terraform-provider-github/examples/enterprise_rulesets/branch_rulesets.tf at f23df92f97bb23e3ef76de5c2af17d46959b2631 · integrations/terraform-provider-github · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
# Example: Branch target ruleset with comprehensive branch protection rules
# This ruleset applies to branches across the enterprise

resource "github_enterprise_ruleset" "branch_protection" {
  enterprise_slug = "your-enterprise"
  name            = "branch-protection-ruleset"
  target          = "branch"
  enforcement     = "active"

  # Optional: Allow certain users/teams to bypass the ruleset
  bypass_actors {
    actor_id    = 1
    actor_type  = "OrganizationAdmin"
    bypass_mode = "always"
  }

  bypass_actors {
    actor_type  = "DeployKey"
    bypass_mode = "always"
  }

  # Conditions define which organizations, repositories, and refs this ruleset applies to
  conditions {
    # Target all organizations in the enterprise
    organization_name {
      include = ["~ALL"]
      exclude = []
    }

    # Target all repositories
    repository_name {
      include = ["~ALL"]
      exclude = ["test-*"] # Exclude test repositories
    }

    # Target all branches (required for branch target)
    ref_name {
      include = ["~DEFAULT_BRANCH", "main", "master", "release/*"]
      exclude = ["experimental/*"]
    }
  }

  # Rules that apply to matching branches
  rules {
    # Prevent branch creation without bypass permission
    creation = true

    # Prevent branch updates without bypass permission
    update = false

    # Prevent branch deletion without bypass permission
    deletion = true

    # Require linear history (no merge commits)
    required_linear_history = true

    # Require signed commits
    required_signatures = true

    # Prevent force pushes
    non_fast_forward = true

    # Pull request requirements
    pull_request {
      dismiss_stale_reviews_on_push     = true
      require_code_owner_review         = true
      require_last_push_approval        = true
      required_approving_review_count   = 2
      required_review_thread_resolution = true
      allowed_merge_methods             = ["squash", "merge"]
    }

    # Status check requirements
    required_status_checks {
      strict_required_status_checks_policy = true
      do_not_enforce_on_create             = false

      required_check {
        context        = "ci/build"
        integration_id = 0
      }

      required_check {
        context        = "ci/test"
        integration_id = 0
      }
    }

    # Commit message pattern requirements
    commit_message_pattern {
      name     = "Conventional Commits"
      operator = "regex"
      pattern  = "^(feat|fix|docs|style|refactor|test|chore)(\\(.+\\))?: .{1,50}"
      negate   = false
    }

    # Commit author email pattern
    commit_author_email_pattern {
      name     = "Corporate Email Only"
      operator = "regex"
      pattern  = "@your-company\\.com$"
      negate   = false
    }

    # Committer email pattern
    committer_email_pattern {
      name     = "Corporate Email Only"
      operator = "regex"
      pattern  = "@your-company\\.com$"
      negate   = false
    }

    # Branch name pattern (only for branch target)
    branch_name_pattern {
      name     = "Valid Branch Names"
      operator = "regex"
      pattern  = "^(main|master|develop|feature/|bugfix/|hotfix/|release/)"
      negate   = false
    }

    # Code scanning requirements
    required_code_scanning {
      required_code_scanning_tool {
        tool                       = "CodeQL"
        alerts_threshold           = "errors"
        security_alerts_threshold  = "high_or_higher"
      }
    }

    # Copilot code review (if enabled)
    copilot_code_review {
      review_on_push           = true
      review_draft_pull_requests = false
    }
  }
}

resource "github_enterprise_ruleset" "branch_by_property" {
  enterprise_slug = "your-enterprise"
  name            = "production-repos-branch-protection"
  target          = "branch"
  enforcement     = "active"

  conditions {
    organization_name {
      include = ["~ALL"]
      exclude = []
    }

    # Target repositories based on custom properties
    repository_property {
      include {
        name            = "environment"
        property_values = ["production", "staging"]
        source          = "custom"
      }

      exclude {
        name            = "lifecycle"
        property_values = ["deprecated", "archived"]
      }
    }

    ref_name {
      include = ["~DEFAULT_BRANCH", "refs/heads/release/*"]
      exclude = []
    }
  }

  rules {
    deletion         = true
    non_fast_forward = true
  }
}