Add repository fork, GitHub Pages, and push ruleset support (#16)

* Add repository fork, GitHub Pages, and push ruleset support

- Add fork configuration to enable creating forked repositories
- Add GitHub Pages configuration with build type, CNAME, and source options
- Enable required_code_scanning ruleset rules (drift issue resolved)
- Add push ruleset target with file restrictions and size limits
- Add new ruleset rule types: required_linear_history, required_signatures, update
- Expand bypass modes and actor types for rulesets
- Add comprehensive validations for all new ruleset features
- Update GitHub provider version to 6.9.0

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Haiku 4.5 <[email protected]>

* Remove unsupported security_and_analysis options

Remove secret_scanning_ai_detection and secret_scanning_non_provider_patterns
as these block types are not supported by the current GitHub Terraform provider.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* Update examples/complete with all new features

- Add fork variable for repository forking support
- Add pages variable for GitHub Pages configuration
- Update security_and_analysis with code_security option
- Update rulesets variable with all new options:
  - Push ruleset target with file restrictions
  - required_linear_history, required_signatures, update rules
  - required_code_scanning support
  - New bypass modes (exempt) and actor types (DeployKey)
- Add comprehensive tfvars examples:
  - GitHub Pages configuration
  - Tag protection ruleset
  - Push restrictions ruleset with file/size limits
  - Code scanning requirements

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* Update examples/complete provider version to >= 6.9.0

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* Require provider >= 6.9.0 and restore all security features

- Update provider version requirement from >= 6.6.0 to >= 6.9.0
- Re-add code_security to security_and_analysis block
- Re-add secret_scanning_ai_detection to security_and_analysis block
- Re-add secret_scanning_non_provider_patterns to security_and_analysis block
- Update examples/complete with all security options
- Update README documentation

The fork, code_security, secret_scanning_ai_detection, and
secret_scanning_non_provider_patterns features require provider
version 6.9.0 or later.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* Fix push ruleset conditions - ref_name not supported for push target

Push rulesets in GitHub do not support ref_name conditions like branch
and tag rulesets do. This change makes the conditions block optional
and adds validations to ensure proper usage per ruleset target type.

* Fix file_extension_restriction format - extensions must start with *.

GitHub API requires file extensions to use the *. prefix format
(e.g., *.exe) instead of just the extension (e.g., .exe).

* Comment out push ruleset example - only supported on private repos

Push rulesets are not supported on public repositories. Since CI tests
use public repos, the push_restrictions example is now commented out
with documentation. Updated test assertions to expect 2 rulesets
(branch + tag) instead of 1.

* Fix environment count test - GitHub Pages auto-creates environment

When GitHub Pages is enabled, GitHub automatically creates a
"github-pages" environment. Updated test to expect 4 environments
(staging, development, production, github-pages).

---------

Co-authored-by: Claude Haiku 4.5 <[email protected]>

Author: johncblandii

README.md

@@ -28,9 +28,21 @@ ignore_vulnerability_alerts_during_read = true
 allow_update_branch                     = true
 
 security_and_analysis = {
-  advanced_security               = false
-  secret_scanning                 = true
-  secret_scanning_push_protection = true
+  advanced_security                     = false
+  code_security                         = true
+  secret_scanning                       = true
+  secret_scanning_push_protection       = true
+  secret_scanning_ai_detection          = true
+  secret_scanning_non_provider_patterns = true
+}
+
+# GitHub Pages configuration
+pages = {
+  build_type = "workflow"
+  source = {
+    branch = "main"
+    path   = "/docs"
+  }
 }
 
 archive_on_destroy = false
@@ -112,6 +124,9 @@ environments = {
   }
 }
 
+# Note: Push rulesets (target = "push") are only supported on private repositories.
+# The CI tests use public repositories, so push rulesets cannot be tested there.
+# See the commented-out push_restrictions example below for push ruleset configuration.
 rulesets = {
   default = {
     name        = "Default protection"
@@ -172,9 +187,13 @@ rulesets = {
         name     = "Test committer email"
         negate   = false
       }
-      creation         = true
-      deletion         = false
-      non_fast_forward = true
+      creation                      = true
+      deletion                      = false
+      non_fast_forward              = true
+      required_linear_history       = true
+      required_signatures           = false
+      update                        = true
+      update_allows_fetch_and_merge = true
       pull_request = {
         dismiss_stale_reviews_on_push     = true
         require_code_owner_review         = true
@@ -197,6 +216,77 @@ rulesets = {
         strict_required_status_checks_policy = true
         do_not_enforce_on_create             = true
       }
+      required_code_scanning = {
+        required_code_scanning_tool = [
+          {
+            alerts_threshold          = "errors"
+            security_alerts_threshold = "high_or_higher"
+            tool                      = "CodeQL"
+          }
+        ]
+      }
+    }
+  }
+  tag_protection = {
+    name        = "Tag protection"
+    enforcement = "active"
+    target      = "tag"
+    conditions = {
+      ref_name = {
+        include = ["~ALL"]
+        exclude = []
+      }
+    }
+    bypass_actors = [
+      {
+        bypass_mode = "always"
+        actor_type  = "OrganizationAdmin"
+      }
+    ]
+    rules = {
+      tag_name_pattern = {
+        operator = "starts_with"
+        pattern  = "v"
+        name     = "Semantic version tags"
+        negate   = false
+      }
+      creation = true
+      deletion = true
     }
   }
+  # Push rulesets are only available for private repositories.
+  # Uncomment the following for private repos:
+  # push_restrictions = {
+  #   name        = "Push restrictions"
+  #   enforcement = "evaluate"
+  #   target      = "push"
+  #   # Note: conditions with ref_name is not supported for push rulesets
+  #   bypass_actors = [
+  #     {
+  #       bypass_mode = "always"
+  #       actor_type  = "OrganizationAdmin"
+  #     }
+  #   ]
+  #   rules = {
+  #     file_path_restriction = {
+  #       restricted_file_paths = [
+  #         ".github/workflows/*",
+  #         "terraform/*"
+  #       ]
+  #     }
+  #     max_file_size = {
+  #       max_file_size = 50
+  #     }
+  #     max_file_path_length = {
+  #       max_file_path_length = 256
+  #     }
+  #     file_extension_restriction = {
+  #       restricted_file_extensions = [
+  #         "*.exe",
+  #         "*.dll",
+  #         "*.so"
+  #       ]
+  #     }
+  #   }
+  # }
 }

examples/complete/fixtures.us-east-2.tfvars

@@ -8,6 +8,7 @@ module "example" {
   visibility  = var.visibility
 
   template = var.template
+  fork     = var.fork
 
   homepage_url = var.homepage_url
   topics       = var.topics
@@ -50,6 +51,7 @@ module "example" {
   default_branch              = var.default_branch
   enable_vulnerability_alerts = var.enable_vulnerability_alerts
   security_and_analysis       = var.security_and_analysis
+  pages                       = var.pages
 
   custom_properties = var.custom_properties
   environments      = var.environments

examples/complete/main.tf

@@ -13,6 +13,15 @@ variable "template" {
   default = null
 }
 
+variable "fork" {
+  description = "Configuration for forking an existing repository"
+  type = object({
+    source_owner = string
+    source_repo  = string
+  })
+  default = null
+}
+
 variable "description" {
   description = "Description of the repository"
   type        = string
@@ -209,9 +218,25 @@ variable "allow_update_branch" {
 variable "security_and_analysis" {
   description = "Security and analysis settings"
   type = object({
-    advanced_security               = bool
-    secret_scanning                 = bool
-    secret_scanning_push_protection = bool
+    advanced_security                     = optional(bool, false)
+    code_security                         = optional(bool, false)
+    secret_scanning                       = optional(bool, false)
+    secret_scanning_push_protection       = optional(bool, false)
+    secret_scanning_ai_detection          = optional(bool, false)
+    secret_scanning_non_provider_patterns = optional(bool, false)
+  })
+  default = null
+}
+
+variable "pages" {
+  description = "GitHub Pages configuration for the repository"
+  type = object({
+    source = optional(object({
+      branch = string
+      path   = optional(string, "/")
+    }), null)
+    build_type = optional(string, "workflow")
+    cname      = optional(string, null)
   })
   default = null
 }
@@ -400,49 +425,54 @@ variable "rulesets" {
   description = "A map of rulesets to configure for the repository"
   type = map(object({
     name        = string
-    enforcement = string // disabled, active
-    target      = string // branch, tag
+    enforcement = string // disabled, active, evaluate
+    target      = string // branch, tag, push
     bypass_actors = optional(list(object({
-      // always, pull_request
+      // always, pull_request, exempt
       bypass_mode = string
       actor_id    = optional(string, null)
-      // RepositoryRole, Team, Integration, OrganizationAdmin
+      // RepositoryRole, Team, Integration, OrganizationAdmin, DeployKey
       actor_type = string
     })), [])
-    conditions = object({
+    // conditions is required for branch and tag rulesets, but not supported for push rulesets
+    conditions = optional(object({
       ref_name = object({
         include = optional(list(string), []) // ~DEFAULT_BRANCH to include the default branch or ~ALL
         exclude = optional(list(string), []) // ~DEFAULT_BRANCH to exclude the default branch or ~ALL
       })
-    })
+    }), null)
     rules = object({
       branch_name_pattern = optional(object({
-        operator = string // starts_with, ends_with, contains, equals
+        operator = string // starts_with, ends_with, contains, regex
         pattern  = string
         name     = optional(string, null)
         negate   = optional(bool, false)
       }), null),
       commit_author_email_pattern = optional(object({
-        operator = string // starts_with, ends_with, contains, equals
+        operator = string // starts_with, ends_with, contains, regex
         pattern  = string
         name     = optional(string, null)
         negate   = optional(bool, false)
       }), null),
-      creation         = optional(bool, false),
-      deletion         = optional(bool, false),
-      non_fast_forward = optional(bool, false),
+      creation                      = optional(bool, false),
+      deletion                      = optional(bool, false),
+      non_fast_forward              = optional(bool, false),
+      required_linear_history       = optional(bool, false),
+      required_signatures           = optional(bool, false),
+      update                        = optional(bool, false),
+      update_allows_fetch_and_merge = optional(bool, false),
       required_pull_request_reviews = optional(object({
         dismiss_stale_reviews           = bool
         required_approving_review_count = number
       }), null),
       commit_message_pattern = optional(object({
-        operator = string // starts_with, ends_with, contains, equals
+        operator = string // starts_with, ends_with, contains, regex
         pattern  = string
         name     = optional(string, null)
         negate   = optional(bool, false)
       }), null),
       committer_email_pattern = optional(object({
-        operator = string // starts_with, ends_with, contains, equals
+        operator = string // starts_with, ends_with, contains, regex
         pattern  = string
         name     = optional(string, null)
         negate   = optional(bool, false)
@@ -475,19 +505,31 @@ variable "rulesets" {
         do_not_enforce_on_create             = optional(bool, false)
       }), null),
       tag_name_pattern = optional(object({
-        operator = string // starts_with, ends_with, contains, equals
+        operator = string // starts_with, ends_with, contains, regex
         pattern  = string
         name     = optional(string, null)
         negate   = optional(bool, false)
       }), null),
-      // Unsupported due to drift. https://github.com/integrations/terraform-provider-github/pull/2701
-      # required_code_scanning = optional(object({
-      #   required_code_scanning_tool = list(object({
-      #     alerts_threshold          = string // none, errors, errors_and_warnings, all
-      #     security_alerts_threshold = string // none, critical, high_or_higher, medium_or_higher, all
-      #     tool                      = string
-      #   }))
-      # }), null),
+      required_code_scanning = optional(object({
+        required_code_scanning_tool = list(object({
+          alerts_threshold          = string // none, errors, errors_and_warnings, all
+          security_alerts_threshold = string // none, critical, high_or_higher, medium_or_higher, all
+          tool                      = string
+        }))
+      }), null),
+      // Push ruleset rules (only valid when target = "push")
+      file_path_restriction = optional(object({
+        restricted_file_paths = list(string)
+      }), null),
+      max_file_size = optional(object({
+        max_file_size = number // 1-100 MB
+      }), null),
+      max_file_path_length = optional(object({
+        max_file_path_length = number
+      }), null),
+      file_extension_restriction = optional(object({
+        restricted_file_extensions = list(string)
+      }), null),
     }),
   }))
   default = {}

examples/complete/variables.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     github = {
       source  = "integrations/github"
-      version = ">= 6.6.0"
+      version = ">= 6.9.0"
     }
   }
 }