github · tylerohlsen · Jan 9, 2026 · Jan 9, 2026 · Jan 9, 2026 · Jan 9, 2026
diff --git a/helm/safe-settings/README.md b/helm/safe-settings/README.md
@@ -9,22 +9,15 @@ A Helm chart for Kubernetes
 | affinity | object | `{}` |  |
 | autoscaling.enabled | bool | `false` |  |
 | autoscaling.maxReplicas | int | `10` |  |
-| autoscaling.minReplicas | int | `2` |  |
+| autoscaling.minReplicas | int | `1` |  |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
-| deploymentConfig.configvalidators[0].error | string | `"`Admin cannot be assigned to collaborators`\n"` |  |
-| deploymentConfig.configvalidators[0].plugin | string | `"collaborators"` |  |
-| deploymentConfig.configvalidators[0].script | string | `"console.log(`baseConfig ${JSON.stringify(baseconfig)}`)\nreturn baseconfig.permission != 'admin'\n"` |  |
-| deploymentConfig.overridevalidators[0].error | string | `"`Branch protection required_approving_review_count cannot be overidden to a lower value`\n"` |  |
-| deploymentConfig.overridevalidators[0].plugin | string | `"branches"` |  |
-| deploymentConfig.overridevalidators[0].script | string | `"console.log(`baseConfig ${JSON.stringify(baseconfig)}`)\nconsole.log(`overrideConfig ${JSON.stringify(overrideconfig)}`)\nif (baseconfig.protection.required_pull_request_reviews.required_approving_review_count && overrideconfig.protection.required_pull_request_reviews.required_approving_review_count ) {\n  return overrideconfig.protection.required_pull_request_reviews.required_approving_review_count >= baseconfig.protection.required_pull_request_reviews.required_approving_review_count\n}\nreturn true\n"` |  |
-| deploymentConfig.overridevalidators[1].error | string | `"Some error\n"` |  |
-| deploymentConfig.overridevalidators[1].plugin | string | `"labels"` |  |
-| deploymentConfig.overridevalidators[1].script | string | `"return true\n"` |  |
+| deploymentConfig.configvalidators | list | [] |  |
+| deploymentConfig.overridevalidators | list | [] |  |
 | deploymentConfig.restrictedRepos.exclude[0] | string | `"^admin$"` |  |
 | deploymentConfig.restrictedRepos.exclude[1] | string | `"^\\.github$"` |  |
 | deploymentConfig.restrictedRepos.exclude[2] | string | `"^safe-settings$"` |  |
 | deploymentConfig.restrictedRepos.exclude[3] | string | `".*-test"` |  |
-| deploymentConfig.restrictedRepos.include[0] | string | `"^test$"` |  |
+| deploymentConfig.restrictedRepos.include | list | [] |  |
 | env | list | `[]` |  |
 | envFrom | list | `[]` |  |
 | extraObjects | list | `[]` | Add dynamic manifests via values. Example: extraObjects: - kind: ConfigMap   apiVersion: v1   metadata:     name: extra-cm-{{ .Release.Name }}   data: |     extra.yml: "does-my-install-need-extra-info: true" |
@@ -44,15 +37,15 @@ A Helm chart for Kubernetes
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
-| replicaCount | int | `2` |  |
+| replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
 | securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | securityContext.privileged | bool | `false` |  |
 | securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | securityContext.runAsNonRoot | bool | `true` |  |
 | securityContext.runAsUser | int | `1000` |  |
-| service.port | int | `80` |  |
+| service.port | int | `3000` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.automountServiceAccountToken | bool | `false` |  |

diff --git a/helm/safe-settings/templates/deployment.yaml b/helm/safe-settings/templates/deployment.yaml
@@ -43,7 +43,7 @@ spec:
           {{- end }}
           ports:
             - name: http
-              containerPort: {{ .Values.service.port }}
+              containerPort: 3000
               protocol: TCP
           resources:
             {{- toYaml .Values.resources | nindent 12 }}

diff --git a/helm/safe-settings/values.yaml b/helm/safe-settings/values.yaml
@@ -2,7 +2,7 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-replicaCount: 2
+replicaCount: 1
 
 image:
   repository: ghcr.io/github/safe-settings
@@ -45,6 +45,26 @@ envFrom: []
 #     name: app-env
 
 env: []
+# - name: CRON
+#   value: '*/5 * * * *'
+# - name: APP_ID
+#   valueFrom:
+#     secretKeyRef:
+#       name: github_app_secret
+#       key: app_id
+#       optional: false
+# - name: PRIVATE_KEY
+#   valueFrom:
+#     secretKeyRef:
+#       name: github_app_secret
+#       key: private_key
+#       optional: false
+# - name: WEBHOOK_SECRET
+#   valueFrom:
+#     secretKeyRef:
+#       name: github_app_secret
+#       key: webhook_secret
+#       optional: false
 
 service:
   type: ClusterIP
@@ -83,7 +103,7 @@ resources:
 
 autoscaling:
   enabled: false
-  minReplicas: 2
+  minReplicas: 1
   maxReplicas: 10
   targetCPUUtilizationPercentage: 80
   # targetMemoryUtilizationPercentage: 80
@@ -104,30 +124,30 @@ deploymentConfig:
     #  If no file is specified, then the following repositories - 'admin', '.github', 'safe-settings' are exempted by default
     exclude: ["^admin$", '^\.github$', "^safe-settings$", ".*-test"]
     # Alternatively you can only include certain repos
-    include: ["^test$"]
-  configvalidators:
-    - plugin: collaborators
-      error: |
-        `Admin cannot be assigned to collaborators`
-      script: |
-        console.log(`baseConfig ${JSON.stringify(baseconfig)}`)
-        return baseconfig.permission != 'admin'
-  overridevalidators:
-    - plugin: branches
-      error: |
-        `Branch protection required_approving_review_count cannot be overidden to a lower value`
-      script: |
-        console.log(`baseConfig ${JSON.stringify(baseconfig)}`)
-        console.log(`overrideConfig ${JSON.stringify(overrideconfig)}`)
-        if (baseconfig.protection.required_pull_request_reviews.required_approving_review_count && overrideconfig.protection.required_pull_request_reviews.required_approving_review_count ) {
-          return overrideconfig.protection.required_pull_request_reviews.required_approving_review_count >= baseconfig.protection.required_pull_request_reviews.required_approving_review_count
-        }
-        return true
-    - plugin: labels
-      error: |
-        Some error
-      script: |
-        return true
+    include: [] # ["^test$"]
+  configvalidators: []
+    # - plugin: collaborators
+    #   error: |
+    #     `Admin cannot be assigned to collaborators`
+    #   script: |
+    #     console.log(`baseConfig ${JSON.stringify(baseconfig)}`)
+    #     return baseconfig.permission != 'admin'
+  overridevalidators: []
+    # - plugin: branches
+    #   error: |
+    #     `Branch protection required_approving_review_count cannot be overidden to a lower value`
+    #   script: |
+    #     console.log(`baseConfig ${JSON.stringify(baseconfig)}`)
+    #     console.log(`overrideConfig ${JSON.stringify(overrideconfig)}`)
+    #     if (baseconfig.protection.required_pull_request_reviews.required_approving_review_count && overrideconfig.protection.required_pull_request_reviews.required_approving_review_count ) {
+    #       return overrideconfig.protection.required_pull_request_reviews.required_approving_review_count >= baseconfig.protection.required_pull_request_reviews.required_approving_review_count
+    #     }
+    #     return true
+    # - plugin: labels
+    #   error: |
+    #     Some error
+    #   script: |
+    #     return true
 
 # -- Add dynamic manifests via values. Example:
 # extraObjects: