From 9ffe2e9c7cc66ec60b1707a2823fa5403f6f2dfc Mon Sep 17 00:00:00 2001
From: George Adams <georgeadams1995@gmail.com>
Date: Tue, 21 Apr 2026 13:42:47 +0100
Subject: [PATCH] feat(org-settings): add deploy_keys_enabled_for_repositories
 support

Adds organization-level control over whether deploy keys can be added to
repositories. Maps to the 'deploy_keys_enabled_for_repositories' field on
the GitHub organization update endpoint.
---
 examples/template/otterdog-defaults.libsonnet     | 4 ++++
 otterdog/models/organization_settings.py          | 1 +
 otterdog/resources/schemas/settings.json          | 4 ++++
 tests/models/resources/github-org-settings.json   | 1 +
 tests/models/resources/otterdog-org-settings.json | 1 +
 tests/models/resources/otterdogtest.json          | 1 +
 tests/models/test_org_settings.py                 | 4 +++-
 7 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/examples/template/otterdog-defaults.libsonnet b/examples/template/otterdog-defaults.libsonnet
index 486353c9..2b81583a 100644
--- a/examples/template/otterdog-defaults.libsonnet
+++ b/examples/template/otterdog-defaults.libsonnet
@@ -319,6 +319,10 @@ local newOrg(name, id=name) = {
     # Repository forking
     members_can_fork_private_repositories: false,
 
+    # Controls whether members with admin permissions on repositories can add deploy keys.
+    # Disabling this prevents new deploy keys from being added across all repositories in the organization.
+    deploy_keys_enabled_for_repositories: true,
+
     # Repository defaults: Commit signoff
     web_commit_signoff_required: true,
 
diff --git a/otterdog/models/organization_settings.py b/otterdog/models/organization_settings.py
index 0a76ba1d..4793861a 100644
--- a/otterdog/models/organization_settings.py
+++ b/otterdog/models/organization_settings.py
@@ -71,6 +71,7 @@ class OrganizationSettings(ModelObject):
     members_can_create_private_repositories: bool
     members_can_create_public_repositories: bool
     members_can_fork_private_repositories: bool
+    deploy_keys_enabled_for_repositories: bool
     members_can_create_public_pages: bool
     members_can_create_private_pages: bool
     members_can_change_repo_visibility: bool
diff --git a/otterdog/resources/schemas/settings.json b/otterdog/resources/schemas/settings.json
index 69dfddc1..8ee02227 100644
--- a/otterdog/resources/schemas/settings.json
+++ b/otterdog/resources/schemas/settings.json
@@ -59,6 +59,10 @@
       "provider": "restapi",
       "type": "boolean"
     },
+    "deploy_keys_enabled_for_repositories": {
+      "provider": "restapi",
+      "type": "boolean"
+    },
     "web_commit_signoff_required": {
       "provider": "restapi",
       "type": "boolean"
diff --git a/tests/models/resources/github-org-settings.json b/tests/models/resources/github-org-settings.json
index ae6aa794..1a92f366 100644
--- a/tests/models/resources/github-org-settings.json
+++ b/tests/models/resources/github-org-settings.json
@@ -17,6 +17,7 @@
   "members_can_delete_issues": false,
   "members_can_delete_repositories": true,
   "members_can_fork_private_repositories": true,
+  "deploy_keys_enabled_for_repositories": true,
   "name": null,
   "members_can_change_project_visibility": false,
   "organization_projects_enabled": true,
diff --git a/tests/models/resources/otterdog-org-settings.json b/tests/models/resources/otterdog-org-settings.json
index a3cf5263..4c8dfb82 100644
--- a/tests/models/resources/otterdog-org-settings.json
+++ b/tests/models/resources/otterdog-org-settings.json
@@ -18,6 +18,7 @@
   "members_can_delete_issues": false,
   "members_can_delete_repositories": true,
   "members_can_fork_private_repositories": true,
+  "deploy_keys_enabled_for_repositories": true,
   "name": null,
   "members_can_change_project_visibility": false,
   "organization_projects_enabled": true,
diff --git a/tests/models/resources/otterdogtest.json b/tests/models/resources/otterdogtest.json
index 5c8a1a10..c5802707 100644
--- a/tests/models/resources/otterdogtest.json
+++ b/tests/models/resources/otterdogtest.json
@@ -293,6 +293,7 @@
       "members_can_delete_issues": false,
       "members_can_delete_repositories": true,
       "members_can_fork_private_repositories": true,
+      "deploy_keys_enabled_for_repositories": true,
       "name": null,
       "organization_members_can_change_project_visibility": false,
       "organization_organization_projects_enabled": true,
diff --git a/tests/models/test_org_settings.py b/tests/models/test_org_settings.py
index 2d0d9b09..5151287b 100644
--- a/tests/models/test_org_settings.py
+++ b/tests/models/test_org_settings.py
@@ -53,6 +53,7 @@ def test_load_from_model(self):
         assert settings.members_can_create_private_repositories is False
         assert settings.members_can_create_public_repositories is True
         assert settings.members_can_fork_private_repositories is True
+        assert settings.deploy_keys_enabled_for_repositories is True
         assert settings.members_can_create_public_pages is True
         assert settings.members_can_create_private_pages is False
         assert settings.members_can_change_repo_visibility is False
@@ -83,6 +84,7 @@ def test_load_from_provider(self):
         assert settings.members_can_create_private_repositories is False
         assert settings.members_can_create_public_repositories is True
         assert settings.members_can_fork_private_repositories is True
+        assert settings.deploy_keys_enabled_for_repositories is True
         assert settings.members_can_create_public_pages is True
         assert settings.members_can_create_private_pages is False
         assert settings.members_can_change_repo_visibility is False
@@ -101,7 +103,7 @@ async def test_to_provider(self):
 
         provider_data = await settings.to_provider_data(self.org_id, self.provider)
 
-        assert len(provider_data) == 24
+        assert len(provider_data) == 25
         assert provider_data["billing_email"] == settings.billing_email
 
     async def test_changes_to_provider(self):