docs: enhance enterprise ruleset examples with repository target support and conditions

Author: Ravio1i

examples/enterprise_rulesets/push_rulesets.tf

@@ -25,6 +25,7 @@ resource "github_enterprise_ruleset" "push_restrictions" {
     # Target all organizations
     organization_name {
       include = ["~ALL"]
+      exclude = []
     }
 
     # Target all repositories
@@ -105,10 +106,12 @@ resource "github_enterprise_ruleset" "security_push_restrictions" {
   conditions {
     organization_name {
       include = ["~ALL"]
+      exclude = []
     }
 
     repository_name {
       include = ["*-prod", "*-production"]
+      exclude = []
     }
   }
 

examples/enterprise_rulesets/repository_ruleset.tf

@@ -108,10 +108,14 @@ resource "github_enterprise_ruleset" "org_id_repository_rules" {
   conditions {
     # Use organization_id instead of organization_name
     # This is useful when you know the specific org IDs
-    organization_id = [123456, 789012]
+    organization_id {
+      organization_ids = [123456, 789012]
+    }
 
     # Use repository_id for specific repositories
-    repository_id = [111111, 222222]
+    repository_id {
+      repository_ids = [111111, 222222]
+    }
   }
 
   rules {

examples/enterprise_rulesets/tag_ruleset.tf

@@ -19,11 +19,13 @@ resource "github_enterprise_ruleset" "tag_protection" {
     # Target all organizations
     organization_name {
       include = ["~ALL"]
+      exclude = []
     }
 
     # Target all repositories
     repository_name {
       include = ["~ALL"]
+      exclude = []
     }
 
     # Target specific tag patterns (required for tag target)
@@ -83,15 +85,18 @@ resource "github_enterprise_ruleset" "dev_tag_protection" {
   conditions {
     organization_name {
       include = ["~ALL"]
+      exclude = []
     }
 
     repository_name {
       include = ["~ALL"]
+      exclude = []
     }
 
     # Only apply to development/snapshot tags
     ref_name {
       include = ["*-SNAPSHOT", "*-dev"]
+      exclude = []
     }
   }
 

website/docs/d/enterprise_ruleset.html.markdown

@@ -28,7 +28,7 @@ data "github_enterprise_ruleset" "example" {
 
 - `name` - (String) The name of the ruleset.
 
-- `target` - (String) The target of the ruleset. Possible values are `branch`, `tag`, and `push`.
+- `target` - (String) The target of the ruleset. Possible values are `branch`, `tag`, `push`, and `repository`.
 
 - `enforcement` - (String) The enforcement level of the ruleset. Possible values are `disabled`, `active`, and `evaluate`.
 
@@ -112,6 +112,8 @@ data "github_enterprise_ruleset" "example" {
 
 - `pull_request` - (List) Require all commits be made to a non-target branch and submitted via a pull request. (see [below for nested schema](#rulespull_request))
 
+- `copilot_code_review` - (List) Automatically request Copilot code review for new pull requests. (see [below for nested schema](#rulescopilot_code_review))
+
 - `required_status_checks` - (List) Status checks that are required. (see [below for nested schema](#rulesrequired_status_checks))
 
 - `required_workflows` - (List) Actions workflows that are required. (see [below for nested schema](#rulesrequired_workflows))
@@ -136,6 +138,16 @@ data "github_enterprise_ruleset" "example" {
 
 - `file_extension_restriction` - (List) File extension restrictions for push rulesets. (see [below for nested schema](#rulesfile_extension_restriction))
 
+- `repository_creation` - (Boolean) Only allow users with bypass permission to create repositories. Only valid for `repository` target.
+
+- `repository_deletion` - (Boolean) Only allow users with bypass permission to delete repositories. Only valid for `repository` target.
+
+- `repository_transfer` - (Boolean) Only allow users with bypass permission to transfer repositories. Only valid for `repository` target.
+
+- `repository_name` - (List) Restrict repository names to match specified patterns. Only valid for `repository` target. (see [below for nested schema](#rulesrepository_name))
+
+- `repository_visibility` - (List) Restrict repository visibility changes. Only valid for `repository` target. (see [below for nested schema](#rulesrepository_visibility))
+
 ### rules.pull_request
 
 - `dismiss_stale_reviews_on_push` - (Boolean) New, reviewable commits pushed will dismiss previous pull request review approvals.
@@ -148,22 +160,36 @@ data "github_enterprise_ruleset" "example" {
 
 - `required_review_thread_resolution` - (Boolean) All conversations on code must be resolved before a pull request can be merged.
 
+- `allowed_merge_methods` - (List of String) The merge methods allowed for pull requests. Possible values are `merge`, `squash`, and `rebase`.
+
+### rules.copilot_code_review
+
+- `review_on_push` - (Boolean) Copilot automatically reviews each new push to the pull request.
+
+- `review_draft_pull_requests` - (Boolean) Copilot automatically reviews draft pull requests before they are marked as ready for review.
+
 ### rules.required_status_checks
 
 - `required_check` - (List) Status checks that are required. (see [below for nested schema](#rulesrequired_status_checksrequired_check))
 
 - `strict_required_status_checks_policy` - (Boolean) Whether pull requests targeting a matching branch must be tested with the latest code.
 
+- `do_not_enforce_on_create` - (Boolean) Allow repositories and branches to be created if a check would otherwise prohibit it.
+
 ### rules.required_status_checks.required_check
 
 - `context` - (String) The status check context name that must be present on the commit.
 
 - `integration_id` - (Number) The optional integration ID that this status check must originate from.
 
+- `do_not_enforce_on_create` - (Boolean) Allow repositories and branches to be created if a check would otherwise prohibit it.
+
 ### rules.required_workflows
 
 - `required_workflow` - (List) Actions workflows that are required. (see [below for nested schema](#rulesrequired_workflowsrequired_workflow))
 
+- `do_not_enforce_on_create` - (Boolean) Allow repositories and branches to be created if a check would otherwise prohibit it.
+
 ### rules.required_workflows.required_workflow
 
 - `repository_id` - (Number) The ID of the repository.
@@ -249,3 +275,15 @@ data "github_enterprise_ruleset" "example" {
 ### rules.file_extension_restriction
 
 - `restricted_file_extensions` - (List of String) The file extensions that are restricted from being pushed to the commit graph.
+
+### rules.repository_name
+
+- `pattern` - (String) The pattern to match repository names against.
+
+- `negate` - (Boolean) If true, the rule will fail if the pattern matches.
+
+### rules.repository_visibility
+
+- `internal` - (Boolean) Allow internal visibility for repositories.
+
+- `private` - (Boolean) Allow private visibility for repositories.

website/docs/r/enterprise_ruleset.html.markdown

@@ -266,13 +266,58 @@ resource "github_enterprise_ruleset" "commit_patterns" {
 }
 ```
 
+### Repository Target Ruleset
+
+```hcl
+resource "github_enterprise_ruleset" "repository_management" {
+  enterprise_slug = "my-enterprise"
+  name            = "repository-management"
+  target          = "repository"
+  enforcement     = "active"
+
+  bypass_actors {
+    actor_id    = 1
+    actor_type  = "OrganizationAdmin"
+    bypass_mode = "always"
+  }
+
+  conditions {
+    organization_name {
+      include = ["~ALL"]
+      exclude = []
+    }
+
+    repository_name {
+      include = ["~ALL"]
+      exclude = []
+    }
+  }
+
+  rules {
+    repository_creation = true
+    repository_deletion = true
+    repository_transfer = true
+
+    repository_name {
+      pattern = "^[a-z][a-z0-9-]*$"
+      negate  = false
+    }
+
+    repository_visibility {
+      internal = true
+      private  = true
+    }
+  }
+}
+```
+
 ## Argument Reference
 
 - `enterprise_slug` - (Required) (String) The slug of the enterprise.
 
 - `name` - (Required) (String) The name of the ruleset.
 
-- `target` - (Required) (String) Possible values are `branch`, `tag` and `push`. Note: The `push` target is in beta and is subject to change.
+- `target` - (Required) (String) Possible values are `branch`, `tag`, `push`, and `repository`. Note: The `push` and `repository` targets are in beta and are subject to change.
 
 - `enforcement` - (Required) (String) Possible values for Enforcement are `disabled`, `active`, `evaluate`. Note: `evaluate` is currently only supported for owners of type `organization`.
 
@@ -326,6 +371,16 @@ The `rules` block supports the following:
 
 - `file_extension_restriction` - (Optional) (Block List, Max: 1) Prevent commits that include files with specified file extensions from being pushed to the commit graph. This rule only applies to rulesets with target `push`. (see [below for nested schema](#rulesfile_extension_restriction))
 
+- `repository_creation` - (Optional) (Boolean) Only allow users with bypass permission to create repositories. Only valid for `repository` target.
+
+- `repository_deletion` - (Optional) (Boolean) Only allow users with bypass permission to delete repositories. Only valid for `repository` target.
+
+- `repository_transfer` - (Optional) (Boolean) Only allow users with bypass permission to transfer repositories. Only valid for `repository` target.
+
+- `repository_name` - (Optional) (Block List, Max: 1) Restrict repository names to match specified patterns. Only valid for `repository` target. (see [below for nested schema](#rulesrepository_name))
+
+- `repository_visibility` - (Optional) (Block List, Max: 1) Restrict repository visibility changes. Only valid for `repository` target. (see [below for nested schema](#rulesrepository_visibility))
+
 #### rules.pull_request
 
 - `dismiss_stale_reviews_on_push` - (Optional) (Boolean) New, reviewable commits pushed will dismiss previous pull request review approvals. Defaults to `false`.
@@ -338,6 +393,8 @@ The `rules` block supports the following:
 
 - `required_review_thread_resolution` - (Optional) (Boolean) All conversations on code must be resolved before a pull request can be merged. Defaults to `false`.
 
+- `allowed_merge_methods` - (Optional) (List of String, Min: 1) The merge methods allowed for pull requests. Possible values are `merge`, `squash`, and `rebase`.
+
 #### rules.copilot_code_review
 
 - `review_on_push` - (Optional) (Boolean) Copilot automatically reviews each new push to the pull request. Defaults to `false`.
@@ -452,6 +509,18 @@ The `rules` block supports the following:
 
 - `restricted_file_extensions` - (Required) (List of String, Min: 1) The file extensions that are restricted from being pushed to the commit graph.
 
+#### rules.repository_name
+
+- `pattern` - (Required) (String) The pattern to match repository names against.
+
+- `negate` - (Optional) (Boolean) If true, the rule will fail if the pattern matches. Defaults to `false`.
+
+#### rules.repository_visibility
+
+- `internal` - (Optional) (Boolean) Allow internal visibility for repositories. Defaults to `false`.
+
+- `private` - (Optional) (Boolean) Allow private visibility for repositories. Defaults to `false`.
+
 ### bypass_actors
 
 - `actor_id` - (Optional) (Number) The ID of the actor that can bypass a ruleset. When `actor_type` is `OrganizationAdmin`, this should be set to `1`. Some resources such as DeployKey do not have an ID and this should be omitted.