There are mainly 3 options that I've found. I haven't tried either of them myself yet though.

1. https://github.com/github/safe-settings

   an app to manage policy-as-code and apply repository settings across an organization.

2. Custom script with GH CLI similar to https://github.com/adamchainz/scripts/blob/main/myrepos/0000-repo-settings.sh

3. Terraform https://registry.terraform.io/providers/integrations/github/latest/docs

P.S. .github/ (even euphemeral) approach doesn't seem adequate as it would allow anybody having commit access to update repo settings, which effectively hijacks GH permissions model.