gitignore

@@ -128,7 +128,7 @@ npm-debug.log
 .DS_Store
 node_modules/
 private-key.pem
-.env
+*.env
 *.pem
 .vscode
 yarn.lock

app.yml

@@ -25,7 +25,6 @@ default_events:
   - repository_ruleset
   - team
 
-
 # The set of permissions needed by the GitHub App. The format of the object uses
 # the permission name for the key (for example, issues) and the access type for
 # the value (for example, write).
@@ -114,6 +113,14 @@ default_permissions:
     # https://developer.github.com/v3/apps/permissions/
     organization_administration: write
 
+    # Manage custom organization roles.
+    # https://docs.github.com/en/enterprise-cloud@latest/rest/authentication/permissions-required-for-github-apps?apiVersion=2026-03-10#organization-permissions-for-custom-organization-roles
+    organization_custom_org_roles: write
+
+    # Manage custom repository roles.
+    # https://docs.github.com/en/enterprise-cloud@latest/rest/authentication/permissions-required-for-github-apps?apiVersion=2026-03-10#organization-permissions-for-custom-repository-roles
+    organization_custom_roles: write
+
     # Manage Actions variables.
     # https://docs.github.com/en/rest/actions/variables?apiVersion=2022-11-28
     actions_variables: write

docs/README.md

@@ -10,3 +10,5 @@
 | Configure deployment environments | [Deployment Environments](github-settings/6.%20deployment-environments.md) |
 | Configure auto-link references | [AutoLinks](github-settings/7.%20autolinks.md) |
 | Configure pre-defined labels for issues and pull requests | [Labels](github-settings/8.%20labels.md) |
+
+For information on disabling plugins, see [Disabling plugins](../README.md#disabling-plugins-disable_plugins) in the root README.

docs/github-settings/4. teams.md

@@ -38,7 +38,7 @@ teams:
 </td></tr>
 <tr><td>
 <p>&emsp;<code>permission</code><span style="color:gray;">&emsp;<i>string</i>&emsp;</span></p>
-<p>The permission to grant the team on this repository. We accept the following permissions to be set: <code>pull</code>, <code>triage</code>, <code>push</code>, <code>maintain</code>, <code>admin</code> and you can also specify a custom repository role name, if the owning organization has defined any. If no permission is specified, the team's <code>permission</code> attribute will be used to determine what permission to grant the team on this repository.</p>
+<p>The permission to grant the team on this repository. We accept the following permissions to be set: <code>pull</code>, <code>triage</code>, <code>push</code>, <code>maintain</code>, <code>admin</code> and you can also specify a custom repository role name, if the owning organization has defined any.</p>
 <p>Default: <code>push</code></p>
 </td><td style="vertical-align:top">
 
@@ -48,5 +48,18 @@ teams:
     permission: maintain
 ```
 
+</td></tr>
+<tr><td>
+<p>&emsp;<code>external_group</code><span style="color:gray;">&emsp;<i>string</i>&emsp;</span></p>
+<p>Optional. The <strong>display name</strong> of an external IdP group (as listed under your organization's external groups) to link to the team. <code>safe-settings</code> looks up the group's id by display name via <a href="https://docs.github.com/en/enterprise-cloud@latest/rest/teams/external-groups?apiVersion=2022-11-28#list-external-groups-available-to-an-organization"><code>GET /orgs/{org}/external-groups</code></a> and links the team via <a href="https://docs.github.com/en/enterprise-cloud@latest/rest/teams/external-groups?apiVersion=2022-11-28#update-the-connection-between-an-external-group-and-a-team"><code>PATCH /orgs/{org}/teams/{team_slug}/external-groups</code></a>. The link is reconciled on every sync and is idempotent (it skips the PATCH when the team is already linked to the same group). The external-groups list is fetched at most once per org per sync, only when at least one team entry uses this property. If the named group does not exist for the org, an error is logged and the team-repo association still applies.</p>
+</td><td style="vertical-align:top">
+
+```yaml
+teams:
+  - name: expert-services-developers
+    permission: push
+    external_group: "Engineering - Expert Services"
+```
+
 </td></tr>
 </table>

docs/sample-settings/sample-deployment-settings.yml

@@ -38,3 +38,14 @@ overridevalidators:
       Some error
     script: |
       return true
+
+# disable_plugins (optional) — disable safe-settings plugins at the deployment layer.
+# Each entry is either a plugin name (shorthand for target: all) or { plugin, target }.
+# target is one of: self | children | all (default: all).
+# Declared here, target: all strips the plugin from every level below for every repo.
+# See docs/README.md ("Disabling plugins") for the full strip matrix and limitations.
+#
+# disable_plugins:
+#   - plugin: rulesets       # disables rulesets everywhere
+#     target: all
+#   - milestones             # shorthand → { plugin: milestones, target: all }

docs/sample-settings/settings.yml

@@ -397,3 +397,34 @@ rulesets:
           negate: false
           operator: regex
           pattern: ".*\/.*"
+
+# disable_plugins (optional) — disable safe-settings plugins at the org layer.
+# Declared here:
+#   - target: self     → strips from the org layer only (affects org-level runs:
+#                        rulesets, custom_repository_roles).
+#   - target: children → strips from suborg + repo layers (per-repo runs).
+#   - target: all      → strips from org + suborg + repo layers.
+# Lower levels can never undo a strip declared at a higher level (union-only cascade).
+# See docs/README.md ("Disabling plugins") for the full strip matrix.
+#
+# disable_plugins:
+#   - plugin: custom_repository_roles
+#     target: self
+#   - branches             # shorthand → { plugin: branches, target: all }
+
+# additive_plugins (optional) — run selected Diffable plugins in additive mode.
+# In additive mode a plugin will only add and update entries; it will never
+# call remove(). Items that exist on GitHub but are absent from the YAML are
+# preserved. This is useful when you want safe-settings to enforce a baseline
+# of settings while still allowing teams to manage their own extra labels,
+# teams, environments, etc.
+#
+# Supported plugins (must extend Diffable):
+#   labels, collaborators, teams, milestones, autolinks, environments,
+#   custom_properties, variables, rulesets, custom_repository_roles
+#
+# NOT supported (non-Diffable): repository, archive, branches, validator
+#
+# additive_plugins:
+#   - labels          # never delete labels not in YAML
+#   - collaborators   # never remove collaborators not in YAML

docs/sample-settings/suborg.yml

@@ -14,3 +14,15 @@ suborgproperties:
 - EDP: true
 
 # Every other property is the same as the org level settings and can be overridden here
+
+# disable_plugins (optional) — disable safe-settings plugins for repos matched
+# by this suborg. Declared here, target values mean:
+#   - self     → strip from the suborg layer only.
+#   - children → strip from the repo layer for matched repos.
+#   - all      → strip from suborg + repo layers for matched repos.
+# Note: a suborg-level disable cannot strip config defined at the org layer.
+# See docs/README.md ("Disabling plugins") for details.
+#
+# disable_plugins:
+#   - plugin: labels
+#     target: all